currently serving 21464 YARA rules and 3852 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
MAL_Rust_Splinter_Implants_Sep24
Detects C2 implants of the Splinter post-exploitation framework
25.09.2024
PUA_LNX_TMate_Sep24_1
Detects PUA TMate terminal sharing utility. Tmate is a fork of tmux but allows for easier sharing of terminal sessions to remote users.
24.09.2024
SUSP_UPX_Inside_PE_Sep24
Detects a UPX packed PE binary inside a small PE, which makes it more probable, that UPX was used to obfuscate rather than for compression
23.09.2024
SUSP_Nim_UPX_Packed_Small_Sep24
Detects a suspicious unsigned executable written in Nim, which is packed with UPX despite already being quite small
23.09.2024
PUA_Mullvad_VPN_Sep24
Detects Mullvad VPN, a legitimate VPN tool sometimes abused by threat actors
23.09.2024
SUSP_Rust_UPX_Packed_Small_Sep24
Detects a suspicious unsigned executable written in Rust, which is packed with UPX despite already being quite small
23.09.2024
SUSP_Rust_Implant_Indicators_Sep24_1
Detects suspicious indicators found in Rust based malware samples
20.09.2024
SUSP_PS1_LummaStealer_Pattern_Sep24_1
Detects suspicious patterns found in LummaStealer PowerShell scripts that users copy to the command line an execute
20.09.2024
SUSP_CronTab_Entries_Sep24_2
Detects suspicious crontab entries
19.09.2024
SUSP_PS1_Casing_Anomaly_Join
Detects suspicious casing in commands
19.09.2024
EXPL_HTKL_VeeamBackup_CVE_2024_40711_Sep24_1
Detects exploit code for Veeam Backup & Replication RCE CVE-2024-40711
17.09.2024
WEBSHELL_PHP_Gen_Sep24_1
Detects PHP web shells based on certain patterns
17.09.2024
WEBSHELL_JSP_Pattern_Sep24_1
Detects obfuscated JSP web shells based on certain characteristics
17.09.2024
WEBSHELL_JSP_Pattern_Sep24_2
Detects obfuscated JSP web shells based on certain characteristics
17.09.2024
WEBSHELL_ASP_Pattern_Sep24_1
Detects obfuscated ASP web shells based on certain characteristics
17.09.2024
WEBSHELL_ASP_Pattern_Sep24_2
Detects obfuscated ASP web shells based on certain characteristics
17.09.2024
WEBSHELL_JSP_Pattern_Sep24_3
Detects obfuscated JSP web shells based on certain characteristics
17.09.2024
WEBSHELL_JSP_Tiny_Sep24_1
Detects tiny JSP web shells
17.09.2024
WEBSHELL_ASP_OBFUSC_Sep24_1
Detects obfuscated ASP web shells
17.09.2024
WEBSHELL_Tiny_Sep24_1
Detects tiny obfuscated web shells based on certain characteristics
17.09.2024
WEBSHELL_JSP_OBFUSC_Sep24_1
Detects obfuscated JSP web shells
17.09.2024
MAL_ShadowPad_Downloader_Sep24
Detects downloader, seen being used by ShadowPad APT group
16.09.2024
MAL_BruteRatel_Loader_Sep24
Detects Brute Ratel C4 loaders
13.09.2024
PUA_Tdskiller_Sep24
Detects Tdskiller a legitimate tool developed by Kaspersky to remove rootkits. It is also capable of disabling EDR software
13.09.2024
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23
2
09737f2d417d25a8d5cbd5a12447851af849e8e72a28be71dd9d90f70c4ece9c
Suspicious_Javascript_Running_Interpreter
11
e88b5c134026a384b17d742e6c0aeda720e2d4ab7832e4f616961421be7b2849
SUSP_PY_Stealer_Characteristics_Sep24
5
3d2d9f4e103b40740b0820732726a2b3292b31d6767a32f4c31cf2a9af7f2a2d
SUSP_Protector_Themida_Packed_Samples_Mar21_1
12
23309dd2cdb0a34997478189e6f44fa8e920e32517f88c4d5c25d5aff9de45d4
SUSP_Go_Binary_Microsoft_Copyright
1
67c1c5ad17b0e7e9cca47700a434b44537c8fce3027fa5f891940160211aeb21
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
5
66aef1ab7d4c8c561ea1d8dd9b2b673814f5082f524b2dfef4530a315ad6c016
APT_PlugX_SFX_Chinese_Chars_Jan14
9
d56d19a06e37f00bd76062a556506d0809d5d7fdb7b61716836b197e72bdabd6
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6354
Threat Hunting (not subscribable, only in THOR scanner)
5122
APT
4877
Hacktools
4545
Webshells
2333
Exploits
632
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Potential Lumma Stealer PowerShell Pattern
Detects process command line pattern of the Lumma Stealer malware family.
21.09.2024
Splinter Traffic Activity
Detects splinter pentest tool GET requests used to retrive data from the C2
20.09.2024
Java JAR Execution From Potentially Suspicious Location
Detects execution of Java application that has been packaged into a JAR from suspicious locations.
20.09.2024
Java JAR Execution With Uncommon JAR Extension
Detects execution of Java application that has been packaged into a JAR that doesn't contain a common extension.
20.09.2024
Suspicious Granting of Full Control to Everyone via Security Descriptor
Detects the usage of commands that modify security descriptors to grant full control (KA) permissions to the Everyone (WD) group. The presence of "D:(A;;KA;;;WD)" in a command line is unusual and may indicate an attempt to weaken security by allowing all users unrestricted access to critical system objects, potentially leading to privilege escalation or unauthorized system modifications.
19.09.2024
Suspicious Modification of Service Control Manager Permissions Via Sc.EXE
Detects changes to the Service Control Manager (SCManager) security descriptor that grant excessive permissions (e.g., Everyone group) to control system services. This behavior can indicate an attempt at local privilege escalation by allowing unauthorized users to manipulate critical services.
19.09.2024
Suspicious Veeam Backup Process Creation
Detects the execution of suspicious Veeam Backup sub processes and PowerShell commands that are often related to exploitation
17.09.2024
Network Connection Initiated To BTunnels Domains
Detects network connections to BTunnels domains initiated by a process on the system.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
13.09.2024
Potential Iisreset Abuse
Detects iisreset usage to stop the IIS services to prevent users to access the webserver
10.09.2024
PowerShell Restart Windows Defender
Detects powershell restarting services related to Windows Defender
10.09.2024
Renamed SharpNBTScan.EXE Execution
Detects the execution of a renamed "SharpNBTScan.exe". Often used by the attackers to perform scanning in the environment/.
10.09.2024
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
06.09.2024
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
04.09.2024
Process Deletion of Its Own Executable
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
03.09.2024
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
03.09.2024
PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
03.09.2024
Remote Access Tool - AnyDesk Incoming Connection
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
02.09.2024
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
02.09.2024
Suspicious Invocation of Shell via AWK - Linux
Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
02.09.2024
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
02.09.2024
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
02.09.2024
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Inline Python Execution - Spawn Shell Via OS System Library
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
02.09.2024
Shell Execution via Rsync - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3197
18267
Sigma
3334
518
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1245
windows / registry_set
200
windows / file_event
189
windows / ps_script
166
windows / security
157
linux / process_creation
120
windows / image_load
104
webserver
78
windows / system
72
macos / process_creation
65
proxy
52
windows / network_connection
52
linux / auditd
48
azure / activitylogs
43
aws / cloudtrail
42
azure / auditlogs
38
windows / registry_event
38
windows / ps_module
33
windows / application
28
azure / signinlogs
24
okta / okta
22
windows / process_access
22
windows / dns_query
21
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
linux
17
rpc_firewall / application
17
gcp / gcp.audit
16
windows / windefend
16
bitbucket / audit
14
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
m365 / threat_management
13
cisco / aaa
12
windows / ps_classic_start
10
kubernetes / application / audit
10
windows / driver_load
10
windows / codeintegrity-operational
10
windows / create_stream_hash
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
windows / msexchange-management
8
dns
8
azure / pim
7
windows / appxdeployment-server
7
windows / registry_delete
7
gcp / google_workspace.admin
7
windows / bits-client
7
zeek / smb_files
7
antivirus
7
windows / file_access
6
windows / dns-client
6
kubernetes / audit
5
jvm / application
5
linux / network_connection
5
zeek / dns
4
zeek / dce_rpc
4
windows / sysmon
4
windows / taskscheduler
4
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
windows / wmi_event
3
zeek / http
3
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
windows / file_change
2
firewall
2
windows / security-mitigations
2
spring / application
2
m365 / audit
2
linux / syslog
2
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
windows
1
windows / dns-server-analytic
1
database
1
zeek / kerberos
1
windows / printservice-operational
1
windows / driver-framework
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
nginx
1
windows / ldap
1
fortios / sslvpnd
1
netflow
1
cisco / bgp
1
cisco / syslog
1
linux / auth
1
cisco / ldp
1
django / application
1
windows / smbclient-connectivity
1
linux / cron
1
windows / openssh
1
windows / process_tampering
1
paloalto / file_event / globalprotect
1
linux / guacamole
1
huawei / bgp
1
windows / appmodel-runtime
1
nodejs / application
1
paloalto / appliance / globalprotect
1
cisco / duo
1
juniper / bgp
1
windows / applocker
1
windows / shell-core
1
python / application
1
linux / clamav
1
windows / appxpackaging-om
1
windows / raw_access_thread
1
windows / file_executable_detected
1
windows / capi2
1
windows / microsoft-servicebus-client
1
velocity / application
1
linux / sudo
1
windows / certificateservicesclient-lifecycle-system
1
windows / smbclient-security
1
windows / file_rename
1
ruby_on_rails / application
1
m365 / exchange
1
zeek / x509
1
sql / application
1
windows / sysmon_status
1
m365 / threat_detection
1
linux / vsftpd
1
zeek / rdp
1
windows / diagnosis-scripted
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
217
windows / registry_set
57
windows / ps_script
55
windows / wmi
29
windows / file_event
23
windows / image_load
17
proxy
12
windows / security
11
linux / process_creation
11
windows / network_connection
7
windows / system
7
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / registry_event
5
windows / sense
4
windows / pipe_created
4
windows / create_remote_thread
4
windows / hyper-v-worker
3
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / application-experience
3
windows / registry_delete
3
windows / bits-client
2
windows / driver_load
2
windows / kernel-shimengine
2
windows / taskscheduler
2
windows / audit-cve
1
windows / file_access
1
windows / registry-setinformation
1
windows / dns_query
1
windows / firewall-as
1
windows / file_delete
1
windows / file_rename
1
macos / process_creation
1
windows / windefend
1
windows / amsi
1
windows / process_access
1
windows / codeintegrity-operational
1
windows / application
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR