currently serving 22294 YARA rules and 4048 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
APT_MAL_Grapeloader_Apr25
Detects Grapeloader, seen being used to deliver Wineloader, related to APT29
19.04.2025
SUSP_OBFUSC_PS_COM_Apr25
Detects obfuscated PowerShell scripts using COM-based extraction (Shell.Application.NameSpace) to download and unzip payloads
19.04.2025
MAL_NodeJS_Script_Apr25
Detects NodeJS script that collects system info and download next stage payload
19.04.2025
SUSP_Python_Sideloading_DLL_Apr25
Detects Python DLL that may be used to sideload malicious code, need to be manually investigated.
18.04.2025
SUSP_PS1_OBFUSC_Loader_Apr25_3
Detects indicators found in obfuscated PowerShell loaders
17.04.2025
SUSP_OBFUSC_HTTPS_Split_Apr25_3
Detects suspicious obfuscation patterns often used in malware
17.04.2025
HKTL_EDRaser_Apr25
Detects EDRaser - Python tool for remotely deleting database, access and event logs
16.04.2025
PUA_VULN_TSCAN_Apr25
Detects Tscan - a tool written in Go used for vulnerability scanning
16.04.2025
PUA_VULN_Scanner_Apr25
Detects vscan and scan4all - a tool written in Go used for vulnerability scanning
16.04.2025
SUSP_HTML_HTA_WScript_Combo_Apr25
Detects characteristics found in relation with malicious HTA files
15.04.2025
SUSP_Bash_BackConnect_Pattern_Apr25
Detects bash back connect patterns often used in Linux malware or post-exploitation
15.04.2025
SUSP_OBFUSC_Multi_Encoded_PE_Apr25
Detects multiple times encoded PE files. This kind of multi encoding is often used by threat actors to bypass detections.
15.04.2025
MAL_OBFUSC_Reverse_Encoded_PE_Apr25
Detects reversed and encoded PE files. This kind of encoding is often used by malware loaders and droppers.
13.04.2025
EXPL_LOG_Ivanti_CVE_2025_22457_Apr25
Detects indicators that could appear in log files of Ivanti products after the exploitation of CVE-2025-22457
11.04.2025
SUSP_Javascript_Obfuscation_NonAscii_Apr25
Detects JavaScript obfuscation by inserting non ascii garbage characters in the strings
11.04.2025
SUSP_Javascript_Obfuscation_Apr25
Detects JavaScript string obfuscation
11.04.2025
APT_UNC5325_Ivanti_PITFUEL_Apr25
Detects SparkGateway plugin loading shared object backdoor
11.04.2025
SUSP_OBFUSC_Set_Apr25_1
Detects indicators found in obfuscated VBS/Batch loaders
09.04.2025
SUSP_PS1_OBFUSC_Loader_Apr25_2
Detects indicators found in obfuscated PowerShell loaders
09.04.2025
MAL_MasqLoader_Loader_Apr25
Detects Masqloader DLL loader, seen being used by Earth Alux APT group
09.04.2025
MAL_RAIL_Characteristic_Apr25
Detects generic characteristic for RAILSETTER/RAILLOAD, seen being used by Earth Alux APT
09.04.2025
APT_MAL_Spwansloth_Apr25
Detects Spwansloth acts as a log tampering component tied to the Spwansnail backdoor, seen being used by UNC5221, a suspected China-nexus espionage actor
08.04.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_HKTL_Hacktool_Strings_Oct21_1
4
08119757eaf1fe2ea9a7fd64d936aa8755c83db6cf22e0a5f5b602442053d45d
PUA_ConnectWise_ScreenConnect_Mar23
1
0c1aa27ec692ca0202c1d916a814bde6c73610afc7283dc7892dc0b462c02718
SUSP_Double_Base64Encoded_Kernel32_Functions
4
92ff1c4c556645e26774b05392c88071af85229af65780ab54df11353c1f9c49
SUSP_HKTL_Hacktool_Strings_Oct21_1
10
84855794a766ed583ba9ea3411a3175c3c79e3e5b4542a71891c32ebd0a9e7db
SUSP_HKTL_Hacktool_Strings_Oct21_1
10
748639613ff82cf0fd659246bcbfac0d5a4c6cdade7799cbfac831abf37472cc
SUSP_HKTL_Hacktool_Strings_Oct21_1
14
d8f8ee690b291509d1ea3e78b5b49426fa5d1439e75106ab2310e7cd5620e59e
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6771
Threat Hunting (not subscribable, only in THOR scanner)
5369
APT
4942
Hacktools
4668
Webshells
2364
Exploits
660
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Suspicious Process Spawned by CentreStack Portal AppPool
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
17.04.2025
Suspicious CrushFTP Child Process
Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
10.04.2025
Scheduled Task Executed Masquerading as System Binary
Detects the suspicious execution of Scheduled Tasks where the Program being run is masquerading as a system binary.
This is often used by threat actors to maintain persistence and evade detection.
07.04.2025
Scheduled Task Creation with System Binary Masquerading - Security
Detects scheduled task creation that may indicate masquerading attempts where attackers use eecutables to be executed same to legitimate Windows system binaries.
This technique is frequently used by adversaries to establish persistence mechanisms, bypass security controls, and hide malicious activities by blending with normal system operations.
07.04.2025
Scheduled Task Creation with System Binary Masquerading
Detects the creation of scheduled tasks that execute the binaries having same names to Windows system binaries, indicating potential masquerading.
Adversaries commonly create scheduled tasks with names resembling legitimate system binaries to maintain persistence and evade detection.
This technique helps them preserve system access after reboots or system changes while avoiding suspicion.
07.04.2025
Windows Defender Permission Modification Using Icacls
Detects attempts to modify permissions on Windows Defender files using icacls command.
This technique is often used by Threat Actors or Malware Group to disable or bypass security features, allowing the malware to operate without interference from Windows Defender.
The command typically involves granting full control to the Everyone group on critical Windows Defender files, which can lead to potential system compromise.
04.04.2025
Potential Privilege Escalation Tool Execution - Potato Variants
Detects execution of files ending with 'potato.exe' which are commonly associated with Windows privilege escalation tools.
Various "Potato" exploits (like RottenPotato, JuicyPotato, SweetPotato) are known privilege escalation techniques that exploit Windows vulnerabilities to elevate privileges.
These tools are frequently used by attackers post-exploitation to gain higher privileges on compromised systems.
03.04.2025
Fake Zoom Process Execution
Detects execution of fake Zoom process which could indicate potential malicious activity.
Adversaries have been observed using spoofed versions of Zoom, a widely-used video conferencing
and collaboration application, to distribute various types of commodity malware and gain initial access to systems.
02.04.2025
Suspicious BluetoothDiagnosticUtil DLL Creation
Detects the creation of BluetoothDiagnosticUtil.dll in outside legitimate folder.
It could be an attempt to UAC bypass via msdt.exe, abusing DLL hijacking vulnerability in BluetoothDiagnosticUtil.dll file.
31.03.2025
UAC Bypass Attempt via MSDT
Detects the UAC Bypass Attempt via msdt.exe. MSDT stands for the Microsoft Support Diagnostic Tool, a built-in Windows utility used for troubleshooting and diagnosing system issues.
Adversary may abuse DLL hijacking vulnerability in BluetoothDiagnosticUtil.dll (Bluetooth diagnostic package) which is loaded by auto-elevated msdt.exe without UAC prompt.
31.03.2025
MSC EvilTwin Exploit Process Creation
Detects process creation events related to potential EvilTwin exploit (CVE-2025-26633) execution which manipulates .msc files and the Multilingual User Interface Path (MUIPath).
This rule monitors for suspicious process executions of .msc files from abnormal locations, which could indicate exploitation attempts of CVE-2025-26633.
27.03.2025
MSC EvilTwin Exploit File Dropped
Detects the creation of .msc files in suspicious directories such as 'C:\Windows \System32', which could indicate an EvilTwin exploit (CVE-2025-26633) attempt.
In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious msc payload.
27.03.2025
Suspicious Executable Files Execution From Unusual Locations
Detects execution of executables files other than .exe, such as '.com', '.scr' etc., from suspicious and uncommon locations that may indicate malicious activity.
Malware often uses non-standard executable formats and drops them in temporary or user-accessible locations to evade detection.
This rule specifically monitors executions from paths like Temp folders, Downloads, User directories, and Windows system folders that are commonly abused by malware.
26.03.2025
Suspicious File Dropped in Perflogs Directory
Detects the creation of suspicious files (like scripts and executables) in the Perflogs directory, which could indicate malicious activity.
The PerfLogs directory is a default Windows folder typically used for storing performance logs and data, making it an unusual location for executable files.
Adversaries may attempt to hide malicious files in this directory to evade detection, as it's rarely monitored and accessed by normal users.
This detection focuses on common file extensions that are often associated with malicious code execution.
24.03.2025
Potential ArphaDump64.DLL Sideloading
Detects potential DLL sideloading of "arphaDump.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code.
24.03.2025
Suspicious Image Load From PerfLogs Directory
Detects suspicious image loads from PerfLogs directory which may indicate malicious activity
24.03.2025
Suspicious Network Connection from PerfLogs Directory
Detects network connections from processes executing from the PerfLogs directory, which is unusual and potentially suspicious.
The PerfLogs directory is a default Windows directory intended for storing performance logs and not typically used for running executables.
The fact that network connection is being made could hint that malware could be making connection to its C&C server.
Adversaries often this directory to hide malware as it is often overlooked in monitoring and investigations.
24.03.2025
Process Execution from PerfLogs Directory
Detects process execution from the Windows PerfLogs directory, which is unusual and potentially suspicious.
PerfLogs is a folder used by Windows for log collection and highly unlikely place for processes to execute from.
24.03.2025
Suspicious LNK Command-Line Padding with Whitespace Characters
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding observed in real-world attacks.
19.03.2025
Windows Defender Disable Attempt via DISM
Detects attempts to disable Windows Defender using Deployment Image Servicing and Management (DISM.exe) utility.
DISM is a legitimate Windows utility, which is used to install, uninstall, configure, and update the features and packages in offline Windows images and offline Windows Preinstallation Environment (WinPE) images.
Adversaries may attempt to disable Windows Defender using DISM to evade detection and prevent their malware from being caught.
This technique is particularly concerning as DISM is a legitimate Windows utility, making the malicious activity harder to distinguish from normal system administration.
18.03.2025
HackTool - SharpNBTScan Execution
Detects execution of SharpNBTScan, a tool used for NetBios Scanning. Adversaries use this tool for hostname and IP address enumeration.
18.03.2025
HackTool - Ladon Penetration Testing Tool Execution
Detects execution of Ladon, a penetration testing tool used for network scanning and exploitation.
Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale network penetration,
including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell.
18.03.2025
Suspicious Execution From Public Folder
Detects execution of suspicious files (like .bat, .exe, .ps1, etc.) from the Public folder, which may indicate execution of dropped malicious payloads.
This technique is commonly used by ransomware actors, including BlackBasta, to execute their malware from publicly accessible locations.
Legitimate software rarely installs executables in Public folders, making this behavior suspicious.
18.03.2025
PUA - Angry IP Scanner Execution
Detects execution of Angry IP Scanner, a network scanning tool.
Adversaries may use this tool for network discovery, identifying potential targets, and mapping out network infrastructure during the reconnaissance phase of an attack.
18.03.2025
PowerShell Enumeration of Security Products via WMI/CIM - Powershell
Detects Powershell commands that query the SecurityCenter2 namespace using Get-WmiObject or Get-CimInstance, potentially for AV/AntiSpyware reconnaissance.
Threat actors often use these powershell commands to enumerate installed security products on a system to identify security solutions present on the system,
plan evasion tactics based on discovered security products, and determine potential weaknesses in the security posture.
This technique is commonly used in the initial reconnaissance phase of an attack.
17.03.2025
Files or Folders Permission Modification
Detects file or folders permissions changes through built-in Windows utilities like icacls.exe and cacls.exe.
Adversaries may want to change permissions of files or directories for encryption, deletion, or other malicious purposes.
14.03.2025
Potential Enumeration and Terminaation of User Sessions
Detects PowerShell script blocks containing both quser and logoff commands, which might indicate malware attempting to enumerate and forcefully terminate user sessions on a compromised host
14.03.2025
PUA - Masscan Execution
Detects usage of masscan. Adversaries may use masscan to perform high-speed network scanning to identify open ports and services.
14.03.2025
Execution of Takeown.exe for File Ownership
Detects the execution of takeown.exe, which is used to get ownership of files or directories.
Adversaries may use takeown.exe to take ownership of files or directories to take ownership of files or directories for encryption, deletion, or other malicious purposes.
14.03.2025
Possible Lateral Movement via WinRS
Detects potential lateral movement attempts through WinRS (Windows Remote Shell) where winrshost.exe spawns suspicious child processes like cmd.exe, powershell.exe, or other script interpreters.
This pattern may indicate unauthorized remote command execution or administrative activities.
WinRS is a legitimate Windows Remote Management tool but is commonly abused for lateral movement.
14.03.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3210
19084
Sigma
3365
683
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1257
windows / registry_set
202
windows / file_event
194
windows / ps_script
166
windows / security
156
linux / process_creation
119
windows / image_load
107
webserver
78
windows / system
72
macos / process_creation
65
proxy
52
windows / network_connection
52
linux / auditd
48
aws / cloudtrail
46
azure / activitylogs
43
azure / auditlogs
38
windows / registry_event
38
windows / ps_module
33
windows / application
29
azure / signinlogs
24
okta / okta
22
windows / dns_query
22
windows / process_access
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
m365 / threat_management
13
cisco / aaa
12
kubernetes / application / audit
10
windows / driver_load
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
windows / create_stream_hash
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
windows / msexchange-management
8
dns
8
azure / pim
7
windows / appxdeployment-server
7
gcp / google_workspace.admin
7
windows / bits-client
7
windows / registry_delete
7
zeek / smb_files
7
antivirus
7
windows / file_access
6
windows / dns-client
6
kubernetes / audit
5
jvm / application
5
linux / network_connection
5
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
zeek / dns
4
zeek / http
4
windows / sysmon
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
m365 / audit
3
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
firewall
2
windows / file_change
2
spring / application
2
windows / security-mitigations
2
linux / syslog
2
zeek / kerberos
1
windows / sysmon_status
1
database
1
windows / driver-framework
1
windows
1
windows / dns-server-analytic
1
nginx
1
windows / printservice-admin
1
netflow
1
cisco / bgp
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-operational
1
linux / auth
1
cisco / ldp
1
fortios / sslvpnd
1
cisco / syslog
1
linux / cron
1
windows / ldap
1
django / application
1
windows / smbclient-connectivity
1
linux / guacamole
1
huawei / bgp
1
windows / appmodel-runtime
1
nodejs / application
1
paloalto / file_event / globalprotect
1
cisco / duo
1
linux / clamav
1
juniper / bgp
1
windows / applocker
1
windows / process_tampering
1
paloalto / appliance / globalprotect
1
windows / appxpackaging-om
1
windows / openssh
1
windows / raw_access_thread
1
python / application
1
windows / shell-core
1
windows / capi2
1
velocity / application
1
zeek / x509
1
windows / certificateservicesclient-lifecycle-system
1
ruby_on_rails / application
1
m365 / exchange
1
linux / sudo
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
sql / application
1
linux / vsftpd
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
m365 / threat_detection
1
zeek / rdp
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
315
windows / ps_script
67
windows / registry_set
67
windows / image_load
39
windows / file_event
33
windows / wmi
29
windows / security
18
proxy
12
linux / process_creation
11
windows / network_connection
8
windows / system
7
windows / registry_event
7
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / pipe_created
4
windows / sense
4
windows / taskscheduler
4
windows / create_remote_thread
4
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / registry_delete
3
windows / application-experience
3
windows / hyper-v-worker
3
windows / kernel-shimengine
2
windows / process_access
2
windows / driver_load
2
windows / bits-client
2
windows / file_rename
1
macos / process_creation
1
windows / windefend
1
windows / amsi
1
windows / application
1
windows / audit-cve
1
windows / file_delete
1
windows / registry-setinformation
1
windows / codeintegrity-operational
1
windows / file_access
1
windows / dns_query
1
windows / firewall-as
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR