currently serving 22185 YARA rules and 4002 Sigma rules
New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
SUSP_PY_Malware_Indicators_Mar25 | Detects suspicious Python malware indicators. This is a generic rule that might generate false positives; a match should be investigated further. | 21.03.2025
MAL_PS1_RANSOM_Mar25 | Detects PowerShell ransomware | 21.03.2025
SUSP_Base64_UserAgent_Definition_Mar25 | Detects a suspicious base64-encoded user agent definition in small files | 21.03.2025
SUSP_PS1_OBFUSC_Patterns_Mar25 | Detects suspicious obfuscated PowerShell scripts. This is a generic rule that might generate false positives; a match should be investigated further. | 21.03.2025
SUSP_SchTasks_Create_OnLogon_Mar25 | Detects a suspicious schtasks command line that creates a task on logon with highest privileges | 21.03.2025
SUSP_UAC_ByPass_Indicators_Mar25 | Detects suspicious UAC bypass indicators | 21.03.2025
SUSP_ShellCode_Injection_Indicators_Mar25 | Detects suspicious shellcode injection indicators | 21.03.2025
SUSP_PY_Base64_Code_Mar25 | Detects suspicious base64-encoded Python code. This is a generic rule that might generate false positives; a match should be investigated further. | 20.03.2025
SUSP_MSF_X64_ShellCode | Detects Metasploit x64 shellcode | 20.03.2025
SUSP_SVG_JS_Payload_Mar25 | Detects a suspicious SVG file that contains a JavaScript payload. This is a generic rule that might generate false positives; a match should be investigated further. | 20.03.2025
MAL_Saintbot_Loader_Mar25 | Detects a signed, obfuscated .NET loader for a next-stage payload | 20.03.2025
SUSP_Github_Repo_Name_Mar25 | Detects suspicious GitHub repository names. This is a generic rule that might generate false positives; a match should be investigated further. | 19.03.2025
SUSP_JAVA_ByteCode_Indicators_Mar25_1 | Detects suspicious contents in Java classes (previously a subset of SUSP_JAVA_ByteCode_Indicators_Feb22_1) | 19.03.2025
SUSP_PS1_OBFUSC_Xor_Mar25 | Detects PowerShell XOR obfuscation designed to obscure payloads | 18.03.2025
SUSP_LNK_PS1_Download_Mar25 | Detects an LNK file that downloads a file using PowerShell | 18.03.2025
SUSP_PS1_OBFUSC_Reverse_Order_String_Mar25_1 | Detects reverse-order string obfuscation in PowerShell scripts, a technique often used by threat actors to obscure their payloads | 18.03.2025
MAL_Loader_Lualoader_Mar25 | Detects Lualoader, a shellcode loader that executes embedded Lua from Rust | 17.03.2025
APT_CN_MAL_Winnti_Rootkit_Driver_Hfapp_Mar25 | Detects a Winnti rootkit driver, Hfapp.sys (completely reworked version of the rule Winnti_Rootkit_Driver_Hfapp) | 17.03.2025
SUSP_Stealer_Indicators_COM_Objects_Mar25 | Detects COM object GUIDs commonly found in credential stealers | 17.03.2025
SUSP_Stealer_Indicators_Mar25 | Detects combinations of strings commonly found in credential stealers | 17.03.2025
MAL_Dexter_Loader_Mar25 | Detects the Dexter PowerShell dropper, which delivers a patched version of AsyncRAT | 14.03.2025
MAL_Mirai_Shell_Script_Mar25 | Detects a shell script downloader used by Mirai | 14.03.2025
MAL_PolarEdge_Botnet_Mar25 | Detects the PolarEdge IoT botnet, which establishes a TLS backdoor | 14.03.2025
SUSP_HashDump_Pipe_Mar25 | Detects a suspicious pipe as used in credential dumping hack tools | 14.03.2025
MAL_PipeMagic_Mar25_2 | Detects PipeMagic, a plugin-based trojan | 13.03.2025
HKTL_PUA_HashDump_Mar25 | Detects an old tool called Hash Dump, which was probably part of Hash Suite | 13.03.2025
MAL_DLL_Loader_Mar25 | Detects a DLL loader used to load the Lumma stealer | 13.03.2025
MAL_AceCryptor_Mar25 | Detects payloads packed with AceCryptor, a packing service offered to cyber criminals that claims to evade antivirus and analysis engines | 13.03.2025
SUSP_VBA_MACRO_OBFUSC_Mar25 | Detects XLS macros that drop a next-stage payload | 13.03.2025
MAL_Sosano_Backdoor_Mar25 | Detects the Sosano backdoor, written in Go, which targeted communications organizations and critical transportation infrastructure in the United Arab Emirates | 13.03.2025
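Several of the rules above (SUSP_Base64_UserAgent_Definition_Mar25, SUSP_PY_Base64_Code_Mar25, and PowerShell_JAB_B64 further down the page) look for base64-encoded content. The catch when writing such a rule is that the encoding of a plaintext depends on its byte offset modulo 3, so one base64 string never covers all occurrences. The following Python is an added example, not part of Valhalla or of any rule listed here: it derives the three alignment-independent fragments for a search term and scans constructed samples with them. The rule names mentioned are the page's; the sample data, function names and the `User-Agent` search term are my assumptions.

```python
import base64

def base64_variants(needle: bytes) -> list[str]:
    """Return the three alignment-independent base64 encodings of `needle`.

    Base64 turns 3 bytes into 4 characters, so a plaintext is encoded three
    different ways depending on its offset modulo 3.  For each offset we prepend
    k dummy bytes, encode, and keep only the characters whose six bits come
    entirely from `needle`; those characters are the same whatever surrounds the
    needle.  YARA's `base64` string modifier implements the same idea natively.
    """
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + needle).decode().rstrip("=")
        total_bytes = k + len(needle)
        first = -(-8 * k // 6)               # first char fully inside needle: ceil(8k/6)
        last = (8 * total_bytes - 6) // 6    # last char fully determined by the input bytes
        variants.append(enc[first:last + 1])
    return variants

def find_base64_encoded(blob: bytes, needle: bytes) -> list[tuple[int, int]]:
    """Return (alignment, offset) pairs where `needle` occurs base64-encoded in `blob`."""
    hits = []
    for k, variant in enumerate(base64_variants(needle)):
        start = 0
        while (pos := blob.find(variant.encode(), start)) != -1:
            hits.append((k, pos))
            start = pos + 1
    return hits

# Constructed sample blobs (not real malware): a UA header base64-encoded at
# three different offsets, plus a decoy that contains no encoded UA string.
UA = b"User-Agent: Mozilla/5.0"
SAMPLES = {
    "offset0": base64.b64encode(UA),
    "offset1": base64.b64encode(b"X" + UA),
    "offset2": base64.b64encode(b"XY" + UA),
    "decoy": base64.b64encode(b"Accept: text/html"),
}

def scan_samples(samples=SAMPLES, needle=b"User-Agent"):
    """Scan every sample for the needle in all three alignments."""
    return {name: find_base64_encoded(blob, needle) for name, blob in samples.items()}

if __name__ == "__main__":
    for variant in base64_variants(b"User-Agent"):
        print(variant)
    for name, hits in scan_samples().items():
        print(name, hits)
```

The three fragments for `User-Agent` are `VXNlci1BZ2Vud`, `VzZXItQWdlbn` and `Vc2VyLUFnZW50`; a rule that carries only the first one misses two thirds of the encodings. Applying the same function to the UTF-16LE string `$` (`base64_variants(b"$\x00")`) yields the stable prefix `JA`; the third character in PowerShell_JAB_B64's `JAB` adds the constraint that the following byte lies in 0x40..0x7F, i.e. a letter after the `$` of a PowerShell variable, which is why that prefix is characteristic of `-EncodedCommand` payloads.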

Successful YARA Rules in Set

This table lists the best-performing rules, those with the lowest average AV detection rate across their matches (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the latest matches with a low AV detection rate (between 0 and 15 AV engines flagged the sample)

Rule | AVs | Hash (SHA-256)
WEBSHELL_suspEval_Mar20 | 1 | 601d637c72e2f7ee54bed0fe8bdbf9c1175f9e1da89eec9363316253e136fd28
APT_NK_MAL_Lazarus_Implant_Aug20_1 | 12 | 9b3baa959a5abebdeb174367804ee1f7c4411f659c0d37449de203a47c73b950
HKTL_LNX_Rev_Shells_Jan23_1 | 12 | fb94fa3a7c1edc2c0404c21ab4fc02c6533dd853d3ee9a53feeb4b8e0aac5840
SUSP_LNX_Base64_Encoded_Webshell_Mar22 | 3 | a42b03335873f4cfd9a33490bba1b51e2df504f851b353433e7beee9f49e90dd
PowerShell_JAB_B64 | 9 | 2f53c09ac821f26782dfacd9d31a8039026adc7fb912906a73bd6da7f75b0589
WEBSHELL_PHP_BeginsWith_eval_Sep21 | 1 | 14a351ef445d0bf5ba0020cc7dcb50253be65e2696e8384129f4b6db337842f2
MAL_Sednit_DelphiDownloader_Apr18_2 | 2 | eb52c2f9fbe62d307a023bfa6b4804f3a2405e4618aef5dc6ddf61b77afe2b97
SUSP_HKTL_Hacktool_Strings_Oct21_1 | 3 | 5b09c08222bd8c0bf7b0dfafed3952844ed3ce7cfbc276a14fd357c1051d12a6
MAL_Sednit_DelphiDownloader_Apr18_2 | 3 | 8df94a95365d791e94e578f52b4fab46f94653bb1bab511a0cd0b1a86e97100d
Webshell_GIF_Cloaked_PHP_Webshell | 1 | 37f6bfb20e6bb6864232bc2756f93435c18926008065e826d2681eb073b499e8
MAL_Sednit_DelphiDownloader_Apr18_2 | 3 | 6894b417c8278e54e0067a16cf2cdab5aa30ac74a5274d374c90577c24a54a7b
MAL_Sednit_DelphiDownloader_Apr18_2 | 3 | 594fa3b2a82ebca032a0e0ed4909026d7f8c0bf20ab2088d34b15e2b03c4cd9c
MAL_Sednit_DelphiDownloader_Apr18_2 | 3 | 91044f80033097a88d4666a65eedc3b1dd6e3914226871edc9ba80043d063792
APT_CN_Actor_Serv2_Jun17_1 | 14 | 4850343b2a5c462ac55e69bdc9daa103b3957d1c80932dfcf8da442d1092ef9e
PUA_ConnectWise_ScreenConnect_Mar23 | 2 | 437307fc9a2e01adf47b50602566bf1c020edacdf3196e1ee590f8350d917114
SUSP_HKTL_Gen_Pattern_Feb25_2 | 10 | f8411dc0ca376a38af62887973015391a3677ea9b3ebe18b431c3b3ec6305bce
HKTL_PY_ShellCode_Loader_Feb21_1 | 5 | 28706eedb319dc51e1675c4ca12d2d5ca1edeeb8520287db65318261903cb47f
Cobaltbaltstrike_Payload_Encoded | 7 | 9d6ebf879b1d4ead58a94461c78710028b21c1d4579485ee8b78a7335269c78c
HKTL_PY_ShellCode_Loader_Feb21_1 | 7 | 9d6ebf879b1d4ead58a94461c78710028b21c1d4579485ee8b78a7335269c78c
PUA_NetSupport_Apr22 | 13 | 10f2af99ae8fc1f269087d73186d45b0eb0e8d8f0244172485f340b197cd1dcd
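The two tables above rank rules by how few AV engines flag the samples they hit, which is the metric that matters for a hunting rule: it should find what the scanners miss. As an added example (not Valhalla's own code, with constructed match records and hypothetical rule names), the following Python computes both views from a flat list of matches: the per-rule average over a 14-day window, restricted to rules created in the last 12 months, and the list of matches with at most 15 engine detections. Counting a sample once per rule even when it is matched repeatedly is my assumption, not a documented property of the page's statistics.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed match records (hypothetical rule names, truncated hashes; not Valhalla data):
# (rule, rule_created, sha256, av_detections, matched_on)
MATCHES = [
    ("MAL_Example_Loader_Oct24", date(2024, 10, 3), "aa01", 0, date(2025, 3, 20)),
    ("MAL_Example_Loader_Oct24", date(2024, 10, 3), "aa02", 2, date(2025, 3, 18)),
    ("MAL_Example_Loader_Oct24", date(2024, 10, 3), "aa02", 2, date(2025, 3, 19)),  # same sample seen again
    ("SUSP_Example_OBFUSC_Jan25", date(2025, 1, 14), "bb01", 9, date(2025, 3, 15)),
    ("SUSP_Example_OBFUSC_Jan25", date(2025, 1, 14), "bb02", 17, date(2025, 3, 16)),
    ("SUSP_Example_OBFUSC_Jan25", date(2025, 1, 14), "bb03", 4, date(2025, 2, 1)),   # outside the 14-day window
    ("Webshell_Example_Old_2019", date(2019, 5, 2), "cc01", 1, date(2025, 3, 21)),   # rule older than 12 months
]
TODAY = date(2025, 3, 21)

def rule_stats(matches, today=TODAY, max_rule_age_days=365, window_days=14):
    """Average AV detections per rule, lowest first; each distinct sample counts once."""
    window_start = today - timedelta(days=window_days)
    oldest_rule = today - timedelta(days=max_rule_age_days)
    per_rule = defaultdict(dict)                  # rule -> {sha256: av_detections}
    for rule, created, sha, avs, matched in matches:
        if created < oldest_rule or matched < window_start:
            continue
        per_rule[rule][sha] = avs                 # a repeat match of one sample does not add weight
    rows = [(rule, round(mean(s.values()), 2), len(s)) for rule, s in per_rule.items()]
    return sorted(rows, key=lambda r: (r[1], -r[2]))

def low_av_matches(matches, max_avs=15):
    """Matches where at most max_avs engines flagged the sample (the second table's filter)."""
    return [(rule, avs, sha) for rule, _, sha, avs, _ in matches if 0 <= avs <= max_avs]

if __name__ == "__main__":
    for rule, avg, count in rule_stats(MATCHES):
        print(f"{rule:32} {avg:5} {count}")
    for rule, avs, sha in low_av_matches(MATCHES):
        print(f"{rule:32} {avs:3} {sha}")
```

With the constructed records, the old webshell rule drops out of the ranking because of its age, the February match of the obfuscation rule drops out because of the window, and the loader rule's repeated hit on `aa02` is counted once, giving an average of 1.0 over two samples.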

YARA Rules Per Category

This list shows the number of YARA rules in each subscribable category (categories overlap, as a rule can belong to more than one category)

Tag | Count
Malware | 6717
Threat Hunting (not subscribable, only in THOR scanner) | 5336
APT | 4927
Hacktools | 4657
Webshells | 2363
Exploits | 658

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
PowerShell Enumeration of Security Products via WMI/CIM - Powershell | Detects PowerShell commands that query the SecurityCenter2 namespace using Get-WmiObject or Get-CimInstance, potentially for AV/anti-spyware reconnaissance. Threat actors often use these commands to enumerate the security products installed on a system, plan evasion tactics based on what they find, and identify weaknesses in the security posture. This technique is commonly used in the initial reconnaissance phase of an attack. | 17.03.2025
Windows Defender Exclusion of C Drive - PowerShell | Detects attempts to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning. Adversaries may do this to avoid detection of their malicious activities: the whole drive, including all its subdirectories (C:\Windows\, C:\Program Files\, C:\Users\, etc.), is then no longer scanned, which hides malware from Microsoft Defender Antivirus. | 13.03.2025
Windows Defender Exclusion of C Drive | Detects attempts to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning. Adversaries may do this to avoid detection of their malicious activities: the whole drive, including all its subdirectories (C:\Windows\, C:\Program Files\, C:\Users\, etc.), is then no longer scanned, which hides malware from Microsoft Defender Antivirus. | 13.03.2025
Cmd Querying For Virtualization Software | Detects command lines that query for virtualization software, which may indicate an attempt to detect virtual environments as part of the evasion techniques used by malware. | 11.03.2025
Suspicious Scheduled Task Creation of Legitimate MSC File - Security | Detects the creation of suspicious Windows scheduled tasks related to .msc files such as 'CompMgmt' or 'eventvwr'. These are legitimate Windows files used to launch management tools and configure system settings. During their execution they check the registry key `HKCU\Software\Classes\mscfile\shell\open\command` to determine the location of `mmc.exe`, which opens files such as `eventvwr.msc` or `CompMgmt.msc`. If the registry value is modified to point to a malicious binary, that binary is executed instead of `mmc.exe` as a privileged process, bypassing the UAC prompt. For persistence, adversaries can additionally create a scheduled task so that the malicious binary is executed repeatedly. When this rule fires, also verify whether the registry value has been tampered with. | 07.03.2025
UAC Bypass via Mscfile Registry Key Modification | Detects attempts to modify the registry key HKCU\Software\Classes\mscfile\shell\open\command to point to a malicious binary (e.g., c:\Users\AppData\Local\Temp\Malware.exe). This could indicate adversaries replacing mmc.exe with a malicious binary for privilege escalation without triggering a UAC prompt: executing any .msc file will then run the malicious binary with elevated privileges. | 07.03.2025
Suspicious Scheduled Task Creation of Legitimate MSC File - Process | Detects the creation of suspicious Windows scheduled tasks via `schtasks.exe` related to .msc files such as 'CompMgmt' or 'eventvwr'. These are legitimate Windows management consoles, but on execution they check the registry key `HKCU\Software\Classes\mscfile\shell\open\command` to determine the location of `mmc.exe`, which opens `eventvwr.msc` or `CompMgmt.msc`. If the registry value is modified to point to a malicious binary, that binary is executed instead of `mmc.exe` as a privileged process, bypassing the UAC prompt. For persistence, adversaries can create a scheduled task for these consoles so that the malicious binary is executed repeatedly. When this rule fires, also verify whether the registry value has been tampered with. | 07.03.2025
Hiding Files or Folders in Uncommon Location Using Attrib.exe | Detects suspicious usage of attrib.exe to hide files or folders in suspicious or uncommon locations. Adversaries often drop their malicious files in locations such as public folders or temporary directories and use attrib.exe to hide them from the user. | 04.03.2025
Disable UAC via EnableLUA Registry Modification | Detects attempts to disable User Account Control (UAC) by modifying the EnableLUA registry value. Disabling UAC lowers system security by allowing processes to run with elevated privileges without user consent. Adversaries may disable UAC to escalate privileges or execute malicious code without triggering security prompts, making detection and containment more difficult. | 03.03.2025
Uncommon CDB Child Processes | Detects uncommon child processes spawned by the Microsoft Console Debugger | 27.02.2025
Potential Data Exfiltration Via Powershell | Detects PowerShell commands that potentially perform data exfiltration. | 27.02.2025
Potential AV Reconnaissance Via Powershell | Detects PowerShell commands that query the SecurityCenter2 namespace using Get-WmiObject or Get-CimInstance, potentially for AV/anti-spyware reconnaissance. Threat actors often use these commands to enumerate the security products installed on a system, plan evasion tactics based on what they find, and identify weaknesses in the security posture. This technique is commonly used in the initial reconnaissance phase of an attack. | 27.02.2025
Renamed CDB.exe Execution | Detects the execution of a renamed Microsoft Console Debugger ("CDB.exe") binary based on its PE metadata fields | 27.02.2025
Potentially Suspicious Execution of Printui | Detects suspicious execution of printui.exe from outside its legitimate path, which is highly unusual and may indicate an attempt at DLL search order hijacking or side-loading. | 27.02.2025
Suspicious Process Loading PowerShell Engine | Detects suspicious processes loading the PowerShell engine, which may indicate the execution of PowerShell commands outside of powershell.exe. Adversaries often abuse this technique for stealthy execution of malicious scripts and defense evasion. Common benign applications rarely load this DLL, making it a useful indicator of suspicious activity. | 27.02.2025
Suspicious File Creation Inside Masqueraded System32 Path | Detects suspicious file creation events in a System32 directory where an adversary masquerades the path using a space between "Windows" and "\System32". This technique may be used to bypass UAC by hijacking the DLL load flow, to abuse logging mechanisms, or to evade detection rules that rely on exact path matching. Attackers may leverage it to deploy malware, establish persistence, or execute payloads stealthily. | 27.02.2025
Suspicious PowerShell Execution Using Curl And IEX | Detects suspicious execution of PowerShell processes that use curl and iex in the command line. This behavior is commonly associated with malicious script execution, where code is retrieved from a remote source and executed directly. | 27.02.2025
Suspicious Standard Tool Injection And Lateral Movement | Detects suspicious activity where payloads are injected into legitimate Windows executables. The injected module facilitates lateral movement, executes commands on remote endpoints, and exfiltrates data. This behavior is associated with the SquidDoor backdoor but could be used by different actors and malware families. | 27.02.2025
File Masquerading as Legitimate Binaries Dropped in Suspicious Location | Detects files named like legitimate binaries, such as svchost.exe or rundll32.exe, being dropped in a suspicious location, which is highly unusual. Legitimate software typically does not create or modify svchost.exe during normal operations. Such activity could indicate malware disguising itself as a system process or persistence mechanisms using renamed malicious executables. | 26.02.2025
HTTP Request to Low Reputation TLD or Suspicious File Extension | Detects HTTP requests to low-reputation TLDs (e.g. .xyz, .top, .ru) or to URLs ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity. | 26.02.2025
Certutil Execution via WinrsHost | Detects the execution of certutil from WinrsHost.exe, which may indicate the use of Windows Remote Shell (WinRS) for malicious purposes. This combination is often seen in lateral movement and defense evasion, where attackers use remote execution to run commands such as certificate manipulation or payload retrieval. | 24.02.2025
Suspicious Copy.exe Accessing Sensitive Windows Files | Detects access to critical Windows security-related files, such as the NTDS database and system configuration files, via xcopy.exe or copy. This behavior is commonly associated with credential theft and other malicious activities. | 24.02.2025
NetScan Shares Write Access Check | Detects the use of NetScan's 'Check for write access' feature by monitoring the write-access check of a 'delete.me' file on network shares. When NetScan is run with this option enabled, it creates and then deletes a 'delete.me' file on discovered network shares to test write permissions. | 24.02.2025
HTA File Dropped by MSHTA in INetCache Directory | Detects .hta files being dropped by the mshta.exe process into \Windows\INetCache. This could indicate the native Windows utility mshta.exe being used to execute a remote .hta file. Adversaries may abuse this living-off-the-land functionality of mshta.exe to execute remotely hosted malicious .hta files. | 24.02.2025
Notepad Password Files Discovery | Detects the execution of Notepad to open a file whose name contains the string "password", which may indicate unauthorized access to credentials or other suspicious activity. | 21.02.2025
LOLBAS Cmstp Loading Files from Suspicious Location | Detects the execution of cmstp.exe loading potentially malicious files from suspicious locations. Attackers may abuse the living-off-the-land capability of the CMSTP utility to execute their malicious payloads. This technique is often used to evade detection and persist on the system. | 21.02.2025
Suspicious Execution of SystemSettings | Detects the execution of SystemSettings.exe from non-standard paths or with different metadata than the original. This may indicate a malicious attempt to disguise as a legitimate application. Adversaries often make their malware mimic legitimate executables to evade detection, blend in with normal system activity, and exploit trust in known system files. | 21.02.2025
Potential UAC Bypass via Cmstp - Taskkill of Cmstp.exe | Detects the execution of the command "taskkill /IM cmstp.exe /F", which is hardcoded in INF files used for UAC bypass through the LOLBAS binary cmstp.exe. Attackers may abuse the living-off-the-land capability of the CMSTP utility to execute their malicious payloads. This technique is often used to evade detection and persist on the system. | 21.02.2025
Potential CVE-2024-35250 Exploitation Activity | Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250. | 19.02.2025
Potential Toshdpapi.DLL Sideloading | Detects potential DLL sideloading of "toshdpapi.dll" | 18.02.2025
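Several of the Sigma rules above describe their telemetry pattern precisely enough to check by hand. The Python below is an added example, not the Sigma rules themselves and not Nextron code: it encodes an approximation of five of the patterns described on this page (the whole-drive Defender exclusion, the mscfile handler hijack, the masqueraded "Windows \System32" path, EnableLUA set to 0, and the on-logon task with highest privileges that the YARA rule SUSP_SchTasks_Create_OnLogon_Mar25 looks for) as predicates over Sysmon-style events and runs them over constructed sample events. The field names follow Sysmon conventions and the sample events, including the benign look-alikes, are mine; the selection logic of the published rules may differ in detail.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Ids 1-5 should fire, 6-8 are benign look-alikes.
EVENTS = [
    {"id": 1, "category": "process_creation",
     "CommandLine": 'powershell.exe -nop -c "Add-MpPreference -ExclusionPath C:\\"'},
    {"id": 2, "category": "registry_set",
     "TargetObject": r"HKU\S-1-5-21-1004\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"id": 3, "category": "file_event",
     "TargetFilename": r"C:\Windows \System32\dism.exe"},
    {"id": 4, "category": "registry_set",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"id": 5, "category": "process_creation",
     "CommandLine": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon /rl highest /f"},
    {"id": 6, "category": "process_creation",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\App"'},
    {"id": 7, "category": "file_event",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": 8, "category": "registry_set",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
]

def defender_whole_drive_exclusion(e):
    r"""Add-MpPreference -ExclusionPath pointing at a drive root such as C:\ rather than a sub-folder."""
    cl = e.get("CommandLine", "")
    if "Add-MpPreference" not in cl:
        return False
    return re.search(r'''-ExclusionPath\s+["']?[A-Za-z]:\\?["']?(?:\s|$)''', cl) is not None

def mscfile_handler_hijack(e):
    r"""mscfile\shell\open\command rewritten to point somewhere other than mmc.exe."""
    target = e.get("TargetObject", "").lower()
    return (r"\software\classes\mscfile\shell\open\command" in target
            and "mmc.exe" not in e.get("Details", "").lower())

def masqueraded_system32_path(e):
    r"""File created under "Windows \System32" (space before the backslash), not the real System32."""
    return re.search(r"\\windows\s+\\system32\\", e.get("TargetFilename", ""), re.I) is not None

def uac_disabled_via_enablelua(e):
    """EnableLUA written with value 0."""
    target = e.get("TargetObject", "").lower()
    return target.endswith(r"\policies\system\enablelua") and "0x00000000" in e.get("Details", "")

def schtasks_onlogon_highest(e):
    """schtasks /create ... /sc onlogon ... /rl highest, the pattern of the YARA rule above."""
    cl = e.get("CommandLine", "").lower()
    return all(tok in cl for tok in ("schtasks", "/create", "/sc onlogon", "/rl highest"))

# (title, log source category, predicate); titles reuse the page's rule names for readability
RULES = [
    ("Windows Defender Exclusion of C Drive", "process_creation", defender_whole_drive_exclusion),
    ("UAC Bypass via Mscfile Registry Key Modification", "registry_set", mscfile_handler_hijack),
    ("Suspicious File Creation Inside Masqueraded System32 Path", "file_event", masqueraded_system32_path),
    ("Disable UAC via EnableLUA Registry Modification", "registry_set", uac_disabled_via_enablelua),
    ("Scheduled task on logon with highest privileges", "process_creation", schtasks_onlogon_highest),
]

def run_rules(events, rules=RULES):
    """Return {rule title: [event ids]}; a rule only sees events of its own log source category."""
    hits = {}
    for event in events:
        for title, category, predicate in rules:
            if event["category"] == category and predicate(event):
                hits.setdefault(title, []).append(event["id"])
    return hits

if __name__ == "__main__":
    for title, ids in run_rules(EVENTS).items():
        print(f"{title}: events {ids}")
```

The benign events show where the precision of each predicate comes from: an exclusion for `C:\Program Files\Vendor\App` is not a drive root, the real `C:\Windows\System32\` has no space before the backslash, and EnableLUA being set to 1 is a hardening action rather than a bypass. The same distinctions are what keep the published rules from paging on routine administration.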

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
YARA | 3214 | 18971
Sigma | 3361 | 641

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1254
windows / registry_set | 202
windows / file_event | 194
windows / ps_script | 165
windows / security | 156
linux / process_creation | 119
windows / image_load | 107
webserver | 78
windows / system | 72
macos / process_creation | 65
windows / network_connection | 52
proxy | 52
linux / auditd | 48
aws / cloudtrail | 46
azure / activitylogs | 43
windows / registry_event | 38
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 29
azure / signinlogs | 24
okta / okta | 22
windows / dns_query | 22
windows / process_access | 22
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 13
windows / file_delete | 13
github / audit | 13
cisco / aaa | 12
windows / codeintegrity-operational | 10
kubernetes / application / audit | 10
windows / driver_load | 10
linux / file_event | 9
windows / ps_classic_start | 9
windows / create_stream_hash | 9
windows / registry_add | 9
windows / firewall-as | 8
windows / msexchange-management | 8
dns | 8
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
zeek / smb_files | 7
windows / registry_delete | 7
windows / dns-client | 6
windows / file_access | 6
linux / network_connection | 5
kubernetes / audit | 5
jvm / application | 5
zeek / dns | 4
zeek / http | 4
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
m365 / audit | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
windows / dns-server | 2
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
windows / file_change | 2
firewall | 2
spring / application | 2
linux / syslog | 2
windows / security-mitigations | 2
ruby_on_rails / application | 1
windows / capi2 | 1
velocity / application | 1
m365 / exchange | 1
linux / sudo | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
sql / application | 1
linux / vsftpd | 1
zeek / x509 | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
windows / file_rename | 1
windows / sysmon_error | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_status | 1
database | 1
zeek / kerberos | 1
windows / dns-server-analytic | 1
nginx | 1
windows / driver-framework | 1
windows | 1
windows / printservice-admin | 1
windows / printservice-operational | 1
netflow | 1
cisco / bgp | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
fortios / sslvpnd | 1
linux / auth | 1
cisco / ldp | 1
django / application | 1
cisco / syslog | 1
linux / cron | 1
windows / ldap | 1
windows / smbclient-connectivity | 1
linux / guacamole | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
cisco / duo | 1
linux / clamav | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
windows / process_tampering | 1
python / application | 1
paloalto / appliance / globalprotect | 1
windows / appxpackaging-om | 1
windows / raw_access_thread | 1
windows / shell-core | 1
windows / certificateservicesclient-lifecycle-system | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 293
windows / registry_set | 67
windows / ps_script | 66
windows / wmi | 29
windows / file_event | 28
windows / image_load | 28
windows / security | 17
proxy | 12
linux / process_creation | 11
windows / network_connection | 7
windows / system | 7
windows / registry_event | 7
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / pipe_created | 4
windows / sense | 4
windows / create_remote_thread | 4
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / taskscheduler | 3
windows / vhd | 3
webserver | 3
windows / application-experience | 3
windows / registry_delete | 3
windows / kernel-shimengine | 2
windows / process_access | 2
windows / driver_load | 2
windows / bits-client | 2
windows / codeintegrity-operational | 1
windows / file_delete | 1
windows / firewall-as | 1
windows / dns_query | 1
windows / file_rename | 1
macos / process_creation | 1
windows / amsi | 1
windows / application | 1
windows / windefend | 1
windows / audit-cve | 1
windows / file_access | 1
windows / registry-setinformation | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
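Nessus accepts a single .yar file, so a rule set spread over several files joined by `include` statements has to be flattened before upload. The Python below is an added example, not a Tenable or Nextron tool: it inlines includes relative to the including file, hoists `import` statements into one header, and reports rule-name collisions that would otherwise make the merged file fail to compile. The sample rule set embedded in it is constructed and its rule names are hypothetical.

```python
import os
import re

RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)', re.M)
IMPORT_RE = re.compile(r'^[ \t]*import[ \t]+"([^"]+)"[ \t]*$', re.M)
INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+"([^"]+)"[ \t]*$', re.M)

def merge_yara_sources(sources, entry_points):
    """Flatten a rule set into one self-contained .yar text.

    sources: {path: text} for every rule file; entry_points: the top-level files.
    `include` statements are resolved relative to the including file and inlined in
    place (included rules come first, so private rules stay defined before use),
    `import` statements are hoisted into a single header, and rule names are
    checked for collisions.  Returns (merged_text, duplicates), where duplicates is
    a list of (rule_name, first_file, second_file).
    """
    sources = {os.path.normpath(p): t for p, t in sources.items()}
    imports, bodies, duplicates = [], [], []
    first_seen, visited = {}, set()

    def load(path):
        if path in visited:              # a file included twice is emitted once
            return
        visited.add(path)
        text = sources[path]
        for module in IMPORT_RE.findall(text):
            if module not in imports:
                imports.append(module)
        text = IMPORT_RE.sub("", text)

        def inline(match):
            target = os.path.normpath(os.path.join(os.path.dirname(path), match.group(1)))
            load(target)
            return ""
        text = INCLUDE_RE.sub(inline, text)

        for name in RULE_RE.findall(text):
            if name in first_seen and first_seen[name] != path:
                duplicates.append((name, first_seen[name], path))
            first_seen.setdefault(name, path)
        bodies.append(f"// ---- {path} ----\n{text.strip()}\n")

    for entry in entry_points:
        load(os.path.normpath(entry))
    header = "".join(f'import "{module}"\n' for module in imports)
    return header + "\n" + "\n".join(bodies), duplicates

def merge_yara_dir(rule_dir, entry_files, out_path):
    """Disk wrapper: read every .yar/.yara under rule_dir and write the merged upload file."""
    sources = {}
    for root, _, files in os.walk(rule_dir):
        for name in files:
            if name.endswith((".yar", ".yara")):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8") as fh:
                    sources[path] = fh.read()
    merged, duplicates = merge_yara_sources(sources, [os.path.join(rule_dir, e) for e in entry_files])
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(merged)
    return duplicates

# Constructed sample rule set (hypothetical rule names, not Valhalla rules).
SAMPLE_SOURCES = {
    "rules/index.yar": 'import "pe"\ninclude "win/loader.yar"\ninclude "generic.yar"\n\n'
                       'rule SUSP_Example_Main { strings: $a = "evil" condition: $a }\n',
    "rules/win/loader.yar": 'import "pe"\nprivate rule Is_PE { condition: uint16(0) == 0x5A4D }\n'
                            'rule MAL_Example_Loader { condition: Is_PE and pe.number_of_sections > 3 }\n',
    "rules/generic.yar": 'rule SUSP_Example_Main { strings: $b = "dup" condition: $b }\n',
}

if __name__ == "__main__":
    merged, duplicates = merge_yara_sources(SAMPLE_SOURCES, ["rules/index.yar"])
    print(merged)
    for name, first, second in duplicates:
        print(f"duplicate rule name {name}: {first} and {second}")
```

`merge_yara_dir("rules", ["index.yar"], "nessus-upload.yar")` produces the upload file from a directory tree and returns the collisions, which must be resolved by renaming before the upload, since YARA refuses to compile two rules with the same name. Two caveats follow from the Nessus constraints listed above: rules written for file types outside the extension list (Python or shell scripts, for example) are never evaluated by the plugin even though they compile, and module-dependent rules (the `pe` import in the sample) should be tested against the plugin before being relied on, since module support is not stated here.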

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html