
currently serving 22415 YARA rules and 4082 Sigma rules
New Rules per Day (chart)
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule | Description | Date
VULN_Zimbra_XSS_CVE_2024_27443_May25 | Detects a vulnerable version of Zimbra for which an exploit PoC exists. An update is required. | 15.05.2025
EXPL_PY_CVE_2023_43770_Roundcube_May25 | Detects Python scripts that are used to exploit CVE-2023-43770 in Roundcube Webmail | 15.05.2025
MAL_SpyPress_Roundcube_May25 | Detects SpyPress.Roundcube, a JavaScript payload injected into vulnerable Roundcube webmail instances that can steal credentials and create malicious Sieve rules | 15.05.2025
MAL_JS_Roundcube_Cred_Stealer_May25 | Detects JavaScript code that steals login credentials from Roundcube webmail | 15.05.2025
MAL_JS_EXPL_CVE_2023_43770_Roundcube_May25 | Detects malicious JavaScript that is used in exploiting CVE-2023-43770 in Roundcube Webmail | 15.05.2025
VULN_Roundcube_XSS_CVE_2023_43770_May25 | Detects a vulnerable version of Roundcube Webmail for which an exploit PoC exists. An update is required. | 15.05.2025
MAL_LCRYPTORX_Ransomware_May25 | Detects LCRYPTORX ransomware, a VBS-based ransomware that encrypts files with the .lcryx extension and demands payment for decryption | 12.05.2025
HKTL_Defendnot_May25 | Detects Defendnot, a tool used to disable Microsoft Defender by registering with Windows Security Center using undocumented APIs. It mimics the presence of a third-party antivirus and persists via autorun, undermining system protection | 10.05.2025
HKTL_Pocassist_May25 | Detects pocassist, a vulnerability testing framework written in Golang | 09.05.2025
SUSP_PS1_Characteristics_May25 | Detects PowerShell scripts that use functions in an odd way | 09.05.2025
SUSP_Encoded_PE_In_Image_File_May25 | Detects image files that contain encoded executables, a technique often used by droppers to hide payloads on disk | 09.05.2025
HKTL_Glider_Proxy_May25 | Detects Glider, a forward proxy with support for multiple protocols that also acts as a DNS/DHCP server with ipset management features (like dnsmasq) | 09.05.2025
HKTL_WinPEAS_May25 | Detects a PowerShell script version of winPEAS (Windows Privilege Escalation Awesome Script), a tool used by penetration testers and red teamers to automate the discovery of privilege escalation vectors on Windows systems | 09.05.2025
SUSP_EXPL_CVE_2025_31324_May25 | Detects indicators found for CVE-2025-31324 SAP NetWeaver exploitation activity | 09.05.2025
MAL_Lostkeys_Campaign_Stage2_May25 | Detects the Lostkeys campaign device-evasion and stage 3 loader, seen being used by the COLDRIVER threat group | 08.05.2025
MAL_Lostkeys_May25 | Detects Lostkeys, which steals files from a hard-coded list of extensions and directories and sends system information and running processes to the attacker | 08.05.2025
MAL_Lostkeys_Campaign_Decoder_May25 | Detects the Lostkeys campaign decoder script, seen being used by the COLDRIVER threat group | 08.05.2025
MAL_Lostkeys_Campaign_Stage3_May25 | Detects Lostkeys campaign stage 3, which retrieves and decodes the final payload, seen being used by the COLDRIVER threat group | 08.05.2025
SUSP_Obfuscator_Generated_Content_May25 | Detects potentially obfuscated code generated using an obfuscator tool | 08.05.2025
MAL_TerraLogger_May25 | Detects the Terra keylogger, seen being used by the threat actor called Golden Chickens | 08.05.2025
MAL_RomCom_Second_Stage_Variants_May25 | Detects second-stage RomCom variants written in Rust, seen being used to connect to C2 servers and download additional payloads | 07.05.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule | Average AV Detection Rate | Sample Count
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule | AVs | Hash
SUSP_OBFUSC_Reversed_Encoded_Executable_Mar22 | 5 | a1c44b6801b9dc94acafd60cbd09f9a2706a18467c57ada50ba1c0b5c1cb2b79
SUSP_PS1_FromBase64String_Content_Indicator | 1 | 27e95ee7e37d71dd30dcc06251161405623c30d3f1e727833392c1d31c32f4ef
SUSP_VBA_Kernel32_Imports_Jun22_1 | 3 | e759414597e39ce5cc375793b709c40973fc7b058591ec2110efb29520ac6dc0
SUSP_PS1_CaseAnomaly_Chrw_Aug22_1 | 4 | a78c600712610ded154cbcc5c0e95b741eca55c156ecffff369dcfa4b007bafe
CN_Hacktools_dbgntboot_ntboot_ntboot_ntboot | 11 | e99bc01946de1cb817ac1345ff0a0655e05be2b61156dec6a5758099f36bccd1
PUA_ConnectWise_ScreenConnect_Mar23 | 1 | 436e0c00eb16f2930694838618bc56576f32f5a34dfa1b3fde4745efca3302bb
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag | Count
Malware | 6831
Threat Hunting (not subscribable, only in THOR scanner) | 5398
APT | 4956
Hacktools | 4680
Webshells | 2373
Exploits | 665
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule | Description | Date
Execution of Remotely Hosted MSHTA File via UNC Path | Detects execution of mshta.exe with a remote UNC path in the command line (e.g., \\host\share\file.hta). This behavior is commonly associated with threat actors delivering HTA-based payloads hosted on remote systems to gain initial access, for persistence, or to perform lateral movement. | 07.05.2025
MSHTA Execution via Explorer | Detects MSHTA.exe execution spawned by explorer.exe, which could indicate malicious activity. MSHTA.exe is a utility that executes Microsoft HTML Application (HTA) files. While legitimate in the past, its usage in modern environments is rare and often associated with malicious activities. Attackers frequently abuse MSHTA.exe to execute malicious scripts and bypass application allowlisting. It is commonly used to download and execute remote payloads. Nowadays, it has commonly been observed being executed through LNK files or ClickFix campaigns, making it easier for attackers to deliver and run malicious payloads with minimal user interaction. | 07.05.2025
Suspicious Office Add-ins Creation | Detects the creation of Office add-ins by processes other than Microsoft Office applications, which might indicate malicious activity. Threat actors often use such malicious add-ins to gain initial access, typically delivered through phishing emails with malicious Office documents. | 05.05.2025
Fake Document Execution | Detects execution of files that have document extensions in their name but are actually executables. Adversaries may use this technique to masquerade malicious executables as legitimate documents to evade detection and trick users into executing them. | 05.05.2025
Fake Image Execution | Detects execution of binaries that have image file extensions but are actually executables. Adversaries may use an image file extension to disguise malware as image files to avoid detection. | 05.05.2025
Suspicious Office Add-ins Execution | Detects the execution of Office add-ins from suspicious locations or by a suspicious parent process. Office add-ins can be abused for persistence and execution of malicious code. Threat actors often use such malicious add-ins to gain initial access, typically delivered through phishing emails with malicious Office documents. | 05.05.2025
Suspicious MMC Execution From Unusual Location | Detects execution of Microsoft Management Console (MMC.exe) with MSC files from suspicious locations outside of Windows default paths, which may indicate malicious activity such as execution of weaponized MSC files for defense evasion or privilege escalation. Common legitimate MSC files are typically located in Windows system directories. | 25.04.2025
Suspicious BCDEdit Safe Mode Modification | Detects the use of BCDEdit to modify the Windows boot configuration for Safe Mode with minimal services. In this configuration, Windows only loads essential system services and drivers and does not load any third-party software or drivers, including security programs like antivirus and EDRs. This technique is often used by attackers to disable or bypass security software and is considered potentially malicious activity. | 24.04.2025
PUA - Magnet RAM Capture Service Installation - Security | Detects the service installation of the Magnet RAM Capture driver, a legitimate forensics tool that can be abused for malicious purposes. This tool is designed for memory acquisition but has been observed being misused by threat actors for credential harvesting. The tool's signed kernel driver can be exploited to bypass security controls, making it attractive for adversaries seeking to evade detection. | 24.04.2025
PowerPoint PPCore.dll Sideloading Attempt | Detects potential DLL sideloading attempts through PowerPoint.exe loading ppcore.dll from suspicious locations. Adversaries have also been observed using a renamed powerpoint.exe to sideload ppcore.dll, possibly to bypass detection. | 23.04.2025
Suspicious NT Windows Autorun Key Modification | Detects suspicious NT autorun key modification patterns that are not commonly used or modified by legitimate programs. This could indicate an adversary's attempt to persist in a stealthy manner. | 23.04.2025
Suspicious NT Windows Autorun Key Modification - Registry | Detects suspicious modification patterns to the Windows NT autorun key. This could indicate an adversary's attempt to persist in a stealthy manner. | 23.04.2025
Potential Webshell Upload in SharePoint or Exchange Directories | Detects the creation of suspicious files in SharePoint or Exchange directories that could indicate a webshell upload. Webshells are malicious scripts that threat actors install or upload on targeted websites to gain remote access to the system. Often, they serve as an initial point of infection in cyberattacks. | 22.04.2025
TypeLib COM Hijacking Attempt | Detects attempts to hijack TypeLib COM objects through registry modifications via reg.exe or PowerShell. In this technique, adversaries modify TypeLib registry entries to redirect legitimate COM objects to a malicious file found locally or hosted remotely. | 22.04.2025
TypeLib COM Hijacking Attempt - Registry | Detects TypeLib registry modifications that indicate potential TypeLib COM hijacking attempts. Attackers may alter TypeLib registry entries to redirect COM objects to malicious local or remote files. | 22.04.2025
Hacktool Katz Variants - Credential Dumping Tool Execution (Powershell) | Detects potential usage of unwanted credential dumping hack tools that follow naming conventions similar to mimikatz.exe. Red team developers frequently incorporate "katz" in their tool names to indicate the credential dumping functionality of their tool. | 21.04.2025
Hacktool - Credential Dumper Katz Variants Execution | Detects execution of potential credential dumping hack tools with naming patterns similar to mimikatz.exe. It is common practice among offensive tool developers to use the "katz" string in the tool name, hinting that the tool is a credential dumping tool. | 21.04.2025
Internet Connection Discovery | Detects attempts to check internet connectivity to common destinations using ping or tracert commands. After a compromise, threat actors may use these commands to verify internet access or to check for network restrictions. | 18.04.2025
Suspicious Process Spawned by CentreStack Portal AppPool | Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406) | 17.04.2025
Suspicious CrushFTP Child Process | Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe, etc.) that attackers typically use post-exploitation to execute malicious commands. | 10.04.2025
Suspicious Attempts to Disable Windows Event Logging Service - Powershell | Detects attempts to disable the Windows Event Logging service through PowerShell using CimInstance, WmiObject, or Set-Service. The Event Logging service is responsible for logging system events in Windows, which is critical for security monitoring and auditing. Disabling this service can prevent the logging of important security events, making it a potential indicator of malicious activity. Adversaries may use this technique to limit data available for detection and audits. | 09.04.2025
Windows Event Logging Service Auto-Start Disabled | Detects service configuration modifications that disable the event logging service. The Windows Event Logging service is responsible for logging system events that are critical for security monitoring and auditing. Disabling this service can prevent the logging of important security events, making it a potential indicator of malicious activity. Adversaries may use this technique to limit data available for detection and audits. | 09.04.2025
Suspicious Attempts to Disable Windows Event Logging Service | Detects suspicious attempts to disable the Windows Event Logging service by changing its startup type to "disabled". The Event Logging service records system events in Windows and is critical for security monitoring and auditing. Disabling this service prevents logging of security events, which can indicate malicious activity. Adversaries may use this technique to evade detection and limit data available for security monitoring. | 09.04.2025
Registry Modification to Disable Event Logging - Process | Detects attempts to modify Windows Event Logging registry keys, which could indicate an adversary trying to disable system event logging. This is a common defense evasion technique where attackers try to prevent their activities from being logged by disabling the Windows Event Logging service. A successful attack would significantly impair system auditing and security monitoring capabilities. | 09.04.2025
Registry Modification to Disable Event Logging - Registry | Detects registry modifications attempting to disable the Windows Event Log service. The Event Log service records critical system events on Windows systems. Adversaries may attempt to disable this service to evade detection by preventing the logging of security-relevant events. This technique is commonly used to limit data available for security monitoring and forensic analysis. | 09.04.2025
PUA - GoodSync Execution | Detects execution of GoodSync, a legitimate file synchronization and backup tool that adversaries can abuse for data exfiltration. GoodSync is a popular file synchronization and backup application that can be used to transfer files between systems and is very common in many organizations. If GoodSync is not normally used in your enterprise, this warrants further investigation as it could be a sign of data exfiltration. | 08.04.2025
PUA - WinSCP Execution | Detects execution of WinSCP, a popular open-source SFTP client that can be used to transfer files between systems. Adversaries have been known to abuse WinSCP for data exfiltration by transferring files to remote servers. This rule might have false positives as WinSCP is a very popular and widely used SFTP client, so it may be installed on systems for legitimate purposes. But if you see execution of WinSCP on computers where you do not usually expect it, such as in accounting or finance departments, this warrants further investigation as it could be a sign of data exfiltration. | 08.04.2025
PUA - MegaTools Execution | Detects the execution of the Potentially Unwanted Application (PUA) MegaTools. MegaTools is a command-line interface for the Mega.nz cloud storage service, which allows users to upload and download files. Adversaries have been known to abuse MegaTools for data exfiltration by uploading or downloading files to/from Mega.nz. If MegaTools is not normally used in your enterprise, this warrants further investigation as it could be a sign of data exfiltration. | 08.04.2025
PUA - WinSCP Installer Execution | Detects execution of the WinSCP installer, which is used to install WinSCP, a popular open-source SFTP client. WinSCP is a file transfer client that can be used to transfer files between systems. Adversaries have been known to abuse WinSCP for data exfiltration by transferring files to remote servers. If you see WinSCP being installed on computers where you do not usually expect it, such as in accounting or finance departments, this warrants further investigation as it could be a sign of data exfiltration. | 08.04.2025
PUA - FreeFileSync Execution | Detects execution of FreeFileSync, a legitimate tool that can be abused for data exfiltration. FreeFileSync is a folder comparison and synchronization application that can be used to transfer files between systems. If FreeFileSync is not normally used in your enterprise, this warrants further investigation as it could be a sign of data exfiltration. | 08.04.2025
YARA/SIGMA Rule Count
Rule Type | Community Feed | Nextron Private Feed
Yara | 3212 | 19203
Sigma | 3366 | 716
Sigma Rules Per Category (Community)
Type | Count
windows / process_creation | 1258
windows / registry_set | 202
windows / file_event | 194
windows / ps_script | 166
windows / security | 156
linux / process_creation | 119
windows / image_load | 107
webserver | 78
windows / system | 72
macos / process_creation | 65
windows / network_connection | 52
proxy | 52
linux / auditd | 48
aws / cloudtrail | 46
azure / activitylogs | 43
azure / auditlogs | 38
windows / registry_event | 38
windows / ps_module | 33
windows / application | 29
azure / signinlogs | 24
okta / okta | 22
windows / dns_query | 22
windows / process_access | 22
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
windows / create_remote_thread | 13
windows / file_delete | 13
github / audit | 13
m365 / threat_management | 13
cisco / aaa | 12
kubernetes / application / audit | 10
windows / driver_load | 10
windows / codeintegrity-operational | 10
windows / ps_classic_start | 9
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / firewall-as | 8
windows / msexchange-management | 8
dns | 8
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
windows / registry_delete | 7
zeek / smb_files | 7
windows / dns-client | 6
windows / file_access | 6
linux / network_connection | 5
jvm / application | 5
kubernetes / audit | 5
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
zeek / dns | 4
windows / sysmon | 4
zeek / http | 4
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
m365 / audit | 3
windows / dns-server | 2
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
windows / file_change | 2
firewall | 2
spring / application | 2
windows / security-mitigations | 2
linux / syslog | 2
m365 / threat_detection | 1
zeek / rdp | 1
windows / sysmon_error | 1
database | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_status | 1
windows / dns-server-analytic | 1
windows / driver-framework | 1
windows | 1
windows / printservice-admin | 1
nginx | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
netflow | 1
cisco / ldp | 1
windows / lsa-server | 1
windows / wmi | 1
fortios / sslvpnd | 1
linux / auth | 1
cisco / bgp | 1
django / application | 1
cisco / syslog | 1
windows / ldap | 1
windows / smbclient-connectivity | 1
linux / guacamole | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
windows / process_tampering | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
cisco / duo | 1
linux / cron | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
python / application | 1
paloalto / appliance / globalprotect | 1
linux / clamav | 1
windows / appxpackaging-om | 1
windows / raw_access_thread | 1
windows / shell-core | 1
velocity / application | 1
zeek / x509 | 1
windows / capi2 | 1
windows / file_executable_detected | 1
linux / sudo | 1
windows / certificateservicesclient-lifecycle-system | 1
ruby_on_rails / application | 1
m365 / exchange | 1
linux / vsftpd | 1
windows / microsoft-servicebus-client | 1
windows / file_rename | 1
sql / application | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
Sigma Rules Per Category (Nextron Private Feed)
Type | Count
windows / process_creation | 335
windows / registry_set | 70
windows / ps_script | 69
windows / image_load | 40
windows / file_event | 36
windows / wmi | 29
windows / security | 19
linux / process_creation | 12
proxy | 12
windows / network_connection | 8
windows / system | 8
windows / registry_event | 7
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / sense | 4
windows / pipe_created | 4
windows / taskscheduler | 4
windows / create_remote_thread | 4
windows / ps_classic_script | 3
windows / vhd | 3
webserver | 3
windows / application-experience | 3
windows / registry_delete | 3
windows / hyper-v-worker | 3
windows / driver_load | 3
windows / bits-client | 2
windows / process_access | 2
windows / kernel-shimengine | 2
windows / dns_query | 1
macos / process_creation | 1
windows / windefend | 1
windows / application | 1
windows / firewall-as | 1
windows / codeintegrity-operational | 1
windows / file_access | 1
windows / amsi | 1
windows / registry-setinformation | 1
windows / audit-cve | 1
windows / file_delete | 1
windows / file_rename | 1
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls