currently serving 22780 YARA rules and 4206 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
APT_UNC3944_VSphere_Forensic_Artifacts_Jul25 | Detects forensic artifacts related to the UNC3944 group, specifically targeting vSphere environments. This rule identifies log entries that indicate unauthorized SSH access configuration changes on the vCenter Server Appliance (VCSA). | 24.07.2025
SUSP_ESXi_Disable_ExecInstalledOnly_Jul25 | Detects usage of the ESXi command to disable the 'execInstalledOnly' kernel setting, which allows execution of unauthorized binaries on the host. Commonly observed in post-exploitation scenarios to enable execution of attacker tools on ESXi systems. | 24.07.2025
SUSP_VCSA_SSH_Configuration_Requests_Jul25 | Detects log entries on the VCSA that enable unauthorized shell access, which is a common tactic used by threat actors to maintain persistence and control over compromised systems. | 24.07.2025
PUA_Teleport_Jul25 | Detects the Teleport utility, which is often used for remote access and management. It is sometimes misused by threat actors and can be considered a Potentially Unwanted Application (PUA). | 24.07.2025
HKTL_WIN_EnumEDR_Jul25 | Detects the EnumEDR tool used to enumerate EDRs on Windows systems | 24.07.2025
HKTL_LNX_RingReaper_Jul25_1 | Detects the RingReaper Linux implant | 24.07.2025
SUSP_Implant_Indicators_ImplantDLL_Jul25 | Detects indicators found in implant DLL files | 24.07.2025
SUSP_Implant_Indicators_Imphash_Jul25 | Detects suspicious implant indicators based on imphash | 24.07.2025
HKTL_DreamWalker_Implants_Jul25 | Detects DreamWalkers implants based on specific characteristics | 24.07.2025
SUSP_Implant_Indicators_Jul25 | Detects unknown implants based on indicators | 24.07.2025
MAL_NightHawk_Loader_Jul25 | Detects the NightHawk loader | 24.07.2025
APT_EXPL_Sharepoint_CVE_2025_53770_Encoded_Commandline_Jul25 | Detects encoded command lines used during the exploitation of the SharePoint RCE vulnerability CVE-2025-53770 | 24.07.2025
EXPL_LNX_Unknown_Exploit_Jul25 | Detects unknown exploit code for Linux | 24.07.2025
SUSP_LNX_Exploit_Indicators_Jul25 | Detects indicators found in Linux exploit files | 24.07.2025
WEBSHELL_ASPX_SharPyShell_Jul25_1 | Detects the SharPyShell ASPX web shell | 23.07.2025
MAL_CVE_2025_53770_Jul25 | Detects indicators of compromise and exploitation related to CVE-2025-53770 | 22.07.2025
MAL_SharePoint_MachineKeyExtraction_Jul25 | Detects a page that invokes internal .NET methods to read the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey. These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity. | 22.07.2025
SUSP_B64_Encoded_Commands_Jul25 | Detects suspicious base64-encoded commands | 22.07.2025
MAL_Email_SharePoint_MachineKeyExtraction_Jul25 | Detects an email that contains code invoking internal .NET methods to read the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey. These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity. | 22.07.2025
LOG_SUSP_EXPL_CVE_2025_53770_Jul25 | Detects indicators of compromise and exploitation related to CVE-2025-53770 | 22.07.2025
MAL_PS1_CVE_2025_53770_Exploit_Activity_Jul25 | Detects PowerShell that iterates through files on the endpoint and stores the contents of those files into another file, as seen in CVE-2025-53770 exploitation activity | 22.07.2025
MAL_C_SharePoint_MachineKeyExtraction_Jul25 | Detects C# code that invokes internal .NET methods to read the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey. These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity. | 22.07.2025
MAL_PYC_LAMEHUG_Jul25 | Detects a compiled Python script that uses an LLM to generate commands based on statically entered text | 20.07.2025
WEBSHELL_ASPX_Sharepoint_Drop_CVE_2025_53770_Jul25 | Detects an ASPX web shell dropped during the exploitation of the SharePoint RCE vulnerability CVE-2025-53770 | 20.07.2025
WEBSHELL_ASPX_Compiled_Sharepoint_Drop_CVE_2025_53770_Jul25_2 | Detects a compiled ASPX web shell dropped during the exploitation of the SharePoint RCE vulnerability CVE-2025-53770 | 20.07.2025
APT_EXPL_Sharepoint_CVE_2025_53770_ForensicArtefact_Jul25_1 | Detects URIs accessed during the exploitation of the SharePoint RCE vulnerability CVE-2025-53770 | 20.07.2025
APT_EXPL_Sharepoint_CVE_2025_53770_ForensicArtefact_Jul25_2 | Detects URIs accessed during the exploitation of the SharePoint RCE vulnerability CVE-2025-53770 | 20.07.2025
MAL_ELF_Executor_Jul25 | Detects a binary that allows a user to execute commands or binaries as the root user on Linux hosts | 20.07.2025
MAL_Chinese_Downloader_Jul25 | Detects a malicious Chinese downloader that uses API hashing | 18.07.2025
MAL_Chinese_Stealer_Jul25 | Detects a malicious Chinese stealer that uses string obfuscation | 18.07.2025

Successful YARA Rules in Set

This table shows statistics of the best-performing rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash
SUSP_PS1_Characteristics_Jul23_1 | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
CobaltStrike_Unmodifed_Beacon | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
AppLocker_Rundll32_Bypass_Method | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
SUSP_EXPL_UserAdd_Administrators_Aug22_1 | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
HKTL_CobaltStrike_C2_Profile_Indicator_May21_1 | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
HKTL_Reverse_Shell_Patterns_Jan23_1 | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
SUSP_PS1_IEX_From_Download_Dec22_1 | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
CobaltStrike_Unmodifed_Beacon | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
HKTL_CobaltStrike_C2_Profile_Indicator_May21_1 | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
HKTL_LNX_GenShell_Feb21_1 | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
HKTL_LNX_GenShell_Feb21_1 | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
Registry_ADD_Debugger_Backdoor | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
SUSP_HKTL_Defender_Bypass_Patterns_Jan22_1 | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
HKTL_MSF_Keywords_Jul20_1 | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
AppLocker_InstallUtil_Bypass_Method | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
SUSP_PS1_IEX_From_Download_Dec22_1 | 13 | 0eb977ab821422fa1770524d3022075e93b3ec163659078f62a354a7a4448bab
SUSP_Encoded_RansomNote_Jun21 | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
AppLocker_InstallUtil_Bypass_Method | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
SUSP_Encoded_NewObject_NetWebclient_2 | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6
HKTL_Procdump_BAT_Jan13 | 13 | 26b1746bf2d742e6d1e9c784d771044e5469432f6307e24824f368d428a951d6

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag | Count
Malware | 7004
Threat Hunting (not subscribable, only in THOR scanner) | 5498
APT | 5002
Hacktools | 4721
Webshells | 2382
Exploits | 681

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create | Detects the creation of files such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. | 21.07.2025
Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators | Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in post-exploitation activities. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. | 21.07.2025
SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS | Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. | 21.07.2025
Potential SSH Tunnel Persistence Install Using A Scheduled Task | Detects the creation of new scheduled tasks via the command line using Schtasks.exe. This rule detects task creations that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server. | 14.07.2025
ADExplorer Writing Complete AD Snapshot Into .dat File | Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for BloodHound, usernames for password spraying, or the metadata for social engineering. The snapshot doesn't contain password hashes, but there have been cases where administrators put passwords in the comment field. | 09.07.2025
Failed Logon from Known Bad Hostname | Detects failed RDP logon attempts or accessing of a network share from a system using a known bad hostname. This hostname is probably part of a golden image attackers use for their attacks. | 09.07.2025
Logon from Known Bad Hostname | Detects a successful RDP logon or accessing of a network share from a system using a known bad hostname. This hostname is probably part of a golden image attackers use for their attacks. | 09.07.2025
FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse | Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique. | 05.07.2025
HackTool - Doppelanger LSASS Dumper Execution | Detects the execution of the Doppelanger hacktool, which is used to dump LSASS memory via process cloning while evading common detection methods | 01.07.2025
HackTool - HollowReaper Execution | Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries. | 01.07.2025
FileFix - Suspicious Child Process from Browser File Upload Abuse | Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities. | 26.06.2025
Potential Notepad++ CVE-2025-49144 Exploitation | Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path. This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside the legitimate Notepad++ installer. The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++. | 26.06.2025
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing | Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. | 20.06.2025
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation | Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised. | 20.06.2025
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network | Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. | 20.06.2025
Attempts of Kerberos Coercion Via DNS SPN Spoofing | Detects the presence of the "UWhRC....AAYBAAAA" pattern in a command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or a check for the presence of such records through the `nslookup` command. | 20.06.2025
SystemRoot Environment Variable Hijacking | Detects potential environment variable hijacking of the `SystemRoot` or `windir` variables. Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. | 17.06.2025
Potential Service Environment Variable Tampering | Detects modifications to service environment variables in the Windows registry that could indicate an attempt to tamper with system environment variables. This technique is often used for privilege escalation or persistence by modifying the `SystemRoot` or `windir` variables to point to malicious locations. | 17.06.2025
Trusted Path Bypass via Windows Directory Spoofing | Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g. "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges, bypassing UAC. | 17.06.2025
Suspicious Download and Execute Pattern via Curl/Wget | Detects suspicious use of command-line tools such as curl or wget to download remote content, particularly scripts, into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks. | 17.06.2025
Suspicious Remote Shares Process Execution Patterns | Detects process execution from WebDAV or other remote shares with suspicious command line parameters like direct public IPs or suspicious domain patterns. It could be an indication of potential lateral movement or exploitation attempts where processes are executed from remote locations, especially if they involve known utilities or scripts that could be abused for malicious purposes. | 16.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 | Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053, which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation. | 13.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access | Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV. | 13.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load | Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading Windows system DLLs like gdi32.dll, netapi32.dll, etc. | 13.06.2025
System Information Discovery via Registry Queries | Detects attempts to query system information directly from the Windows Registry. | 12.06.2025
Inverted HTTP Protocol Handler In Command Line | Detects the use of an inverted HTTP protocol handler, which may be used by malware to evade detection when downloading payloads. Threat actors may use inverted protocol handlers to obfuscate their commands, trying to bypass security controls that look for specific patterns in command lines. | 11.06.2025
Usage of Inverted HTTP Protocol Handler - PowerShell | Detects the use of an inverted HTTP protocol handler in PowerShell commands or scripts. Threat actors may use inverted protocol handlers in malware loaders/droppers to obfuscate their commands while downloading second-stage payloads or other malicious content, trying to bypass security controls that look for specific patterns in command lines. | 11.06.2025
Potential AMSI Bypass Attempt Using CDB Debugger | Detects potential AMSI bypass attempts using the CDB debugger to manipulate the AmsiScanBuffer function. It is not common behavior to use the CDB debugger with the "-cf" flag and a "powershell" command line. | 10.06.2025
Suspicious SSH Execution With Custom Config From Unusual Location | Detects SSH being executed with a custom configuration file in a suspicious location. Threat actors may use this technique to establish a backdoor or maintain persistence by using a custom SSH configuration file. | 09.06.2025
HKTL - SharpSuccessor Privilege Escalation Tool Execution | Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in Windows Server 2025 Active Directory environments. Successful usage of this tool can let attackers gain domain admin privileges by exploiting the BadSuccessor vulnerability. | 06.06.2025

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2685 | 20095
Sigma | 3414 | 792

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1276
windows / registry_set | 203
windows / file_event | 198
windows / ps_script | 165
windows / security | 158
linux / process_creation | 120
windows / image_load | 110
webserver | 82
windows / system | 73
macos / process_creation | 67
linux / auditd | 53
proxy | 52
windows / network_connection | 52
aws / cloudtrail | 46
azure / activitylogs | 43
azure / auditlogs | 38
windows / registry_event | 38
windows / ps_module | 33
windows / application | 30
windows / dns_query | 25
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
azure / riskdetection | 19
opencanary / application | 18
windows / pipe_created | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
windows / file_delete | 13
github / audit | 13
m365 / threat_management | 13
cisco / aaa | 12
windows / create_remote_thread | 12
kubernetes / application / audit | 10
windows / driver_load | 10
windows / codeintegrity-operational | 10
windows / ps_classic_start | 9
windows / create_stream_hash | 9
dns | 9
windows / registry_add | 9
linux / file_event | 9
windows / firewall-as | 8
windows / msexchange-management | 8
azure / pim | 7
windows / appxdeployment-server | 7
windows / file_access | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
windows / registry_delete | 7
zeek / smb_files | 7
antivirus | 7
windows / dns-client | 6
jvm / application | 5
kubernetes / audit | 5
zeek / dns | 5
zeek / http | 5
linux / network_connection | 5
windows / iis-configuration | 4
zeek / dce_rpc | 4
windows / sysmon | 4
windows / taskscheduler | 4
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
m365 / audit | 3
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
firewall | 2
windows / file_change | 2
windows / security-mitigations | 2
linux / syslog | 2
spring / application | 2
windows / dns-server | 2
windows / driver-framework | 1
windows | 1
windows / dns-server-analytic | 1
nginx | 1
windows / printservice-admin | 1
netflow | 1
cisco / bgp | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
linux / auth | 1
cisco / ldp | 1
fortios / sslvpnd | 1
linux / cron | 1
windows / appmodel-runtime | 1
django / application | 1
cisco / syslog | 1
linux / guacamole | 1
huawei / bgp | 1
windows / ldap | 1
nodejs / application | 1
windows / smbclient-connectivity | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
windows / process_tampering | 1
paloalto / file_event / globalprotect | 1
cisco / duo | 1
linux / clamav | 1
windows / appxpackaging-om | 1
python / application | 1
paloalto / appliance / globalprotect | 1
windows / shell-core | 1
windows / raw_access_thread | 1
windows / capi2 | 1
ruby_on_rails / application | 1
zeek / x509 | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
m365 / exchange | 1
linux / sudo | 1
velocity / application | 1
linux / vsftpd | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
windows / file_rename | 1
sql / application | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_status | 1
zeek / kerberos | 1
windows / sysmon_error | 1
database | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 369
windows / registry_set | 75
windows / ps_script | 73
windows / image_load | 41
windows / file_event | 38
linux / process_creation | 33
windows / wmi | 29
windows / security | 22
proxy | 12
windows / system | 9
windows / network_connection | 8
windows / registry_event | 8
windows / kernel-event-tracing | 6
windows / ps_module | 5
windows / ntfs | 5
windows / pipe_created | 4
windows / sense | 4
windows / taskscheduler | 4
windows / registry_delete | 4
windows / create_remote_thread | 4
windows / ps_classic_script | 3
windows / vhd | 3
windows / application-experience | 3
windows / hyper-v-worker | 3
windows / driver_load | 3
webserver | 3
windows / windefend | 2
windows / process_access | 2
windows / bits-client | 2
windows / codeintegrity-operational | 2
windows / kernel-shimengine | 2
macos / process_creation | 1
windows / application | 1
windows / firewall-as | 1
windows / file_delete | 1
windows / registry-setinformation | 1
windows / audit-cve | 1
windows / file_access | 1
linux / file_event | 1
windows / dns_query | 1
windows / file_rename | 1
windows / amsi | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html