currently serving 22917 YARA rules and 4224 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
MAL_LNX_SSH_Server_Sep25
Detects malicious SSH client with backdoor, noticed in November 2022
02.09.2025
HKTL_VCenter_Abuse_Sep25
Detects Python scripts which can be used to forged authentication cookies or extract certificates
01.09.2025
SUSP_PY_SubProcess_Install_Pip_Aug25_1
Detects suspicious Python subprocess calls to install other modules via pip (which should be an administrative task and not performed by user scripts)
30.08.2025
SUSP_OBFUSC_PY_Import_Function_Combo_Aug25_1
Detects suspicious chain of imported Python functions often used in obfuscated loaders
30.08.2025
SUSP_OBFUSC_PY_Loader_Indicators_Aug25_1
Detects suspicious patterns in Python loader scripts
30.08.2025
SUSP_OBFUSC_PY_Loader_Indicators_Encoded_Aug25_1
Detects suspicious patterns in encoded Python loader scripts
30.08.2025
SUSP_OBFUSC_PY_Import_Function_Combo_Base85_Aug25_1
Detects suspicious combination of function including b85decode() and exec() often found in loaders
30.08.2025
SUSP_OBFUSC_PY_Import_Function_Base64_Exec_Combo_Aug25_1
Detects suspicious chain of Python functions often used in obfuscated loaders
30.08.2025
SUSP_OBFUSC_PY_Import_Function_Exec_Combo_Aug25_1
Detects suspicious combinations of Python functions often used in obfuscators
30.08.2025
SUSP_OBFUSC_PY_Imports_Exec_Combo_Aug25_1
Detects suspicious combinations of Python functions often used in obfuscated loaders
30.08.2025
SUSP_OBFUSC_PY_Imports_Exec_Combo_Encoded_Aug25_1
Detects suspicious base64 encoded combinations of Python functions often used in obfuscated loaders
30.08.2025
SUSP_OBFUSC_PY_Imports_Combo_Aug25_1
Detects suspicious combinations of Python functions often used in obfuscators like PyByteObfuscator
30.08.2025
SUSP_OBFUSC_PY_B85Decode_Function_Combo_Aug25_3
Detects suspicious combinations of Python base64.b85decode function usage often found in obfuscated Python code
30.08.2025
SUSP_OBFUSC_PY_Function_Combo_Aug25_4
Detects suspicious combinations of Python function usage often found in obfuscated Python code
30.08.2025
SUSP_OBFUSC_PY_Function_Combo_Encoded_Aug25_4
Detects suspicious combinations of Python function usage often found in obfuscated Python code
30.08.2025
EXPL_Citrix_Netscaler_CoreDump_Indicators_Aug25
Detects indicators of exploitation in Citrix Netscaler CoreDump files
29.08.2025
SUSP_OBFUSC_PY_B85Decode_Function_Combo_Aug25_1
Detects suspicious combinations of Python base64.b85decode function usage often found in malicious code
29.08.2025
SUSP_OBFUSC_PY_B85Decode_Function_Combo_Aug25_2
Detects suspicious combinations of Python base64.b85decode function usage often found in obfuscated Python code
29.08.2025
SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25
Detects ELF obfuscation technique used by Sindoor dropper related to APT 36
29.08.2025
SUSP_LNX_Sindoor_DesktopFile_Aug25
Detects ELF obfuscation technique used by Sindoor dropper related to APT 36
29.08.2025
MAL_Sindoor_Decryptor_Aug25
Detects AES decryptor used by Sindoor dropper related to APT 36
29.08.2025
MAL_Sindoor_Downloader_Aug25
Detects Sindoor downloader related to APT 36
29.08.2025
SUSP_LNX_DesktopFile_Phishing_Aug25
Detects phishing attempt using Linux desktop file masquerading PDF files
28.08.2025
MAL_PromptLock_Aug25
Detects AI-powered PromptLock ransomware written in Go which generates malicious Lua scripts on the fly
27.08.2025
APT_CN_Salt_Typhoon_SFTP_Client_New2_Aug25
Detects SFTP client indicators related to Chinese state-sponsored actors
27.08.2025
APT_CN_Salt_Typhoon_SFTP_Client_Aug25
Detects SFTP client indicators related to Chinese state-sponsored actors
27.08.2025
APT_CN_Salt_Typhoon_Forensic_Artifacts_Aug25
Detects indicators often found in forensic artifacts related to Chinese state-sponsored actors
27.08.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
HKTL_Nightmangle_Indicators_Sep23
1
0a7d9ee934552d4bce7da90b684fe56770c1ff44d008f35402967ed44643d2a5
SUSP_Go_Process_Injection_Indicators_Jan23
8
afa33a9e354a1a731f4970b9a1e477ba514dc2224a8cd654040d2ec768f0d0de
SUSP_HKTL_Hacktool_Strings_Oct21_1
2
c9203c4f6bcb02ed9cf0cb72b79529cb4b1578801eee9e009107bf0257e018ec
SUSP_Double_Base64Encoded_Kernel32_Functions
2
cc59dadbe74ca537a920f561ceb442fcd53a6cf2952aa748944bbb94f0e2542d
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
7069
Threat Hunting (not subscribable, only in THOR scanner)
5543
APT
5012
Hacktools
4731
Webshells
2391
Exploits
693
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
PowerShell Creating Hidden File
Detects PowerShell commands that create hidden files in the Windows file system, which may indicate malicious activity or an attempt to hide persistence mechanisms.
Threat actors may use PowerShell to create hidden files often containing malicious scripts or payloads, leveraging the 'Hidden' attribute.
13.08.2025
PowerShell Executing Base64 Code From Registry
Detects PowerShell command lines that retrieve base64-encoded content from the registry and execute it.
Threat actors often stage their payloads in the registry in fileless attacks, using PowerShell to decode and execute the malicious code.
13.08.2025
Suspicious Hex-Encoded Values in Registry Keys
Detects suspicious registry modifications where LOLBins (Living Off The Land Binaries) write long hexadecimal-encoded strings to user-writable registry keys.
This pattern is commonly observed in fileless malware attacks where threat actors store encoded payloads (shellcode, scripts, or commands) in the registry to evade detection and maintain persistence.
The rule specifically monitors PowerShell, reg.exe, script engines, and other commonly abused Windows binaries that adversaries leverage for registry manipulation.
13.08.2025
Windows MFA Tool Uninstallation via WMI
Detects the uninstallation of the Windows Multi-Factor Authentication (MFA) tool such as Duo Authentication for Windows Logon through Windows Management Instrumentation (WMI).
These MFA tools are used to enhance security by requiring additional verification during the login process. Thus, threat actors may attempt to uninstall these tools to bypass mfa.
01.08.2025
Windows Recovery Environment Disabled Via Reagentc
Detects attempts to disable windows recovery environment using Reagentc.
ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
31.07.2025
Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
30.07.2025
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll.
JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
and others in order to load malicious payloads in context of legitimate Java processes.
25.07.2025
SharePoint CVE-2025-53770 ToolShell Exploitation Commandline
Detects potential SharePoint exploitation (CVE-2025-53770) using ToolShell.
This rule looks for suspicious command lines that may indicate the use of ToolShell
to exploit SharePoint vulnerabilities. The detection is based on known patterns
of exploitation, such as the presence of specific paths and commands related to
SharePoint installations.
24.07.2025
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
24.07.2025
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
22.07.2025
SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
21.07.2025
Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
21.07.2025
Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
Detects the creation of file such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
21.07.2025
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
14.07.2025
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
11.07.2025
Windows Defender Threat Severity Default Action Modified
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
11.07.2025
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
An attacker might use this technique via the command line to bypass defenses before executing payloads.
11.07.2025
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
09.07.2025
Failed Logon from Known Bad Hostname
Detects failed RDP logon attempts or accessing of a network share from a system using a known bad hostname. This hostname is probably part of a golden image attackers use for their attacks.
09.07.2025
Windows Defender Context Menu Removed
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
09.07.2025
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
09.07.2025
Logon from Known Bad Hostname
Detects a successful RDP logon or accessing of a network share from a system using a known bad hostname. This hostname is probably part of a golden image attackers use for their attacks.
09.07.2025
FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
05.07.2025
HackTool - Doppelanger LSASS Dumper Execution
Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
01.07.2025
HackTool - HollowReaper Execution
Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
01.07.2025
FileFix - Suspicious Child Process from Browser File Upload Abuse
Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
26.06.2025
Potential Notepad++ CVE-2025-49144 Exploitation
Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
26.06.2025
Suspicious URL Opening via PowerShell
Detects usage of PowerShell to start a URL as a process, which opens a web browser and may trigger a file download if the content cannot be rendered.
Threat Actors may use this PowerShell command to download second-stage payloads for execution.
25.06.2025
Suspicious URL Opening via CMD Start Command
Detects usage of cmd.exe to start a URL, which opens a web browser and may trigger a file download if the content cannot be rendered.
Threat Actors may use this cmd one-liner to download second-stage payloads for execution.
25.06.2025
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
20.06.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
2702
20215
Sigma
3422
802
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1280
windows / registry_set
203
windows / file_event
199
windows / ps_script
165
windows / security
158
linux / process_creation
120
windows / image_load
111
webserver
82
windows / system
73
macos / process_creation
67
linux / auditd
53
windows / network_connection
52
proxy
52
aws / cloudtrail
46
azure / activitylogs
43
windows / registry_event
39
azure / auditlogs
38
windows / ps_module
33
windows / application
30
windows / dns_query
25
azure / signinlogs
24
windows / process_access
23
okta / okta
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
windows / file_delete
13
github / audit
13
cisco / aaa
12
windows / create_remote_thread
12
kubernetes / application / audit
10
windows / driver_load
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
windows / create_stream_hash
9
dns
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
windows / msexchange-management
8
windows / registry_delete
8
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
windows / file_access
7
windows / bits-client
7
gcp / google_workspace.admin
7
zeek / smb_files
7
windows / dns-client
6
zeek / http
5
linux / network_connection
5
jvm / application
5
kubernetes / audit
5
zeek / dns
5
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
m365 / audit
3
windows / dns-server
2
apache
2
onelogin / onelogin.events
2
macos / file_event
2
qualys
2
windows / file_change
2
firewall
2
windows / security-mitigations
2
linux / syslog
2
spring / application
2
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
sql / application
1
m365 / threat_detection
1
linux / sudo
1
zeek / rdp
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
database
1
windows / sysmon_status
1
windows / driver-framework
1
windows
1
windows / dns-server-analytic
1
nginx
1
windows / printservice-admin
1
cisco / bgp
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-operational
1
netflow
1
cisco / ldp
1
fortios / sslvpnd
1
linux / auth
1
windows / ldap
1
django / application
1
cisco / syslog
1
linux / cron
1
huawei / bgp
1
windows / applocker
1
nodejs / application
1
windows / smbclient-connectivity
1
linux / guacamole
1
juniper / bgp
1
windows / appmodel-runtime
1
windows / openssh
1
windows / process_tampering
1
paloalto / file_event / globalprotect
1
linux / clamav
1
windows / appxpackaging-om
1
python / application
1
paloalto / appliance / globalprotect
1
cisco / duo
1
windows / shell-core
1
windows / raw_access_thread
1
windows / capi2
1
ruby_on_rails / application
1
zeek / x509
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
velocity / application
1
m365 / exchange
1
linux / vsftpd
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
377
windows / registry_set
76
windows / ps_script
73
windows / image_load
42
windows / file_event
38
linux / process_creation
33
windows / wmi
29
windows / security
22
proxy
12
windows / system
9
windows / network_connection
8
windows / registry_event
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / pipe_created
4
windows / sense
4
windows / taskscheduler
4
windows / registry_delete
4
windows / create_remote_thread
4
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / application-experience
3
windows / driver_load
3
windows / hyper-v-worker
3
windows / codeintegrity-operational
2
windows / kernel-shimengine
2
windows / windefend
2
windows / process_access
2
windows / bits-client
2
windows / dns_query
1
windows / file_rename
1
macos / process_creation
1
windows / amsi
1
windows / application
1
windows / audit-cve
1
windows / file_access
1
windows / registry-setinformation
1
windows / file_delete
1
linux / file_event
1
windows / firewall-as
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR