currently serving 21642 YARA rules and 3880 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
SUSP_SMBLibrary_Nov24
Detects unsigned C# binaries using SMBLibrary a, free, Open Source, user-mode SMB 1.0/CIFS, SMB 2.0, SMB 2.1 and SMB 3.0 server and client library. It is used by legitimate software but also many hacktools
04.11.2024
PUA_RMM_Meshagent_Nov24
Detects Meshagent, a remote management tool sometimes abused by threat actors
04.11.2024
HKTL_CSHARP_SOAPHound_Nov24
Detects SOADHound, a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
04.11.2024
SUSP_HTML_HTMLSmuggling_Payload_Nov24
Detects characteristics found in HTML smuggling payloads
01.11.2024
SUSP_PE_Characteristics_Nov24
Detects suspicious characteristics in PE files
01.11.2024
SUSP_VBS_GuLoader_Payload_Nov24
Detects suspicious code fragments found in the final decoded Guloader stages
01.11.2024
SUSP_OBFUSC_Base64_Encoded_VBS_Payloads_Nov24
Detects suspicious Base64 encoded VBS payloads
01.11.2024
SUSP_PE_Notepad_Reference_Oct24
Detects a reference to notepad.exe in a PE file
31.10.2024
SUSP_PE_Debug_Privilege_Oct24
Detects suspicious indicator for debug privileges often used by process dumpers or injectors
31.10.2024
SUSP_PE_LSASS_Reference_Oct24
Detects a reference to lsass.exe in a PE file, which is a common indicator for process dumpers
31.10.2024
HKTL_Chrome_App_Bound_Encryption_Decryption_Oct24
Detects tools that decrypt App-Bound encrypted keys in Chrome 127+, using the IElevator COM interface with path validation and encryption protections
31.10.2024
SUSP_Chrome_Stealer_Indicators_Oct24_1
Detects indicators often found in Chrome credential stealers
31.10.2024
HKTL_PY_ADCSync_Oct24
Detects ADCSync, a hacktool to use ADCS-ESC1 to perform a makeshift DCSync and dump hashes
28.10.2024
SUSP_Go_Binary_Function_Name_Oct24
Detects Go binaries with suspicious main function names
28.10.2024
HKTL_Go_Nifo_Oct24
Detects nifo - a tool that removes AVs / EDRs with physical access - files nifo-arm64.exe, nifo-x64.exe
27.10.2024
MAL_VBS_PUFFPASTRY_Backdoor_Oct24
Detects characteristics found in PUFFPASTRY samples mentioned in A LNK Between Browsers report by Mandiant
27.10.2024
SUSP_VBS_Characteristics_Oct24_1
Detects samples with similarity to PUFFPASTRY samples mentioned in A LNK Between Browsers report by Mandiant
27.10.2024
SUSP_VBS_Loader_Oct24_1
Detects characteristics found in malicious VBS code (probably a common loader)
27.10.2024
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_OBFUSC_Hex_Encoded_Wscript_Case_Anomaly_Sep20_1
2
40c92031cdc4ad9c21a51c419596c1ffce18a89e58064beaced1b45d0554016c
SUSP_PS1_Loader_Indicators_Oct23_1
14
d2a3420b6a3ffd3c230dc1c42b2cc86c47456344d7a314f75950bcbee6fb7b1f
SUSP_FromBase64_StartProcess_Combo_Mar21_1
14
d2a3420b6a3ffd3c230dc1c42b2cc86c47456344d7a314f75950bcbee6fb7b1f
Casing_Anomaly_verbosepreference
14
d2a3420b6a3ffd3c230dc1c42b2cc86c47456344d7a314f75950bcbee6fb7b1f
SUSP_EtwEventWrite_Import_Aug21_1
2
b1876f3bf15980d21ea795133bbf6f7a2e67291a25cc6adfc0081ab4ece2a10a
SUSP_EtwEventWrite_Import_Aug21_1
1
4c0131d5ba83cceed029f500bb4230dbf19b8a0cb04d133e892b89bb48145fed
SUSP_Combo_DOMDocument_Base64Data_May22
2
940de64f86be54d49d3883532e1ea0aeaafc35270c9efd7cd5275f5dc444f5f3
SUSP_EtwEventWrite_Import_Aug21_1
1
3701f848d8a4379781258281eae8ab5399740ef4899d97f6a37640dc6f2963f0
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6441
Threat Hunting (not subscribable, only in THOR scanner)
5177
APT
4891
Hacktools
4575
Webshells
2339
Exploits
636
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
01.11.2024
.RDP File Created by Outlook Process
Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use RDP files as attachments.
01.11.2024
ValleyRAT Malware Registry Modification
Detects creation of registry keys used to store C2 seen used by the ValleyRAT malware
28.10.2024
Registry Modifications to Change Default Programs Handling Files
Detects change to the default program handling file extension, which could be used by threat actors to run there malware when a certain extension is opened.
28.10.2024
Hacktool Nifo Usage
Detects Nifo - a tool that disables Windows AV/EDR software by corrupting their files offline via physical access
27.10.2024
Curl Variable Execution
Detecting curl execution with variable being passed as the domain to fetch data, could be used by threat actor to hide the actul malicious domain.
20.10.2024
Domain Obfuscation
Detecting domain obfuscation used by threat actor to hide the actual C2 used.
20.10.2024
MSC File Execution From Potential Suspicious Location
Detecting execution of Microsoft Management Console (MMC) files from potentially suspicious locations.
20.10.2024
IMEEX Framework Registry Modification Detected
Detects modifications to registry keys associated with the IMEEX malware framework, a tool used by attackers to gain extensive control over compromised Windows systems.
12.10.2024
Potential Conti Ransomware Activity
Detects a specific command line pattern based on flags used by the Conti ransomware
07.10.2024
Wazuh Agent Remote Execution
Detects enabling of remote commands in the Wazuh agent. By setting this value to 1, the agent is allowed to accept and execute remote commands from the Wazuh manager or other controlling systems. This could be used for legitimate remote administration, but it also opens up the potential for misuse if the Wazuh manager or server it's connecting to is malicious or compromised, as it grants significant control over the agent.
07.10.2024
ETW Logging/Processing Option Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
06.10.2024
HTTP Logging Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
06.10.2024
New Module Module Added To IIS Server
Detects the addition of a new module to an IIS server.
06.10.2024
Previously Installed IIS Module Was Removed
Detects the removal of a previously installed IIS module.
06.10.2024
Possible Windows Defender Exclusion Discovery
Detects a suspicious MpCmdRun.exe process command line that looks as if someone was trying to find Windows Defender exclusions
06.10.2024
Toneshell Registry Activity
Detects 'Demeter' registry key used to store a randomly generated victim identifier used by 'Toneshell' malware
05.10.2024
Renamed Python.exe Execution
Detects the execution of python.exe that has been renamed to a different name to avoid detection
01.10.2024
Detection of Renamed ADExplorer.exe
Detects instances of ADExplorer.exe that have been renamed, indicating potential malicious activity.
30.09.2024
Detection of Renamed WinRAR
Detects instances of WinRAR that have been renamed to fsutil.exe, indicating potential malicious packing of files.
30.09.2024
Detection of Renamed PuTTY.exe
Detects instances of PuTTY.exe clients that have been renamed, indicating potential malicious activity utilizing legitimate remote access tools.
30.09.2024
Registry Modifications to Disable Windows Security Center Features
Detects modifications to the Windows Registry intended to disable various Security Center features, these changes can indicate an attempt by malicious actors to evade security measures, suppress important security notifications, or establish persistence on the system by disabling critical security functionalities.
29.09.2024
Renamed RCLONE.EXE Execution
Detects the execution of a renamed "RCLONE.exe" binary based on the PE metadata fields
27.09.2024
Renamed SharpHound.EXE Execution
Detects the execution of a renamed "SharpHound.exe" binary based on the PE metadata fields
25.09.2024
Potential StarRailBase.dll Sideloading
Detects potential DLL sideloading of "StarRailBase.dll", which is part of the Honkai game.
23.09.2024
Remote Access Tool - MeshAgent Command Execution via MeshCentral
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
22.09.2024
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3197
18445
Sigma
3341
539
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1246
windows / registry_set
201
windows / file_event
190
windows / ps_script
165
windows / security
157
linux / process_creation
120
windows / image_load
105
webserver
78
windows / system
72
macos / process_creation
65
windows / network_connection
52
proxy
52
linux / auditd
48
azure / activitylogs
43
aws / cloudtrail
42
azure / auditlogs
38
windows / registry_event
38
windows / ps_module
33
windows / application
28
azure / signinlogs
24
okta / okta
22
windows / process_access
22
windows / dns_query
21
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
m365 / threat_management
13
cisco / aaa
12
windows / ps_classic_start
10
kubernetes / application / audit
10
windows / driver_load
10
windows / codeintegrity-operational
10
windows / create_stream_hash
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
windows / msexchange-management
8
dns
8
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
windows / registry_delete
7
gcp / google_workspace.admin
7
windows / bits-client
7
zeek / smb_files
7
windows / file_access
6
windows / dns-client
6
jvm / application
5
kubernetes / audit
5
linux / network_connection
5
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dns
4
zeek / dce_rpc
4
windows / sysmon
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
zeek / http
3
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
windows / file_change
2
firewall
2
spring / application
2
windows / security-mitigations
2
m365 / audit
2
linux / syslog
2
windows / diagnosis-scripted
1
windows / sysmon_status
1
m365 / threat_detection
1
linux / vsftpd
1
zeek / rdp
1
windows / terminalservices-localsessionmanager
1
zeek / kerberos
1
windows / sysmon_error
1
database
1
windows
1
windows / dns-server-analytic
1
windows / driver-framework
1
windows / printservice-admin
1
nginx
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-operational
1
netflow
1
cisco / ldp
1
fortios / sslvpnd
1
linux / auth
1
cisco / bgp
1
windows / ldap
1
django / application
1
cisco / syslog
1
linux / cron
1
windows / smbclient-connectivity
1
huawei / bgp
1
windows / appmodel-runtime
1
windows / openssh
1
windows / process_tampering
1
nodejs / application
1
paloalto / file_event / globalprotect
1
cisco / duo
1
linux / guacamole
1
juniper / bgp
1
windows / applocker
1
python / application
1
paloalto / appliance / globalprotect
1
linux / clamav
1
windows / appxpackaging-om
1
windows / capi2
1
windows / shell-core
1
windows / raw_access_thread
1
windows / certificateservicesclient-lifecycle-system
1
windows / file_executable_detected
1
velocity / application
1
linux / sudo
1
windows / microsoft-servicebus-client
1
ruby_on_rails / application
1
m365 / exchange
1
zeek / x509
1
windows / smbclient-security
1
windows / file_rename
1
sql / application
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
230
windows / registry_set
62
windows / ps_script
56
windows / wmi
29
windows / file_event
23
windows / image_load
18
proxy
12
windows / security
11
linux / process_creation
11
windows / network_connection
7
windows / system
7
windows / registry_event
6
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / sense
4
windows / pipe_created
4
windows / create_remote_thread
4
windows / hyper-v-worker
3
windows / ps_classic_script
3
webserver
3
windows / vhd
3
windows / application-experience
3
windows / registry_delete
3
windows / bits-client
2
windows / driver_load
2
windows / kernel-shimengine
2
windows / taskscheduler
2
windows / codeintegrity-operational
1
windows / windefend
1
windows / audit-cve
1
windows / dns_query
1
windows / registry-setinformation
1
windows / firewall-as
1
windows / file_delete
1
windows / file_access
1
windows / file_rename
1
macos / process_creation
1
windows / amsi
1
windows / process_access
1
windows / application
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR