currently serving 22202 YARA rules and 4020 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
HKTL_NET_Rubeus_Mar25
Detects Rubeus post exploitation tool. Rubeus is used for privilege escalation and credential extraction.
25.03.2025
MAL_LSASS_Stealer_Mar25
Detects lsassStealer - a tool to exfiltrate Lsass dumps disguised as NTP requests
24.03.2025
SUSP_NET_Base64_Xor_Implementation_Mar25
Detects .NET applications using XOR-based encryption/decryption for Base64 strings. This is commonly observed in packed malware and may indicate obfuscation or malicious intent, warranting further analysis.
24.03.2025
SUSP_PY_Malware_Indicators_Mar25
Detects suspicious Python malware indicators. This rule is a generic rule that might generate false positives. A match should be further investigated.
21.03.2025
SUSP_Base64_UserAgent_Definition_Mar25
Detects suspicious base64 encoded user agent definition in small files
21.03.2025
SUSP_PS1_OBFUSC_Patterns_Mar25
Detects suspicious obfuscated PowerShell scripts. This rule is a generic rule that might generate false positives. A match should be further investigated.
21.03.2025
SUSP_SchTasks_Create_OnLogon_Mar25
Detects suspicious schtasks command line that creates a task on logon with highest privileges
21.03.2025
SUSP_UAC_ByPass_Indicators_Mar25
Detects suspicious UAC bypass indicators
21.03.2025
SUSP_ShellCode_Injection_Indicators_Mar25
Detects suspicious shellcode injection indicators
21.03.2025
MAL_XML_Injector_Mar25
Detects XML which is used to store FaceXInjector that written in C#
20.03.2025
MAL_APT_MirrorFace_Injector_Mar25
Detects MirrorFace injector, seen being used by MirrorFace APT group
20.03.2025
SUSP_PY_Base64_Code_Mar25
Detects suspicious Base64 encoded Python code. This rule is a generic rule that might generate false positives. A match should be further investigated.
20.03.2025
SUSP_SVG_JS_Payload_Mar25
Detects a suspicious SVG file that contains a JavaScript payload. This rule is a generic rule that might generate false positives. A match should be further investigated.
20.03.2025
MAL_ELF_AutoColor_Backdoor_Mar25
Detects AutoColor backdoor which is used for stealth and persistence, using evasive techniques to avoid detection while maintaining remote control over infected machines
19.03.2025
SUSP_Github_Repo_Name_Mar25
Detects suspicious GitHub repository names. This rule is a generic rule that might generate false positives. A match should be further investigated.
19.03.2025
SUSP_JAVA_ByteCode_Indicators_Mar25_1
Detects suspicious contents in JAVA classes (previously subset of SUSP_JAVA_ByteCode_Indicators_Feb22_1)
19.03.2025
SUSP_PS1_OBFUSC_Xor_Mar25
Detects PowerShell xor obfuscation designed to obscure payloads.
18.03.2025
MAL_RANSOM_PrincessLocker_Varients_Mar25
Detects PrincessLocker ransomware variants written in Go
18.03.2025
SUSP_LNK_PS1_Download_Mar25
Detects LNK file that downloads a file using PowerShell.
18.03.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
MAL_Sednit_DelphiDownloader_Apr18_2
2
276ffbbb97910368db6479cc59dd36e75744229c13b6212de44c8ef05a40726f
WEBSHELL_PHP_By_String_Known_Webshell
14
61590864886ad5f5f67faba542677b8ca71b9587df7b65a566d16e5867975869
SUSP_OBF_NET_Reactor_JIT_Encryption_Feb25
1
ff13c0e2c34297865b4140948cd42121baad1694678aadc8efbba4535dbcbf5e
SUSP_OBF_NET_Reactor_JIT_Encryption_Feb25
3
b0a498739c42fc28665972dd96a8e547ff764554d6fb21f8e89bb686a1069994
SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23
2
3c0beafe10ed810a9ab8beafb0dd5db554b75e2f7f0d94a3ed41eb2b10d11cc8
SUSP_Encoded_GetCurrentThreadId_Ext1_Aug20
4
056dcf38a1f9e6e30883e3049cf4f7b0cbc0b08c743db795ed7d80c749da478a
SUSP_Base64_Encoded_GetEnvironmentVariable
13
d2d05ec8647c5ccc418c4767b6e214dd7511454e6a11edcf4e6cb0a0074cfcf7
PUA_ConnectWise_ScreenConnect_Mar23
1
ff1ac7601399cfc74a53fdc64891d1f70c9aceef6ca27f03e83a560c578ab548
PUA_ConnectWise_ScreenConnect_Mar23
1
dd364e78020d3c86322cc3dc2fbd4ee1cc1e4818f322e718ead0631350e53a12
SUSP_Base64_Encoded_GetEnvironmentVariable
9
254d7a86acaac4d6d31d9c77207a8f16ba16a2a1cf1cb27e90588da27731c3e6
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6732
Threat Hunting (not subscribable, only in THOR scanner)
5337
APT
4929
Hacktools
4656
Webshells
2364
Exploits
658
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Potential ArphaDump64.DLL Sideloading
Detects potential DLL sideloading of "arphaDump.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code.
24.03.2025
HackTool - Ladon Penetration Testing Tool Execution
Detects execution of Ladon, a penetration testing tool used for network scanning and exploitation.
Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale network penetration,
including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell.
18.03.2025
Windows Defender Disable Attempt via DISM
Detects attempts to disable Windows Defender using Deployment Image Servicing and Management (DISM.exe) utility.
DISM is a legitimate Windows utility, which is used to install, uninstall, configure, and update the features and packages in offline Windows images and offline Windows Preinstallation Environment (WinPE) images.
Adversaries may attempt to disable Windows Defender using DISM to evade detection and prevent their malware from being caught.
This technique is particularly concerning as DISM is a legitimate Windows utility, making the malicious activity harder to distinguish from normal system administration.
18.03.2025
HackTool - SharpNBTScan Execution
Detects execution of SharpNBTScan, a tool used for NetBios Scanning. Adversaries use this tool for hostname and IP address enumeration.
18.03.2025
PUA - Angry IP Scanner Execution
Detects execution of Angry IP Scanner, a network scanning tool.
Adversaries may use this tool for network discovery, identifying potential targets, and mapping out network infrastructure during the reconnaissance phase of an attack.
18.03.2025
Suspicious Execution From Public Folder
Detects execution of suspicious files (like .bat, .exe, .ps1, etc.) from the Public folder, which may indicate execution of dropped malicious payloads.
This technique is commonly used by ransomware actors, including BlackBasta, to execute their malware from publicly accessible locations.
Legitimate software rarely installs executables in Public folders, making this behavior suspicious.
18.03.2025
PowerShell Enumeration of Security Products via WMI/CIM - Powershell
Detects Powershell commands that query the SecurityCenter2 namespace using Get-WmiObject or Get-CimInstance, potentially for AV/AntiSpyware reconnaissance.
Threat actors often use these powershell commands to enumerate installed security products on a system to identify security solutions present on the system,
plan evasion tactics based on discovered security products, and determine potential weaknesses in the security posture.
This technique is commonly used in the initial reconnaissance phase of an attack.
17.03.2025
Windows Defender Exclusion of C Drive - PowerShell
Detects attempts to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning.
Adversaries may attempt to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning to avoid detection of their malicious activities.
The entire C:\ drive, including all its subdirectories (C:\Windows\, C:\Program Files\, C:\Users\, etc.), will not be scanned. This can be used to hide malware from being detected by Microsoft Defender Antivirus.
13.03.2025
Windows Defender Exclusion of C Drive
Detects attempts to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning.
Adversaries may attempt to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning to avoid detection of their malicious activities.
The entire C:\ drive, including all its subdirectories (C:\Windows\, C:\Program Files\, C:\Users\, etc.), will not be scanned. This can be used to hide malware from being detected by Microsoft Defender Antivirus.
13.03.2025
Cmd Querying For Virtualization Software
Detects commandline querying for virtualization software, which may indicate an attempt to detect virtual environments as part of evasion techniques used by malware.
11.03.2025
Windows Defender Deletion Attempt
Detects attempts to delete Windows Defender related files and folders.
Adversaries may attempt to disable Windows Defender by deleting its files and folders to carry out their further malicious activities without getting caught
11.03.2025
Suspicious Scheduled Task Creation of Legitimate MSC File - Security
Detection the creation of suspicious Windows Scheduled Tasks related to .msc files such as 'CompMgmt' or 'eventvwr'.
These are legitimate Windows files to launch used to launch management tools and configure system settings.
During their execution, they check the registry key `HKCU\Software\Classes\mscfile\shell\open\command`
to determine the location of `mmc.exe`, which is used to open these files such as the `eventvwr.msc` or `CompMgmt.msc`.
If the registry value is modified to point to a malicious binary, that binary will be executed instead of `mmc.exe` as a privileged process, bypassing the UAC prompt.
Adversaries could exploit this by modifying the `HKCU\Software\Classes\mscfile\shell\open\command` registry key to point to a malicious binary,
allowing it to run with elevated privileges without user consent bypassing UAC.
For persistence, they could create a scheduled task to ensure the malicious binary is executed.
Therefore, it is also recommended to verify whether the registry value has been tampered with or not to verify malicious activity.
07.03.2025
Suspicious Scheduled Task Creation of Legitimate MSC File - Process
Detects the creation of suspicious Windows Scheduled Tasks via `schtasks.exe`, related to .msc files such as 'CompMgmt' or 'eventvwr'.
These are legitimate Windows services, but during their execution, they check the registry key
`HKCU\Software\Classes\mscfile\shell\open\command` to determine the location of `mmc.exe`,
which is used to open the `eventvwr.msc` or `CompMgmt.msc`. If the registry value is modified to point to a malicious binary,
that binary will be executed instead of `mmc.exe` as a privileged process, bypassing the UAC prompt.
Adversaries could exploit this by modifying the `HKCU\Software\Classes\mscfile\shell\open\command` registry key to point to a malicious binary,
allowing it to run with elevated privileges without user consent bypassing UAC.
For persistence, they could create a scheduled task of these services to ensure the malicious binary is executed.
Therefore, it is also recommended to verify whether the registry value has been tampered with or not to verify malicious activity.
07.03.2025
UAC Bypass via Mscfile Registry Key Modification
Detects attempts to modify the registry key HKCU\Software\Classes\mscfile\shell\open\command
to point to a malicious binary (e.g., c:\Users\AppData\Local\Temp\Malware.exe) for potential exploitation.
This could be indicative of adversaries attempting to replace mmc.exe with a malicious binary
for privilege escalation without triggering a UAC prompt. Executing any kind of .msc file will
then execute the malicious binary with elevated privileges.
07.03.2025
Hiding Files or Folders in Uncommon Location Using Attrib.exe
Detects the suspicious usage of attrib.exe to hide files or folders in suspicious or uncommon location. Adversaries often drop their malicious files on suspicious locations like public folders, temporary directories, etc.
To avoid being visible to the user, they may use attrib.exe to hide the files.
04.03.2025
Disable UAC via EnableLUA Registry Modification
Detects attempts to disable User Account Control (UAC) by modifying the EnableLUA registry key.
Disabling UAC lowers system security by allowing processes to run with elevated privileges without user consent.
Adversaries may disable UAC to escalate privileges or execute malicious code without triggering security prompts, making detection and containment more difficult.
03.03.2025
Uncommon CDB Child Processes
Detects Uncommon child processes spawned by Microsoft Console Debugger
27.02.2025
Potential Data Exfiltration Via Powershell
Detects powershell commands that potentially performing data exfiltration.
27.02.2025
Potential AV Reconnaissance Via Powershell
Detects Powershell commands that query the SecurityCenter2 namespace using Get-WmiObject or Get-CimInstance, potentially for AV/AntiSpyware reconnaissance.
Threat actors often use these powershell commands to enumerate installed security products on a system to identify security solutions present on the system,
plan evasion tactics based on discovered security products, and determine potential weaknesses in the security posture.
This technique is commonly used in the initial reconnaissance phase of an attack.
27.02.2025
Suspicious File Creation Inside Masqueraded System32 Path
Detects suspicious file creation event in the System32 directory where an adversary attempts to masquerade the path using a space between "Windows" and "\System32".
This technique may be used for to bypass UAC through hijacking dll load flow abuse, logging mechanisms, or detection rules that rely on exact path matching.
Attackers may leverage this to deploy malware, persistence mechanisms, or execute payloads stealthily.
27.02.2025
Renamed CDB.exe Execution
Detects the execution of a renamed Microsoft Console Debugger "CDB.exe" binary based on the PE metadata fields
27.02.2025
Suspicious Process Loading PowerShell Engine
Detects suspicious processes loading the PowerShell engine, which may indicate the execution of PowerShell commands outside of powershell.exe. Adversaries often abuse this technique for stealthy execution of malicious scripts, defense evasion. Common benign applications rarely load this DLL, making it a useful indicator of suspicious activity.
27.02.2025
Potentially Suspicious Execution of Printui
Detects suspicious execution of printui.exe, running from outside its legitimate path, which is highly unusual.
This may indicate attempt for DLL search order hijacking or side-loading.
27.02.2025
Suspicious Standard Tool Injection And Lateral Movement
Detects suspicious activity where payloads are injected into legit windows executables. The injected module facilitate lateral movement, execute commands on remote endpoints, and exfiltrate data. This behavior is associated with the SquidDoor backdoor and could be used by diffrent actors/malwares.
27.02.2025
Suspicious PowerShell Execution Using Curl And IEX
Detects suspicious execution of PowerShell processes that utilize curl and iex in the command line. This behavior is commonly associated with malicious script execution, remote code retrieval, and execution from external sources.
27.02.2025
Potential FMAPP.DLL Sideloading
Detects potential DLL sideloading of "fmApp.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code
26.02.2025
Potential Logexts.DLL Sideloading
Detects potential DLL sideloading of "logexts.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code
26.02.2025
Potential McUtil.DLL Sideloading
Detects potential DLL sideloading of "mcutil.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code
26.02.2025
Potential Sensapi.DLL Sideloading
Detects potential DLL sideloading of "sensapi.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code
26.02.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3212
18990
Sigma
3361
659
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1254
windows / registry_set
202
windows / file_event
194
windows / ps_script
165
windows / security
156
linux / process_creation
119
windows / image_load
107
webserver
78
windows / system
72
macos / process_creation
65
windows / network_connection
52
proxy
52
linux / auditd
48
aws / cloudtrail
46
azure / activitylogs
43
azure / auditlogs
38
windows / registry_event
38
windows / ps_module
33
windows / application
29
azure / signinlogs
24
okta / okta
22
windows / dns_query
22
windows / process_access
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
cisco / aaa
12
kubernetes / application / audit
10
windows / driver_load
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
windows / create_stream_hash
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
dns
8
windows / msexchange-management
8
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
gcp / google_workspace.admin
7
windows / bits-client
7
windows / registry_delete
7
zeek / smb_files
7
windows / dns-client
6
windows / file_access
6
linux / network_connection
5
kubernetes / audit
5
jvm / application
5
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
zeek / dns
4
zeek / http
4
windows / sysmon
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
m365 / audit
3
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
windows / file_change
2
firewall
2
windows / security-mitigations
2
spring / application
2
linux / syslog
2
windows / sysmon_error
1
zeek / rdp
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_status
1
database
1
windows / dns-server-analytic
1
windows / driver-framework
1
windows
1
windows / printservice-operational
1
nginx
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
netflow
1
cisco / bgp
1
windows / lsa-server
1
windows / wmi
1
fortios / sslvpnd
1
linux / auth
1
cisco / ldp
1
windows / ldap
1
django / application
1
cisco / syslog
1
linux / guacamole
1
nodejs / application
1
windows / smbclient-connectivity
1
linux / cron
1
juniper / bgp
1
windows / appmodel-runtime
1
windows / process_tampering
1
paloalto / file_event / globalprotect
1
linux / clamav
1
huawei / bgp
1
windows / applocker
1
windows / openssh
1
python / application
1
paloalto / appliance / globalprotect
1
cisco / duo
1
windows / appxpackaging-om
1
windows / raw_access_thread
1
windows / shell-core
1
ruby_on_rails / application
1
windows / capi2
1
linux / sudo
1
zeek / x509
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
velocity / application
1
m365 / exchange
1
windows / file_rename
1
sql / application
1
m365 / threat_detection
1
linux / vsftpd
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
301
windows / registry_set
67
windows / ps_script
66
windows / image_load
38
windows / wmi
29
windows / file_event
28
windows / security
17
proxy
12
linux / process_creation
11
windows / network_connection
7
windows / system
7
windows / registry_event
7
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / pipe_created
4
windows / sense
4
windows / create_remote_thread
4
windows / ps_classic_script
3
windows / taskscheduler
3
webserver
3
windows / vhd
3
windows / registry_delete
3
windows / application-experience
3
windows / hyper-v-worker
3
windows / kernel-shimengine
2
windows / process_access
2
windows / bits-client
2
windows / driver_load
2
windows / firewall-as
1
windows / file_rename
1
macos / process_creation
1
windows / windefend
1
windows / application
1
windows / amsi
1
windows / codeintegrity-operational
1
windows / registry-setinformation
1
windows / audit-cve
1
windows / file_access
1
windows / dns_query
1
windows / file_delete
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR