currently serving 23028 YARA rules and 4230 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
APT_MAL_BRICKSTORM_Sep25
Detects BRICKSTORM that employs sophisticated techniques to maintain persistence and minimize the visibility of traditional security tools, seen being used by UNC5221
25.09.2025
SUSP_LNX_Init_Persistence_Sep25
Detects possible evidence that an actor persisted an implant by modifying init scripts, /etc/sysconfig files, rc.local, or systemd-related config
25.09.2025
SUSP_WIN_Task_ServiceUI_Sep25
Detects possible misuse of ServiceUI.exe via Windows task scheduler
23.09.2025
SUSP_SC_Change_Service_Permissions_Sep25
Detects suspicious service permission changes via SC.EXE. Threat actors have been observed changing service permissions using SC.EXE escalate privileges and also load malicious drivers in some cases.
17.09.2025
SUSP_Encoded_VBA_Downloader_Sep25
Detects hex encoded VBA downloader that downloads a payload and execute it
17.09.2025
MAL_JS_NPM_SupplyChain_Attack_Github_Workflow_Sep25
Detects webpacked JavaScript used in supply-chain attack on NPM packages
16.09.2025
SUSP_JS_NPM_SupplyChain_Attack_PostInstallScript_Sep25
Detects postinstall script in package.json used in supply-chain attack on NPM packages
16.09.2025
MAL_JS_NPM_SupplyChain_Compromise_Sep25
Detects a supply chain compromise in NPM packages (TinyColor, CrowdStrike etc.)
16.09.2025
SUSP_TruffleHog_Indicators_Sep25
Detects suspicious references to TruffleHog download URLs on Github
16.09.2025
SUSP_PS1_Loader_Patterns_Sep25
Detects PowerShell loaders
15.09.2025
SUSP_HKTL_Tor_Browser_Loaders_Sep25
Detects PowerShell Tor browser loaders
15.09.2025
HKTL_PS1_Loader_Characteristics_Sep25_2
Detects PowerShell loader characteristics
15.09.2025
HKTL_Loader_Indicators_Sep25_1
Detects characteristics found in unknown loaders
15.09.2025
HKTL_ShellCode_Loader_Indicators_Sep25
Detects characteristics found in various shell code loaders
15.09.2025
SUSP_HKTL_Veeam_Export_Sep25
Detects characteristics found in Veeam Backup and Replication scripts that export the passwords for decryption
15.09.2025
HKTL_WerfaultSecure_Dumper_Sep25_1
Detects a tool that uses WerfaultSecure.exe program to dump the memory of processes protected by PPL (Protected Process Light), such as LSASS.EXE
15.09.2025
MAL_JS_NPM_SupplyChain_Attack_Sep25
Detects obfuscated JavaScript in NPM packages used in supply chain crypto stealer attacks in September 2025
09.09.2025
MAL_Go_Tunneler_Sep25
Detects Go based Tunneler malware
08.09.2025
HKTL_KillAV_Sep25
Detects KillAV tool that drops an encrypted driver to repeatedly terminate security processes, seen being used by Warlock ransomware
08.09.2025
SUSP_TXT_File_Association_Hijack_Sep25
Detects software that modifies the Windows file association for .txt files, modifying the registry - malware uses this technique so that every time a .txt file is opened, a malicious payload is executed.
05.09.2025
SUSP_C2_Communication_Using_SOCKET_APIs_Sep25
Detects suspicious C2 communication using socket connections in x64 binaries
05.09.2025
SUSP_JS_Reverse_Shell_Indicators_Sep25
Detects suspicious indicators found in JavaScript reverse shell scripts.
05.09.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
PUA_ConnectWise_ScreenConnect_Mar23
5
d21ea44518c59122faf6b606cd0c2b957791cda4f18b192466ef8a5a8424bb0c
PUA_ConnectWise_ScreenConnect_Mar23
7
26e71f5768e466ffd12c0e868f7fb135700cc19b86f089a0a808498bbbf5cc64
PUA_ConnectWise_ScreenConnect_Mar23
7
11e94d8898c6ac9c2b3f4c21a46ce8ccdd782149f599ed48daa810b51c93a670
PUA_ConnectWise_ScreenConnect_Mar23
13
a11d6b647e29a9f60c222c81bcff7f0f5e30dfe19244716fdc97ce824335bfa6
PUA_ConnectWise_ScreenConnect_Mar23
13
d4e33bd657a998807dcfa74e60f11b8eb1b2e6470e436e18ad19265849cea197
PUA_ConnectWise_ScreenConnect_Mar23
11
6809cb609fb0d35da00feb6025aba55f11067141934660652f23faa2cdfae08f
HKTL_Injection_ShellCode_Keywords
9
515a6e35397dd6ce69da43a29666420a7ab33540c4e75cc7cb0cfa13e3ada1aa
PUA_ConnectWise_ScreenConnect_Mar23
12
0f5f3673d2ab4128602f88f424614fe641380b601b0dea1765190083701aea1e
CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x
13
4abf9f9168022e5edae21cc35c2a208ab9b11301851ec4c2cfd7854e94726fdd
PUA_ConnectWise_ScreenConnect_Mar23
13
9377a81f03916f0d7e9460b5c64914e51f67cbaab8124307335e4c1be71468be
PUA_ConnectWise_ScreenConnect_Mar23
13
9d41e628c529b224697520ae642322651e7f5895790876e3d7b55832dc3716ca
PUA_ConnectWise_ScreenConnect_Mar23
12
8b9579a4c31e11be2e314bfe03092f909e762fe37ee99735c1ee8d3bc47c8e08
PUA_ConnectWise_ScreenConnect_Mar23
13
4b4d2f2a8853b84a471daa96b87c85841cc6318bb950359b509954c48bb4759f
PUA_ConnectWise_ScreenConnect_Mar23
4
3c085458ecf353beddf83fbd3ea150503455d64e3d6fbdfa48036910808282f9
PUA_ConnectWise_ScreenConnect_Mar23
10
d61060111f16d567eb14b6e1544cc48fd2ad7b8eb32ba3d61f9c231d5a76245d
HKTL_MAL_CobaltStrike_Loader_Feb23_1
10
bba369ad719ac0fc47f0b90341c6046ecb66c1b603e07265fcadb122599225f3
PUA_ConnectWise_ScreenConnect_Mar23
5
7b661a7e4f7b0489bd8506e0fdc5be2beab58f98b74b95c39de14b1837477012
PUA_ConnectWise_ScreenConnect_Mar23
13
be36161638ed802c516f86eeb3905ea082ea51b8cffb882562f9ac837cfce043
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
7109
Threat Hunting (not subscribable, only in THOR scanner)
5607
APT
5015
Hacktools
4740
Webshells
2392
Exploits
693
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Service Permissions Change via SC.EXE
Detects attempts to modify service permissions using sc.exe command with privs parameter
17.09.2025
Suspicious Python Base64 One-liner Execution
Detects execution of Python one-liner command associated with invoking base64 module, potentially for obfuscation or evasion purposes.
03.09.2025
PowerShell Creating Hidden File
Detects PowerShell commands that create hidden files in the Windows file system, which may indicate malicious activity or an attempt to hide persistence mechanisms.
Threat actors may use PowerShell to create hidden files often containing malicious scripts or payloads, leveraging the 'Hidden' attribute.
13.08.2025
PowerShell Executing Base64 Code From Registry
Detects PowerShell command lines that retrieve base64-encoded content from the registry and execute it.
Threat actors often stage their payloads in the registry in fileless attacks, using PowerShell to decode and execute the malicious code.
13.08.2025
Suspicious Hex-Encoded Values in Registry Keys
Detects suspicious registry modifications where LOLBins (Living Off The Land Binaries) write long hexadecimal-encoded strings to user-writable registry keys.
This pattern is commonly observed in fileless malware attacks where threat actors store encoded payloads (shellcode, scripts, or commands) in the registry to evade detection and maintain persistence.
The rule specifically monitors PowerShell, reg.exe, script engines, and other commonly abused Windows binaries that adversaries leverage for registry manipulation.
13.08.2025
Windows MFA Tool Uninstallation via WMI
Detects the uninstallation of the Windows Multi-Factor Authentication (MFA) tool such as Duo Authentication for Windows Logon through Windows Management Instrumentation (WMI).
These MFA tools are used to enhance security by requiring additional verification during the login process. Thus, threat actors may attempt to uninstall these tools to bypass mfa.
01.08.2025
Windows Recovery Environment Disabled Via Reagentc
Detects attempts to disable windows recovery environment using Reagentc.
ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
31.07.2025
Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
30.07.2025
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll.
JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
and others in order to load malicious payloads in context of legitimate Java processes.
25.07.2025
SharePoint CVE-2025-53770 ToolShell Exploitation Commandline
Detects potential SharePoint exploitation (CVE-2025-53770) using ToolShell.
This rule looks for suspicious command lines that may indicate the use of ToolShell
to exploit SharePoint vulnerabilities. The detection is based on known patterns
of exploitation, such as the presence of specific paths and commands related to
SharePoint installations.
24.07.2025
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
24.07.2025
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
22.07.2025
Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
21.07.2025
Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
Detects the creation of file such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
21.07.2025
SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
21.07.2025
Suspicious PowerShell Spawning CMD with Whoami
Detects PowerShell spawning cmd.exe which then executes whoami.exe, a pattern commonly observed in Meterpreter PowerShell shells.
This behavior is often indicative of a post-exploitation phase where adversaries attempt to gather system information or escalate privileges.
15.07.2025
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
14.07.2025
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
11.07.2025
Windows Defender Threat Severity Default Action Modified
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
11.07.2025
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
An attacker might use this technique via the command line to bypass defenses before executing payloads.
11.07.2025
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
09.07.2025
Failed Logon from Known Bad Hostname
Detects failed RDP logon attempts or accessing of a network share from a system using a known bad hostname. This hostname is probably part of a golden image attackers use for their attacks.
09.07.2025
Windows Defender Context Menu Removed
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
09.07.2025
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
09.07.2025
Logon from Known Bad Hostname
Detects a successful RDP logon or accessing of a network share from a system using a known bad hostname. This hostname is probably part of a golden image attackers use for their attacks.
09.07.2025
FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
05.07.2025
HackTool - Doppelanger LSASS Dumper Execution
Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
01.07.2025
HackTool - HollowReaper Execution
Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
01.07.2025
FileFix - Suspicious Child Process from Browser File Upload Abuse
Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
26.06.2025
Potential Notepad++ CVE-2025-49144 Exploitation
Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
26.06.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
2704
20324
Sigma
3422
808
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1280
windows / registry_set
203
windows / file_event
199
windows / ps_script
165
windows / security
158
linux / process_creation
120
windows / image_load
111
webserver
82
windows / system
73
macos / process_creation
67
linux / auditd
53
windows / network_connection
52
proxy
52
aws / cloudtrail
46
azure / activitylogs
43
windows / registry_event
39
azure / auditlogs
38
windows / ps_module
33
windows / application
30
windows / dns_query
25
azure / signinlogs
24
windows / process_access
23
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
linux
17
rpc_firewall / application
17
gcp / gcp.audit
16
windows / windefend
16
bitbucket / audit
14
windows / file_delete
13
github / audit
13
m365 / threat_management
13
windows / create_remote_thread
12
cisco / aaa
12
windows / codeintegrity-operational
10
kubernetes / application / audit
10
windows / driver_load
10
windows / registry_add
9
linux / file_event
9
windows / ps_classic_start
9
windows / create_stream_hash
9
dns
9
windows / registry_delete
8
windows / firewall-as
8
windows / msexchange-management
8
windows / file_access
7
windows / bits-client
7
gcp / google_workspace.admin
7
zeek / smb_files
7
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
windows / dns-client
6
zeek / dns
5
zeek / http
5
linux / network_connection
5
jvm / application
5
kubernetes / audit
5
zeek / dce_rpc
4
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
linux / sshd
3
m365 / audit
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / file_change
2
spring / application
2
firewall
2
windows / security-mitigations
2
linux / syslog
2
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
windows / applocker
1
windows / openssh
1
windows / process_tampering
1
paloalto / file_event / globalprotect
1
cisco / duo
1
linux / guacamole
1
juniper / bgp
1
windows / appxpackaging-om
1
python / application
1
paloalto / appliance / globalprotect
1
windows / shell-core
1
windows / raw_access_thread
1
windows / capi2
1
windows / microsoft-servicebus-client
1
linux / sudo
1
windows / certificateservicesclient-lifecycle-system
1
windows / file_executable_detected
1
velocity / application
1
zeek / x509
1
ruby_on_rails / application
1
m365 / exchange
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
sql / application
1
linux / vsftpd
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_status
1
m365 / threat_detection
1
zeek / rdp
1
windows / sysmon_error
1
database
1
zeek / kerberos
1
windows / driver-framework
1
windows
1
windows / dns-server-analytic
1
windows / printservice-operational
1
nginx
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
netflow
1
cisco / ldp
1
windows / ldap
1
fortios / sslvpnd
1
linux / auth
1
cisco / bgp
1
windows / appmodel-runtime
1
django / application
1
cisco / syslog
1
linux / cron
1
nodejs / application
1
windows / smbclient-connectivity
1
linux / clamav
1
huawei / bgp
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
381
windows / registry_set
76
windows / ps_script
74
windows / image_load
43
windows / file_event
38
linux / process_creation
33
windows / wmi
29
windows / security
22
proxy
12
windows / system
9
windows / registry_event
8
windows / network_connection
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / create_remote_thread
4
windows / registry_delete
4
windows / pipe_created
4
windows / sense
4
windows / taskscheduler
4
windows / application-experience
3
windows / hyper-v-worker
3
windows / driver_load
3
windows / ps_classic_script
3
webserver
3
windows / vhd
3
windows / bits-client
2
windows / windefend
2
windows / codeintegrity-operational
2
windows / kernel-shimengine
2
windows / process_access
2
windows / file_delete
1
windows / amsi
1
windows / file_access
1
windows / registry-setinformation
1
linux / file_event
1
windows / firewall-as
1
windows / dns_query
1
windows / audit-cve
1
windows / file_rename
1
macos / process_creation
1
windows / application
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR