currently serving 22207 YARA rules and 4020 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
HKTL_NET_Rubeus_Mar25
Detects Rubeus post exploitation tool. Rubeus is used for privilege escalation and credential extraction.
25.03.2025
MAL_LSASS_Stealer_Mar25
Detects lsassStealer - a tool to exfiltrate Lsass dumps disguised as NTP requests
24.03.2025
SUSP_NET_Base64_Xor_Implementation_Mar25
Detects .NET applications using XOR-based encryption/decryption for Base64 strings. This is commonly observed in packed malware and may indicate obfuscation or malicious intent, warranting further analysis.
24.03.2025
SUSP_SchTasks_Create_OnLogon_Mar25
Detects suspicious schtasks command line that creates a task on logon with highest privileges
21.03.2025
SUSP_UAC_ByPass_Indicators_Mar25
Detects suspicious UAC bypass indicators
21.03.2025
SUSP_ShellCode_Injection_Indicators_Mar25
Detects suspicious shellcode injection indicators
21.03.2025
SUSP_PY_Malware_Indicators_Mar25
Detects suspicious Python malware indicators. This rule is a generic rule that might generate false positives. A match should be further investigated.
21.03.2025
SUSP_Base64_UserAgent_Definition_Mar25
Detects suspicious base64 encoded user agent definition in small files
21.03.2025
SUSP_PS1_OBFUSC_Patterns_Mar25
Detects suspicious obfuscated PowerShell scripts. This rule is a generic rule that might generate false positives. A match should be further investigated.
21.03.2025
MAL_XML_Injector_Mar25
Detects XML which is used to store FaceXInjector that written in C#
20.03.2025
MAL_APT_MirrorFace_Injector_Mar25
Detects MirrorFace injector, seen being used by MirrorFace APT group
20.03.2025
HKTL_Whisper_EBPF_Credential_Stealer_Mar25
Detects whisper's eBPF module used to dump PAM credentials
20.03.2025
SUSP_PY_Base64_Code_Mar25
Detects suspicious Base64 encoded Python code. This rule is a generic rule that might generate false positives. A match should be further investigated.
20.03.2025
SUSP_SVG_JS_Payload_Mar25
Detects a suspicious SVG file that contains a JavaScript payload. This rule is a generic rule that might generate false positives. A match should be further investigated.
20.03.2025
MAL_ELF_AutoColor_Backdoor_Mar25
Detects AutoColor backdoor which is used for stealth and persistence, using evasive techniques to avoid detection while maintaining remote control over infected machines
19.03.2025
SUSP_Python_OBF_Pyobfuscate_Mar25
Detects Python scripts obfuscated with pyobfuscate sometimes used by threat actors
19.03.2025
SUSP_Github_Repo_Name_Mar25
Detects suspicious GitHub repository names. This rule is a generic rule that might generate false positives. A match should be further investigated.
19.03.2025
SUSP_JAVA_ByteCode_Indicators_Mar25_1
Detects suspicious contents in JAVA classes (previously subset of SUSP_JAVA_ByteCode_Indicators_Feb22_1)
19.03.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
PUA_ConnectWise_ScreenConnect_Mar23
1
5904cbfa4ae5ee70eaf2d297c802665eac99150ae45dbf955090ff00c6757f4a
SUSP_Script_Obfuscation_Char_Concat
13
dc2f1097b4cb7c70bc3e4ff2ce69b5eff323233bdd3bedf957f2b7734b65964d
PUA_ConnectWise_ScreenConnect_Mar23
1
d746b389622966fe710b1aba398d138bc6755fdd94a446b5f9ecb5505b334dca
PUA_ConnectWise_ScreenConnect_Mar23
2
3add5efdf33fdb52bc4d28b45dfeacf33af1cc79e62f4cfa317bd1ded20e60d5
PUA_ConnectWise_ScreenConnect_Mar23
1
892a90ff9dce6edd4f64cc1acb6ee281ec8e1f49654520e4426d3e3133dfebe2
PUA_RuskDesk_Remote_Desktop_Jun23_1
8
cbea582935bc8d14270cced4bcc8918e07fdb8ba165411cfb7f5a1122829a732
PUA_ConnectWise_ScreenConnect_Mar23
1
2362a3beb1776c6b8b040c0bf351833d73e99e5ffaaf243525faee05fb0b7b2a
PUA_ConnectWise_ScreenConnect_Mar23
11
fa8ac72dbb1fefcf9258545a4a06dc83d839f0202f66f311c32bd0d84a28f14d
PUA_ConnectWise_ScreenConnect_Mar23
1
6e82f8b361490231217ce77263f0abdbff42b1bf456bee62a9dc9cbedf27bbe2
SUSP_WEBSHELL_ASPX_DLL_Indicators_Jul22_1
11
2dfd348a7eac7e7b27877a9416bf3e3ee0c085a2f79cd4c6d3fd67a5fe8d5519
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6732
Threat Hunting (not subscribable, only in THOR scanner)
5338
APT
4929
Hacktools
4660
Webshells
2364
Exploits
658
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Potential ArphaDump64.DLL Sideloading
Detects potential DLL sideloading of "arphaDump.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code.
24.03.2025
Windows Defender Disable Attempt via DISM
Detects attempts to disable Windows Defender using Deployment Image Servicing and Management (DISM.exe) utility.
DISM is a legitimate Windows utility, which is used to install, uninstall, configure, and update the features and packages in offline Windows images and offline Windows Preinstallation Environment (WinPE) images.
Adversaries may attempt to disable Windows Defender using DISM to evade detection and prevent their malware from being caught.
This technique is particularly concerning as DISM is a legitimate Windows utility, making the malicious activity harder to distinguish from normal system administration.
18.03.2025
HackTool - SharpNBTScan Execution
Detects execution of SharpNBTScan, a tool used for NetBios Scanning. Adversaries use this tool for hostname and IP address enumeration.
18.03.2025
HackTool - Ladon Penetration Testing Tool Execution
Detects execution of Ladon, a penetration testing tool used for network scanning and exploitation.
Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale network penetration,
including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell.
18.03.2025
PUA - Angry IP Scanner Execution
Detects execution of Angry IP Scanner, a network scanning tool.
Adversaries may use this tool for network discovery, identifying potential targets, and mapping out network infrastructure during the reconnaissance phase of an attack.
18.03.2025
Suspicious Execution From Public Folder
Detects execution of suspicious files (like .bat, .exe, .ps1, etc.) from the Public folder, which may indicate execution of dropped malicious payloads.
This technique is commonly used by ransomware actors, including BlackBasta, to execute their malware from publicly accessible locations.
Legitimate software rarely installs executables in Public folders, making this behavior suspicious.
18.03.2025
PowerShell Enumeration of Security Products via WMI/CIM - Powershell
Detects Powershell commands that query the SecurityCenter2 namespace using Get-WmiObject or Get-CimInstance, potentially for AV/AntiSpyware reconnaissance.
Threat actors often use these powershell commands to enumerate installed security products on a system to identify security solutions present on the system,
plan evasion tactics based on discovered security products, and determine potential weaknesses in the security posture.
This technique is commonly used in the initial reconnaissance phase of an attack.
17.03.2025
Windows Defender Exclusion of C Drive
Detects attempts to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning.
Adversaries may attempt to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning to avoid detection of their malicious activities.
The entire C:\ drive, including all its subdirectories (C:\Windows\, C:\Program Files\, C:\Users\, etc.), will not be scanned. This can be used to hide malware from being detected by Microsoft Defender Antivirus.
13.03.2025
Windows Defender Exclusion of C Drive - PowerShell
Detects attempts to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning.
Adversaries may attempt to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning to avoid detection of their malicious activities.
The entire C:\ drive, including all its subdirectories (C:\Windows\, C:\Program Files\, C:\Users\, etc.), will not be scanned. This can be used to hide malware from being detected by Microsoft Defender Antivirus.
13.03.2025
Cmd Querying For Virtualization Software
Detects commandline querying for virtualization software, which may indicate an attempt to detect virtual environments as part of evasion techniques used by malware.
11.03.2025
Windows Defender Deletion Attempt
Detects attempts to delete Windows Defender related files and folders.
Adversaries may attempt to disable Windows Defender by deleting its files and folders to carry out their further malicious activities without getting caught
11.03.2025
Suspicious Scheduled Task Creation of Legitimate MSC File - Security
Detection the creation of suspicious Windows Scheduled Tasks related to .msc files such as 'CompMgmt' or 'eventvwr'.
These are legitimate Windows files to launch used to launch management tools and configure system settings.
During their execution, they check the registry key `HKCU\Software\Classes\mscfile\shell\open\command`
to determine the location of `mmc.exe`, which is used to open these files such as the `eventvwr.msc` or `CompMgmt.msc`.
If the registry value is modified to point to a malicious binary, that binary will be executed instead of `mmc.exe` as a privileged process, bypassing the UAC prompt.
Adversaries could exploit this by modifying the `HKCU\Software\Classes\mscfile\shell\open\command` registry key to point to a malicious binary,
allowing it to run with elevated privileges without user consent bypassing UAC.
For persistence, they could create a scheduled task to ensure the malicious binary is executed.
Therefore, it is also recommended to verify whether the registry value has been tampered with or not to verify malicious activity.
07.03.2025
Suspicious Scheduled Task Creation of Legitimate MSC File - Process
Detects the creation of suspicious Windows Scheduled Tasks via `schtasks.exe`, related to .msc files such as 'CompMgmt' or 'eventvwr'.
These are legitimate Windows services, but during their execution, they check the registry key
`HKCU\Software\Classes\mscfile\shell\open\command` to determine the location of `mmc.exe`,
which is used to open the `eventvwr.msc` or `CompMgmt.msc`. If the registry value is modified to point to a malicious binary,
that binary will be executed instead of `mmc.exe` as a privileged process, bypassing the UAC prompt.
Adversaries could exploit this by modifying the `HKCU\Software\Classes\mscfile\shell\open\command` registry key to point to a malicious binary,
allowing it to run with elevated privileges without user consent bypassing UAC.
For persistence, they could create a scheduled task of these services to ensure the malicious binary is executed.
Therefore, it is also recommended to verify whether the registry value has been tampered with or not to verify malicious activity.
07.03.2025
UAC Bypass via Mscfile Registry Key Modification
Detects attempts to modify the registry key HKCU\Software\Classes\mscfile\shell\open\command
to point to a malicious binary (e.g., c:\Users\AppData\Local\Temp\Malware.exe) for potential exploitation.
This could be indicative of adversaries attempting to replace mmc.exe with a malicious binary
for privilege escalation without triggering a UAC prompt. Executing any kind of .msc file will
then execute the malicious binary with elevated privileges.
07.03.2025
Hiding Files or Folders in Uncommon Location Using Attrib.exe
Detects the suspicious usage of attrib.exe to hide files or folders in suspicious or uncommon location. Adversaries often drop their malicious files on suspicious locations like public folders, temporary directories, etc.
To avoid being visible to the user, they may use attrib.exe to hide the files.
04.03.2025
Disable UAC via EnableLUA Registry Modification
Detects attempts to disable User Account Control (UAC) by modifying the EnableLUA registry key.
Disabling UAC lowers system security by allowing processes to run with elevated privileges without user consent.
Adversaries may disable UAC to escalate privileges or execute malicious code without triggering security prompts, making detection and containment more difficult.
03.03.2025
Uncommon CDB Child Processes
Detects Uncommon child processes spawned by Microsoft Console Debugger
27.02.2025
Potential Data Exfiltration Via Powershell
Detects powershell commands that potentially performing data exfiltration.
27.02.2025
Potential AV Reconnaissance Via Powershell
Detects Powershell commands that query the SecurityCenter2 namespace using Get-WmiObject or Get-CimInstance, potentially for AV/AntiSpyware reconnaissance.
Threat actors often use these powershell commands to enumerate installed security products on a system to identify security solutions present on the system,
plan evasion tactics based on discovered security products, and determine potential weaknesses in the security posture.
This technique is commonly used in the initial reconnaissance phase of an attack.
27.02.2025
Renamed CDB.exe Execution
Detects the execution of a renamed Microsoft Console Debugger "CDB.exe" binary based on the PE metadata fields
27.02.2025
Suspicious File Creation Inside Masqueraded System32 Path
Detects suspicious file creation event in the System32 directory where an adversary attempts to masquerade the path using a space between "Windows" and "\System32".
This technique may be used for to bypass UAC through hijacking dll load flow abuse, logging mechanisms, or detection rules that rely on exact path matching.
Attackers may leverage this to deploy malware, persistence mechanisms, or execute payloads stealthily.
27.02.2025
Potentially Suspicious Execution of Printui
Detects suspicious execution of printui.exe, running from outside its legitimate path, which is highly unusual.
This may indicate attempt for DLL search order hijacking or side-loading.
27.02.2025
Suspicious Process Loading PowerShell Engine
Detects suspicious processes loading the PowerShell engine, which may indicate the execution of PowerShell commands outside of powershell.exe. Adversaries often abuse this technique for stealthy execution of malicious scripts, defense evasion. Common benign applications rarely load this DLL, making it a useful indicator of suspicious activity.
27.02.2025
Suspicious PowerShell Execution Using Curl And IEX
Detects suspicious execution of PowerShell processes that utilize curl and iex in the command line. This behavior is commonly associated with malicious script execution, remote code retrieval, and execution from external sources.
27.02.2025
Suspicious Standard Tool Injection And Lateral Movement
Detects suspicious activity where payloads are injected into legit windows executables. The injected module facilitate lateral movement, execute commands on remote endpoints, and exfiltrate data. This behavior is associated with the SquidDoor backdoor and could be used by diffrent actors/malwares.
27.02.2025
Potential FMAPP.DLL Sideloading
Detects potential DLL sideloading of "fmApp.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code
26.02.2025
Potential Logexts.DLL Sideloading
Detects potential DLL sideloading of "logexts.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code
26.02.2025
Potential McUtil.DLL Sideloading
Detects potential DLL sideloading of "mcutil.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code
26.02.2025
Potential Sensapi.DLL Sideloading
Detects potential DLL sideloading of "sensapi.dll", a technique where attackers place a malicious DLL alongside a legitimate vulnerable application to evade detection, gain persistence, and execute malicious code
26.02.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3212
18995
Sigma
3361
659
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1254
windows / registry_set
202
windows / file_event
194
windows / ps_script
165
windows / security
156
linux / process_creation
119
windows / image_load
107
webserver
78
windows / system
72
macos / process_creation
65
windows / network_connection
52
proxy
52
linux / auditd
48
aws / cloudtrail
46
azure / activitylogs
43
windows / registry_event
38
azure / auditlogs
38
windows / ps_module
33
windows / application
29
azure / signinlogs
24
okta / okta
22
windows / dns_query
22
windows / process_access
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
cisco / aaa
12
windows / codeintegrity-operational
10
kubernetes / application / audit
10
windows / driver_load
10
linux / file_event
9
windows / ps_classic_start
9
windows / create_stream_hash
9
windows / registry_add
9
windows / firewall-as
8
windows / msexchange-management
8
dns
8
zeek / smb_files
7
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
windows / bits-client
7
gcp / google_workspace.admin
7
windows / registry_delete
7
windows / dns-client
6
windows / file_access
6
linux / network_connection
5
jvm / application
5
kubernetes / audit
5
zeek / http
4
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
zeek / dns
4
m365 / audit
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
apache
2
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
qualys
2
firewall
2
windows / file_change
2
windows / security-mitigations
2
spring / application
2
linux / syslog
2
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
velocity / application
1
zeek / x509
1
windows / file_executable_detected
1
ruby_on_rails / application
1
m365 / exchange
1
linux / vsftpd
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
sql / application
1
linux / sudo
1
zeek / rdp
1
m365 / threat_detection
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_status
1
database
1
zeek / kerberos
1
windows / sysmon_error
1
windows / driver-framework
1
windows
1
windows / dns-server-analytic
1
nginx
1
windows / printservice-operational
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
netflow
1
windows / lsa-server
1
fortios / sslvpnd
1
linux / auth
1
cisco / ldp
1
django / application
1
cisco / syslog
1
linux / cron
1
cisco / bgp
1
huawei / bgp
1
windows / appmodel-runtime
1
windows / ldap
1
windows / smbclient-connectivity
1
linux / guacamole
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
windows / process_tampering
1
nodejs / application
1
paloalto / file_event / globalprotect
1
linux / clamav
1
windows / appxpackaging-om
1
python / application
1
paloalto / appliance / globalprotect
1
cisco / duo
1
windows / shell-core
1
windows / raw_access_thread
1
windows / capi2
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
301
windows / registry_set
67
windows / ps_script
66
windows / image_load
38
windows / wmi
29
windows / file_event
28
windows / security
17
proxy
12
linux / process_creation
11
windows / network_connection
7
windows / system
7
windows / registry_event
7
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / sense
4
windows / pipe_created
4
windows / create_remote_thread
4
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / taskscheduler
3
windows / hyper-v-worker
3
windows / registry_delete
3
windows / application-experience
3
windows / kernel-shimengine
2
windows / process_access
2
windows / bits-client
2
windows / driver_load
2
windows / codeintegrity-operational
1
windows / file_access
1
windows / file_delete
1
windows / dns_query
1
windows / firewall-as
1
windows / file_rename
1
windows / application
1
macos / process_creation
1
windows / amsi
1
windows / windefend
1
windows / audit-cve
1
windows / registry-setinformation
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR