currently serving 22602 YARA rules and 4176 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
PUA_LocalToNet_Tunnel_Tool_Jun25
Detects LocalToNet, a legitimate tunneling tool also abused by attackers
23.06.2025
HKTL_Chrome_App_Bound_Decryption_Jun25
Detects Chrome App-Bound Encryption Decryption, a hacktool to decrypt App-Bound Encrypted (ABE) cookies, passwords & payment methods from Chromium-based browsers (Chrome, Brave, Edge) - all in user mode, no admin rights required.
23.06.2025
MAL_LNX_DDOSAGENT_Jun25
Detects Linux DDoSAgent malware, used to perform flood attacks.
23.06.2025
PUA_PlayitGG_Tunnel_Tool_Jun25
Detects Playit.gg, a legitimate tunneling tool also abused by attackers
23.06.2025
MAL_Lumma_Stealer_Jun25
Detects Lumma stealer
23.06.2025
SUSP_Shellcode_Loader_Jun25
Detects shellcode loader
23.06.2025
MAL_MansoryBot_Jun25
Detects MansoryBot, a Golang botnet
20.06.2025
APT_MAL_AppleScript_Jun25
Detects an AppleScript that executes a remote payload, seen being used by DPRK APT
20.06.2025
APT_MAL_Backdoor_Bash_Script_Jun25
Detects a script that downloads and executes remote payloads, attempts to steal sudo passwords and wipes shell history to evade detection, seen being used by DPRK APT
20.06.2025
APT_MAL_Persistent_Implant_Jun25
Detects a persistent implant, seen being used by DPRK APT
20.06.2025
APT_MAL_Keylogger_Jun25
Detects a keylogger written in Objective-C that has the capability to monitor keystrokes, the clipboard and the screen, seen being used by DPRK APT
20.06.2025
APT_MAL_Loader_Jun25_1
Detects a loader that takes another binary and a password as arguments and will decrypt embedded payloads, seen being used by DPRK APT
20.06.2025
APT_MAL_CryptoBot_Jun25
Detects CryptoBot an infostealer written in Go that is designed to collect cryptocurrency related files from the host, seen being used by DPRK APT
20.06.2025
APT_MAL_VideoSRV_Jun25
Detects VideoSRV reverse shell, seen being used by an Iran-aligned APT group
20.06.2025
APT_MAL_Whisper_Backdoor_Jun25
Detects Whisper backdoor that uses a Microsoft Exchange server to communicate with the attackers by sending email attachments via a compromised webmail account, seen being used by an Iran-aligned APT group
20.06.2025
APT_MAL_Olala_Jun25
Detects P.S. Olala is a 32-bit .NET binary named for its intended function is to execute PowerShell scripts, seen being used by an Iran-aligned APT group
20.06.2025
APT_MAL_Sheep_Tunneler_Jun25
Detects Sheep Tunneler, a custom tunneling application, seen being used by an Iran-aligned APT group
20.06.2025
MAL_WIPER_Unknown_Jun25
Detects unknown disk wiper first spotted in June 2025 and uploaded from Israel
19.06.2025
SUSP_LNX_SH_Disk_Wiper_Script_Jun25
Detects unknown disk wiper script for Linux systems
19.06.2025
SUSP_PY_PYInstaller_Swiper_Jun25
Detects suspicious Python based executable with similarities to a known disk wiper
19.06.2025
MAL_Internet_Shortcut_CVE_2025_33053_Jun25
Detects Internet shortcut that exploits a zero-day vulnerability (CVE-2025-33053)
19.06.2025
SUSP_Internet_Shortcut_CVE_2025_33053_Jun25
Detects Internet shortcut that exploits a zero-day vulnerability (CVE-2025-33053)
19.06.2025
MAL_VBS_ZipDropper_Jun25
Detects a VBS script that unpacks a ZIP file and executes a file inside
19.06.2025
MAL_PY_GolangGhostRAT_C2_Module_Jun25
Detects a module of the Python version of GolangGhost RAT that contains the functionality for handling the commands received from the C2 server.
19.06.2025
MAL_PY_GolangGhostRAT_Compression_Module_Jun25
Detects a module of the Python version of GolangGhost RAT that handles the compression and decompression of files
19.06.2025
MAL_PY_GolangGhostRAT_Stealer_Module_Jun25
Detects a module of the Python version of GolangGhost RAT that contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions
19.06.2025
MAL_PY_GolangGhostRAT_Config_Jun25
Detects config file of the Python version of GolangGhost RAT
19.06.2025
SUSP_PEB_Walking_Jun25
Detects PE files accessing PEB to dynamically resolve API functions
19.06.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_OBF_NET_Reactor_JIT_Encryption_Feb25
1
e8373be645d637c2ca033a17a55f1585f8f4ca2d0b853869f1c83deef90c3df5
EXPL_Office_TemplateInjection_Aug19
6
b1a64942ed04d5861ebe45026e373e407ce0442316f6c5af34582c5405ae3e9a
SUSP_OBFUSC_JS_Encoded_Pattern_Sep23
14
9abe4f9588b8dd96c39b84064a4522fa947939264d2a8c339b3bdb5498de806b
SUSP_OBFUSC_XOR_CobaltStrike_Beacon_Oct23
14
9329295c40eeecb84d199040ad4f6dc412cb9fcb02876289194295ec7c7b7946
SUSP_CobaltStrike_HTTP_Header_Pattern_Dec23_1
14
9329295c40eeecb84d199040ad4f6dc412cb9fcb02876289194295ec7c7b7946
HKTL_CobaltStrike_Beacon_XOR_Strings
14
9329295c40eeecb84d199040ad4f6dc412cb9fcb02876289194295ec7c7b7946
CobaltStrike_C2_Encoded_XOR_Config_Indicator
14
9329295c40eeecb84d199040ad4f6dc412cb9fcb02876289194295ec7c7b7946
SUSP_Base64_UserAgent_Definition_Mar25
9
c819d635a51b75c8e3894d6a43b2e98850f51baaf99fccf5e2c9126bbc0e33b9
SUSP_MSIL_NET_OBF_ConfuserEx_Constants_Jul23
1
27703698aff8eee89063dda6cf2cc053cf354d576cd6bd744d580b7f9ff17c21
SUSP_Javascript_Obfuscation_NonAscii_Apr25
5
bfe03bc066d115e75619589c90799faecd09bcadb9f846d2c6cf97a05ca11554
SUSP_Encoded_PS1_IntPtr_Zero_Jul21_1
7
60ffb8463b3e6202a5206ed611efeaa7adb5dbd13311e00a6a15b33428c31100
SUSP_Encoded_PS1_Invoke_ProcessActions
7
60ffb8463b3e6202a5206ed611efeaa7adb5dbd13311e00a6a15b33428c31100
SUSP_Encoded_GetCurrentThreadId_Ext1_Aug20
7
60ffb8463b3e6202a5206ed611efeaa7adb5dbd13311e00a6a15b33428c31100
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6930
Threat Hunting (not subscribable, only in THOR scanner)
5451
APT
4985
Hacktools
4707
Webshells
2378
Exploits
670
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Potential Exploitation of RCE Vulnerability CVE-2025-33053
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
which involves unauthorized code execution via WebDAV through external control of file names or paths.
The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating
their working directories to point to attacker-controlled WebDAV servers, causing them to execute
malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
through Process.Start() search order manipulation.
13.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe)
accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting
Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers
instead of legitimate system binaries. The vulnerability allows unauthorized code execution through
external control of file names or paths via WebDAV.
13.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
13.06.2025
System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
12.06.2025
Potential AMSI Bypass Attempt Using CDB Debugger
Detects potential AMSI bypass attempts using CDB debugger to manipulate AmsiScanBuffer function.
It's not a common behavior to use CDB debugger with "-cf" flag and "powershell" command line.
10.06.2025
HKTL - SharpSuccessor Privilege Escalation Tool Execution
Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
06.06.2025
MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
04.06.2025
Suspicious PowerShell IEX Invocation with String Concatenation
Detects suspicious PowerShell command patterns using Invoke-Expression (IEX) with string concatenation to potentially obfuscate malicious downloads.
Threat actors may use this technique to execute commands that download and run scripts from remote locations, often obfuscating the command to evade detection.
04.06.2025
RegAsm.EXE Execution Without CommandLine Flags or Files
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
04.06.2025
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
Such DNS activity can indicate potential delivery or command-and-control communication attempts.
02.06.2025
Special File Creation via Mknod Syscall
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
or establish covert channels in Linux systems.
Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
and it can be abused to bypass file system restrictions or create backdoors.
31.05.2025
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
30.05.2025
Suspicious Python Zlib and Base64 One-liner Execution
Detects Python command line execution using zlib decompression and base64 with decode functions, often used for executing obfuscated payloads.
Threat actors may use this technique to execute malicious encoded code in a single line, which can be indicative of attempts to bypass security measures or deliver payloads in a stealthy manner.
28.05.2025
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
(4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
27.05.2025
Obfuscated PowerShell MSI Install via WindowsInstaller COM
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
27.05.2025
Disable ASLR Via Personality Syscall - Linux
Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000),
which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers
exploit development, or to bypass memory protection mechanisms.
A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption
attacks more reliable.
26.05.2025
Usage of Csvde for Active Directory Enumeration
Detects the use of CSVDE utitlity for Active Directory objects discovery purposes.
Csvde is a command-line tool that is built into Windows Server 2008 in the %windir%/system32 folder.
It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed.
Threat actors may use CSVDE to extract information from Active Directory, such as user accounts, groups, and organizational units.
26.05.2025
Msiexec Execution with Caret Obfuscation
Detects the execution of msiexec with caret (^) obfuscation in process creation events.
Adversaries may use caret obfuscation to evade detection by security tools that do not parse command-line arguments correctly.
It has been observed being used in various attacks to potentially bypass security measures or to obfuscate the true nature of the command being executed.
26.05.2025
Potential Abuse of Linux Magic System Request Key
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
23.05.2025
Registry Export of Third-Party Credentials
Detects the use of reg.exe to export registry paths associated with third-party credentials.
Credential stealers have been known to use this technique to extract sensitive information from the registry.
22.05.2025
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
This behavior is often commonly observed in credential stealing malware.
22.05.2025
DNS Query To Katz Stealer Domains
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
22.05.2025
Katz Stealer DLL Loaded
Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
The process that loads these DLLs are very likely to be malicious.
22.05.2025
Katz Stealer Suspicious User-Agent
Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
22.05.2025
DNS Query To Katz Stealer Domains - Network
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
22.05.2025
ESXi Autostart Disabled via Vim-Cmd
Detects attempts to disable automatic startup of Virtual Machines on ESXi hosts using vim-cmd.
22.05.2025
ESXi VM Enumeration Using VIM-CMD
Detects the use of vim-cmd to list all VMs on an ESXi host, which could be part of reconnaissance or preparation for malicious activities.
The command provides information about the VMs, including their names, power states, and other details.
This could be used by adversaries to identify potential targets for further exploitation.
22.05.2025
ESXi Vim-Cmd Enable SSH Service
Detects execution of vim-cmd command to enable SSH service on an ESXi hosts.
SSH service enables adversaries to laterally move to ESXi hosts and use as an alternative command execution interface.
22.05.2025
ESXi Power Off VM via Vim-Cmd
Detects attempts to power off virtual machines using vim-cmd, which is commonly observed during ransomware attacks.
This command can be used to shut down or power off virtual machines on ESXi hosts.
Adversaries may use this technique to disrupt operations, cause data loss, or prepare the environment for further exploitation.
22.05.2025
ESXi Vim-Cmd Remove Snapshots
Detects the use of vim-cmd to remove VM snapshots on ESXi hosts.
Threat actors often remove VM snapshots before ransomware deployment to prevent recovery from recent backups,
ensure maximum damage by eliminating restoration points, and make recovery more time-consuming and costly for victims.
This activity is frequently automated as part of ransomware deployment chains.
22.05.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3218
19384
Sigma
3393
783
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1265
windows / registry_set
202
windows / file_event
196
windows / ps_script
165
windows / security
157
linux / process_creation
119
windows / image_load
109
webserver
81
windows / system
73
macos / process_creation
65
linux / auditd
53
windows / network_connection
52
proxy
52
aws / cloudtrail
46
azure / activitylogs
43
windows / registry_event
38
azure / auditlogs
38
windows / ps_module
33
windows / application
30
azure / signinlogs
24
windows / dns_query
24
windows / process_access
23
okta / okta
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
github / audit
13
m365 / threat_management
13
windows / create_remote_thread
13
windows / file_delete
13
cisco / aaa
12
windows / codeintegrity-operational
10
kubernetes / application / audit
10
windows / driver_load
10
linux / file_event
9
windows / ps_classic_start
9
windows / create_stream_hash
9
dns
9
windows / registry_add
9
windows / firewall-as
8
windows / msexchange-management
8
windows / registry_delete
7
zeek / smb_files
7
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
windows / file_access
7
gcp / google_workspace.admin
7
windows / bits-client
7
windows / dns-client
6
zeek / http
5
linux / network_connection
5
jvm / application
5
kubernetes / audit
5
zeek / dns
4
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
m365 / audit
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
spring / application
2
windows / security-mitigations
2
linux / syslog
2
apache
2
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
qualys
2
firewall
2
windows / file_change
2
linux / sudo
1
zeek / x509
1
windows / capi2
1
windows / microsoft-servicebus-client
1
velocity / application
1
windows / certificateservicesclient-lifecycle-system
1
ruby_on_rails / application
1
m365 / exchange
1
windows / file_executable_detected
1
linux / vsftpd
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
sql / application
1
m365 / threat_detection
1
zeek / rdp
1
windows / sysmon_status
1
database
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
zeek / kerberos
1
windows / dns-server-analytic
1
windows / driver-framework
1
windows
1
windows / printservice-admin
1
nginx
1
windows / printservice-operational
1
netflow
1
cisco / bgp
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
fortios / sslvpnd
1
linux / auth
1
cisco / ldp
1
windows / ldap
1
django / application
1
cisco / syslog
1
linux / guacamole
1
nodejs / application
1
windows / smbclient-connectivity
1
linux / cron
1
huawei / bgp
1
windows / appmodel-runtime
1
paloalto / file_event / globalprotect
1
cisco / duo
1
linux / clamav
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
windows / process_tampering
1
python / application
1
paloalto / appliance / globalprotect
1
windows / appxpackaging-om
1
windows / shell-core
1
windows / raw_access_thread
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
364
windows / registry_set
74
windows / ps_script
72
windows / image_load
41
windows / file_event
38
linux / process_creation
33
windows / wmi
29
windows / security
20
proxy
12
windows / system
9
windows / network_connection
8
windows / registry_event
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / sense
4
windows / pipe_created
4
windows / taskscheduler
4
windows / create_remote_thread
4
windows / registry_delete
4
windows / hyper-v-worker
3
windows / driver_load
3
windows / ps_classic_script
3
webserver
3
windows / vhd
3
windows / application-experience
3
windows / codeintegrity-operational
2
windows / kernel-shimengine
2
windows / process_access
2
windows / windefend
2
windows / bits-client
2
windows / registry-setinformation
1
linux / file_event
1
windows / audit-cve
1
windows / file_delete
1
windows / firewall-as
1
windows / file_access
1
windows / file_rename
1
macos / process_creation
1
windows / amsi
1
windows / application
1
windows / dns_query
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR