currently serving 22501 YARA rules and 4132 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
APT_RESURGE_Activity_Forensic_Artifacts_Ivanti_Jun25
Detects Resurge malware activity associated with Ivanti Connect Secure vulnerabilities
04.06.2025
MAL_LNX_RESURGE_Jun25
Detects RESURGE backdoor dropper malware associated with Ivanti Connect Secure vulnerabilities
04.06.2025
APT_WEBSHELL_PL_RESURGE_Activity_Ivanti_Jun25
Detects webshell dropped by Resurge malware associated with Ivanti Connect Secure vulnerabilities
04.06.2025
HKTL_CloudFox_Jun25
Detects CloudFox hack tool, which is used for reconnaissance and exploitation in cloud environments.
02.06.2025
MAL_Minecraft_RAT_Jun25
Detects malware named Minecraft RAT that includes credential stealing, data exfiltration and remote control capabilities.
02.06.2025
SUSP_Manticore_Offensive_Lib_Jun25
Detects Go based binaries using the offensive libraries by the Manticore Project
02.06.2025
MAL_LNX_Xored_Wordlist_Jun25
Detects ELF files containing an XOR-obfuscated list of default passwords used in network devices. This is most commonly associated with worms.
02.06.2025
APT_MAL_Sideload_DLL_Jun25
Detects loader that sideload a DLL and open PDF as a decoy as seen being used by APT32
01.06.2025
APT_MAL_Loader_Jun25
Detects a loader that involves function hooking and patching of a DLL in memory, as well as a multi-stage sequence of shellcodes that leads to the execution of the final payload in memory. seen being used by APT32
01.06.2025
SUSP_LNK_Self_Modification_Indicators_May25
Detects LNK files containing a suspicious combination of commands related to self modifying files. These often appear in loaders used for initial infection. A match warrants further analysis.
30.05.2025
SUSP_CSharp_ReflectiveLoader_May25
Detects suspicious C# with reflective memory loading and delegate execution
29.05.2025
APT_MAL_TOUGHPROGRESS_May25
Detects TOUGHPROGRESS that decrypts embedded shellcode using hardcoded 16-byte XOR key stored in the sample's '.pdata' region. The shellcode then decompresses a DLL in memory using COMPRESSION_FORMAT_LZNT1, seen being used by APT41
29.05.2025
APT_MAL_PLUSINJECT_May25
Detects PLUSINJEC, launches and performs process hollowing on a legitimate 'svchost.exe' process, injecting the final payload, seen being used by APT41
29.05.2025
APT_MAL_PLUSDROP_May25
Detects PlusDrop a DLL to decrypt and execute the next stage in memory, seen being used by APT41
29.05.2025
HKTL_NET_SharpSuccessor_May25
Detects SharpSuccessor, a tool that helps exploit a vulnerability in Active Directory. It can be used to escalate privileges by abusing the DMSA (Delegated Managed Service Account) feature.
24.05.2025
SUSP_PS1_OBFUSC_Indicators_May25
Detects common indicators of obfuscation in PowerShell scripts.
22.05.2025
SUSP_LDAP_Extraction_May25
Detects heap dump extraction and LDAP config theft via mysqldump
22.05.2025
HKTL_EXPL_WIN_PS1_BadSuccessor_May25
Detects PowerShell tools related to BadSuccessor, which helps exploit a vulnerability in Active Directory
22.05.2025
MAL_SmokeLoader_May25
Detects SmokeLoader, a malware loader used to deploy additional payloads on infected systems.
21.05.2025
MAL_NET_Katz_Stealer_Loader_May25
Detects .NET based Katz stealer loader
21.05.2025
MAL_NET_UAC_Bypass_May25
Detects .NET based tool abusing legitimate Windows utility cmstp.exe to bypass UAC (User-Admin-Controls)
21.05.2025
SUSP_PS1_Encoded_Loader_Indicators_May25
Detects common indicators of PowerShell loaders in encoded form.
21.05.2025
SUSP_ZIP_Extension_Spoofing_May25
Detects ZIP files containing files with a manipulated filename to spoof their file extensions
21.05.2025
SUSP_Katz_Stealer_Log_May25
Detects log file that contains system reconnaissance data, seen being generated by Katz stealer
20.05.2025
MAL_Transferloader_Execution_Artefact_May25
Detects deletion of Transferloader, when the malware finished executing, it overwrites itself. If this rule matches it means that Transferloader was executed on the machine
20.05.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
HKTL_Meterpreter_PY_Pattern_Dec21_1
9
7d7dfe40b9d156cdf3548e9d20df418964b2c936b18b728a8185976bc1f03f2b
SUSP_LNX_Rev_Shell_Indicator_Jan23_1
2
dbe907da7f6a0843780c4f99db111dcc7745da53a5e00f4a4666f8cc40b218f7
SUSP_LNX_Rev_Shell_Indicator_Jan23_1
2
a91e8333f1765685c01e60475a74804bb4df374a38fe3c91a10e312d40929c59
SUSP_LNX_Rev_Shell_Indicator_Jan23_1
2
a398f8e201ccace988cd0b55aaa9b376145798d1af10363489ae5b225e8ddacb
SUSP_LNX_Rev_Shell_Indicator_Jan23_1
2
a3e9613fe3b3b1c18ab8331447c4360647b195392ade46f24ef67c8320f760d9
SUSP_LNX_Rev_Shell_Indicator_Jan23_1
2
b8785a9c358b3c8ee2524a02e7cf705f2fc7ba186b1c3f142158ceafbc3a0b75
SUSP_LNX_Rev_Shell_Indicator_Jan23_1
2
f7456f1cb44ec9c86a76fae70c2505249d1f75f848fb2ab3d0ffaf09a2ca941b
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6862
Threat Hunting (not subscribable, only in THOR scanner)
5431
APT
4963
Hacktools
4699
Webshells
2375
Exploits
668
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
PUA - Execution of TNIWinAgent for Network Discovery
Detects the execution of TNIWinAgent, a component of SoftInventive Lab's Total Network Inventory Software.
While this tool is legitimate and used for network inventory and asset management, threat actors may abuse
for network discovery or reconnaissance purposes. Monitoring its execution can help identify potential misuse in an environment.
21.05.2025
PUA - Execution of TSDService
Detects the execution of Total Software Deployment (TSD) service, a component of SoftInventive Lab's Total Network Inventory Software.
While this tool is legitimate and used for software deployment and management, threat actors have abused it for unauthorized software installation or system manipulation.
21.05.2025
Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0.
CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass,
which can then be leveraged to trigger CVE-2025-4428 — a remote code execution vulnerability through
template injection. This sequence enables unauthenticated remote code execution, significantly increasing
the impact of exploitation.
20.05.2025
VMware ESXi Process Termination via Pkill
Detects attempts to forcefully terminate VMware ESXi virtual machine processes using pkill command.
It is commonly exploited by adversaries to abruptly stop running Virtual Machine (VM) executable processes.
20.05.2025
ESXi Buffer Cache Modification via ESXCFG-ADVCFG
Detects attempts to modify ESXi buffer cache settings via esxcfg-advcfg.
The esxcfg-advcfg utility is a command-line tool in VMware ESXi that allows administrators to view and modify advanced system settings.
Adversaries may abuse this utility to manipulate buffer cache settings, potentially causing system performance degradation or preparing
for ransomware attacks. The tool can modify critical parameters like BufferCache/MaxCapacity and BufferCache/FlushInterval, which
could be exploited to impact data persistence or system performance.
20.05.2025
Deletion of Terminal History Cache
Detects the deletion of terminal history cache files, which are often targeted by adversaries attempting to erase evidence of their activities.
These cache files typically store information such as Remote Desktop Protocol (RDP) connection history, which can be valuable for forensic investigations.
By deleting these files, attackers aim to cover their tracks and hinder incident response efforts.
This behavior is commonly associated with defense evasion techniques and may indicate malicious activity, especially in environments where such deletions are uncommon.
20.05.2025
Deletion of Terminal Server Client History Registry Entries
Detects the deletion of Terminal Server Client history registry entries.
These histories contain information such as RDP connection history.
Adversaries may delete this history to cover their tracks after conducting malicious RDP activities.
20.05.2025
Windows Defender Disable Attempt Via SystemSettingsAdminFlows
Detects attempts to disable Windows Defender using SystemSettingsAdminFlows.exe, which is a legitimate utility that can be used to access and modify Windows Security settings.
Adversaries may disable Windows Defender to evade detection and bypass security protections. The use of SystemSettingsAdminFlows.exe
to disable Windows Defender features is not a common practice and if observed, it is most likely indicative of malicious activity.
19.05.2025
ESXi Firewall Disabled via ESXCLI
Detects potential malicious activity where attackers use ESXCLI command to disable ESXi host firewall.
Threat Actors may use this technique to remove network security restrictions and facilitate their malicious operations.
19.05.2025
ESXi VIB Force Installation
Detects attempts to install VIBs with force option or with no sig check option, which could indicate malicious VIBs (vSphere Installation Bundles) installation.
VIBs are collections of files used for software distribution and virtual system management in VMware environments.
The --force flag can be used to override the minimum acceptance level requirement for VIB installations, allowing even unsigned or low-level VIBs to be installed.
Threat Actors thus can abuse this flag to create VIB to contain malicious code, such as backdoors or ransomware components.
19.05.2025
ESXi Syslog Directory Change to TMP via ESXCLI
Detects the use of the ESXCLI command to change the syslog logs directory to /tmp in an ESXi environment.
It is likely an attempt to disable logging by redirecting syslog logs to a temporary directory.
19.05.2025
ESXi Coredump File Creation Disabled via ESXCLI
Detects attempts to disable coredump file creation in ESXi systems via ESXCLI, which could indicate defense evasion tactics by adversaries trying to prevent forensic analysis.
Coredump files are crucial for post-incident investigation and system diagnostics, and threat actors uses this technique very often.
19.05.2025
ESXi Firewall Default Action Set To Allow All Traffic via ESXCLI
Detects when the ESXi firewall default action is changed to allow all traffic.
Threat Actors may use this technique to all networks connection through firewall and facilitate their malicious operations.
19.05.2025
ESXi VIB Acceptance Level Changed to CommunitySupported
Detects when the VIB acceptance level is modified to CommunitySupported on ESXi hosts, which can enable installation of untested and unsigned VIB packages.
This could indicate an attempt to install malicious software as VIBs at this level bypass VMware's security controls and are not supported by VMware or its partners.
19.05.2025
Modification of ESXi Welcome Message via ESXCLI
Detects attempts to modify the ESXi welcome message using the ESXCLI command.
Unauthorized changes to the welcome message may indicate malicious activity, such as defacement
or the display of ransomware messages left by threat actors.
19.05.2025
ESXi Coredump File Removal via ESXCLI
Detects the removal of a coredump files in an ESXi system using the esxcli command.
In ESXi systems, coredump files are used for debugging and troubleshooting kernel crashes.
Threat actors may want to remove coredump files to eliminate forensic evidence that could reveal details about their activities or the methods used to compromise the system.
19.05.2025
Windows Defender Service Disabled via Sc.EXE
Detects the usage of sc.exe utility to disable or modify Windows Defender services to demand start.
This behavior is often associated with malicious activities, as attackers may attempt to disable security features to evade detection.
16.05.2025
Windows Defender Service Disabled (Extended) - Registry
Detects registry modifications that attempt to disable Windows Defender service at startup or disable it completely.
This could be indicative of an attacker trying to disable security features to evade detection.
16.05.2025
Windows Defender Service Disabled - System
Detects service configuration modifications of Windows Defender service to disable auto-start or disable it completely.
This could be indicative of an attacker trying to disable security features to evade detection.
16.05.2025
Windows Defender Disabled via MpCmdRun
Detects attempts to disable Windows Defender undocumented parameters of MpCmdRun.exe, which is a command-line utility for Microsoft Defender Antivirus.
The rule looks for the use of parameters that are used to disable the Windows Defender service and real-time protection, respectively.
This behavior is often associated with malicious activities, as attackers may attempt to disable security features to evade detection.
16.05.2025
Usage of Tzutil Utility for System Timezone Discovery
Detects the usage of tzutil.exe, a legitimate Windows utility for managing time zones for system timezone discovery.
Threat Actors may want to know about victim timezone to align attack activities with victim working hours or to
evade certain time-based security controls.
14.05.2025
Crash Dump Created By Operating System
Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
12.05.2025
Linux Webserver Process Spawning Potential Reverse Shell
Detects when a webserver process spawns suspicious child processes that might indicate a reverse shell attempt.
Threat actors often exploit vulnerabilities in web applications or misconfigurations in web servers to execute malicious commands that create reverse shells.
This technique is commonly used for remote access and command execution on compromised systems.
08.05.2025
Web Server Executing Suspicious Commands
Detects web servers spawning processes with suspicious command patterns often associated with reverse shells or command injection.
Threat actors may exploit vulnerabilities in web applications or misconfigurations in web servers to execute malicious commands that create reverse shells.
08.05.2025
Execution of Remotely Hosted MSHTA File via UNC Path
Detects execution of mshta.exe with a remote UNC path in the command line (e.g., \\host\share\file.hta).
This behavior is commonly associated with threat actors delivering HTA-based payloads hosted on remote systems
to gain initial access or for persistence or to perform lateral movement.
07.05.2025
MSHTA Execution via Explorer
Detects MSHTA.exe execution spawned by explorer.exe, which could indicate malicious activity.
MSHTA.exe is a utility that executes Microsoft HTML Applications (HTA) files. While legitimate in the past,
its usage in modern environments is rare and often associated with malicious activities.
Attackers frequently abuse MSHTA.exe to execute malicious scripts and bypass application allowlisting.
It is commonly used to download and execute remote payloads. Nowadays, it has been commonly observed being executed through
LNK files or ClickFix campaigns, making it easier for attackers to deliver and run malicious payloads with minimal user interaction.
07.05.2025
Curl Creating Files in Tmp Directory
Detects curl activity downloading files into temporary directories (/tmp or /var/tmp).
This technique is commonly used by threat actors to download malicious payloads, exploiting the universal write permissions of temporary directories.
06.05.2025
Curl Download to Tmp Directory
Detects suspicious file downloads using curl into the temporary directory (/tmp).
The /tmp directory, being world-writable, is frequently exploited by threat actors for malware staging.
Downloads to this location may indicate initial access attempts or malware payload retrieval.
06.05.2025
IIS New Module Installation via Powershell
Detects the use of PowerShell cmdlet New-WebGlobalModule to install new IIS (Internet Information Services) global modules.
This technique could be used by attackers to install unauthorized modules in IIS, enabling traffic interception or persistence.
Monitoring this cmdlet is important as it represent less common ways to install new IIS module, than a normal way via appcmd.exe.
06.05.2025
IIS HTTP Logging Disabled via PowerShell
Detects attempts to disable HTTP logging in Microsoft Internet Information Services (IIS) using PowerShell commands,
which may indicate adversaries attempting to evade detection by disabling logging mechanisms.
This technique can impair security monitoring and incident response capabilities by eliminating valuable log data.
06.05.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3218
19283
Sigma
3368
764
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1259
windows / registry_set
202
windows / file_event
194
windows / ps_script
165
windows / security
156
linux / process_creation
119
windows / image_load
107
webserver
79
windows / system
73
macos / process_creation
65
windows / network_connection
52
proxy
52
linux / auditd
48
aws / cloudtrail
46
azure / activitylogs
43
windows / registry_event
38
azure / auditlogs
38
windows / ps_module
33
windows / application
29
azure / signinlogs
24
okta / okta
22
windows / process_access
22
windows / dns_query
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
cisco / aaa
12
windows / codeintegrity-operational
10
kubernetes / application / audit
10
windows / driver_load
10
linux / file_event
9
windows / ps_classic_start
9
windows / create_stream_hash
9
windows / registry_add
9
windows / firewall-as
8
windows / msexchange-management
8
dns
8
zeek / smb_files
7
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
gcp / google_workspace.admin
7
windows / bits-client
7
windows / registry_delete
7
windows / dns-client
6
windows / file_access
6
linux / network_connection
5
jvm / application
5
kubernetes / audit
5
zeek / http
4
zeek / dns
4
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
m365 / audit
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
firewall
2
windows / security-mitigations
2
windows / file_change
2
spring / application
2
linux / syslog
2
ruby_on_rails / application
1
windows / certificateservicesclient-lifecycle-system
1
windows / file_executable_detected
1
velocity / application
1
m365 / exchange
1
linux / sudo
1
windows / microsoft-servicebus-client
1
windows / sysmon_status
1
sql / application
1
m365 / threat_detection
1
linux / vsftpd
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
zeek / rdp
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
database
1
zeek / kerberos
1
windows / driver-framework
1
windows
1
windows / dns-server-analytic
1
windows / printservice-admin
1
nginx
1
windows / ps_classic_provider_start
1
windows / printservice-operational
1
netflow
1
cisco / ldp
1
windows / lsa-server
1
windows / wmi
1
fortios / sslvpnd
1
linux / auth
1
cisco / bgp
1
django / application
1
cisco / syslog
1
linux / guacamole
1
windows / appmodel-runtime
1
windows / ldap
1
nodejs / application
1
windows / smbclient-connectivity
1
linux / cron
1
huawei / bgp
1
windows / process_tampering
1
paloalto / file_event / globalprotect
1
linux / clamav
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
python / application
1
paloalto / appliance / globalprotect
1
cisco / duo
1
windows / appxpackaging-om
1
windows / raw_access_thread
1
zeek / x509
1
windows / capi2
1
windows / shell-core
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
354
windows / registry_set
74
windows / ps_script
71
windows / image_load
41
windows / file_event
38
windows / wmi
29
linux / process_creation
25
windows / security
20
proxy
12
windows / system
9
windows / network_connection
8
windows / registry_event
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / pipe_created
4
windows / sense
4
windows / taskscheduler
4
windows / registry_delete
4
windows / create_remote_thread
4
windows / ps_classic_script
3
windows / vhd
3
windows / application-experience
3
webserver
3
windows / hyper-v-worker
3
windows / driver_load
3
windows / kernel-shimengine
2
windows / process_access
2
windows / windefend
2
windows / bits-client
2
windows / codeintegrity-operational
2
windows / file_delete
1
linux / file_event
1
windows / application
1
windows / firewall-as
1
windows / dns_query
1
windows / file_rename
1
windows / audit-cve
1
macos / process_creation
1
windows / amsi
1
windows / file_access
1
windows / registry-setinformation
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR