currently serving 23543 YARA rules and 4356 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
MAL_JS_DPRK_Backdoor_Jan26
Detects JavaScript backdoor functionality used by threat actor group DPRK
23.01.2026
MAL_JS_DPRK_Second_Stage_Jan26
Detects second-stage JavaScript payload used by threat actor group DPRK
23.01.2026
MAL_Loader_Jan26_1
Detects a loader seen being use to load Winos4.0 (WinosStager) which is a sophisticated remote access framework
22.01.2026
SUSP_Kernel_Module_Jan26
Detects suspicious Linux kernel modules that may exhibit rootkit-like behavior.
21.01.2026
MAL_FALSECUB_Implant_Jan26
Detects FALSECUB backdoor implant used in Operation Nomad Leopard via unique HTTP header and socket-related code patterns
21.01.2026
MAL_Clr_Loader_Jan26
Detects generic loader stub observed to drop various malware like Pulsar, Vidar etc.
20.01.2026
MAL_PYC_Moneta_Stealer_Jan26
Detects Moneta stealer written in Python that targets browser credentials, cryptocurrency wallets, SSH keys, and financial documents
20.01.2026
MAL_CurlBack_RAT_Jan26
Detects CurlBack RAT that utilizes DLL side-loading, registers victims via UUID, and supports file transfer using curl, seen being used by APT36 APT group
20.01.2026
HKTL_GoTokenTheft_Jan26
Detects GoTokenTheft, a token-stealing tool written in Go, used during post-exploitation to run programs and commands on a target machine under different user privileges.
19.01.2026
MAL_Shellcode_Loader_Jan26
Detects a shellcode loader used to execute shellcode in memory, often employed by malware for code injection and evasion
18.01.2026
SUSP_JS_NPM_PM2_PostInstallScript_Jan26
Detects package.json which launches a post install script via Process Manager 2
16.01.2026
SUSP_JS_PostInstallScript_Jan26
Detects post install script which installs NPM package via Process Manager 2
16.01.2026
MAL_NodeCordRAT_Jan26
Detects NodeCordRAT which exfiltrates files, screenshots and runs arbitrary commands
16.01.2026
HKTL_Author_TwoSevenOneT_Indicators_Jan26
Detects tools produced by TwoSevenOneT
16.01.2026
HKTL_EDRStartupHinder_Jan26
Detects the EDRStartupHinder hacktool designed to hinder EDR startup processes by redirecting core DLLs in the System32 folder to alternative locations during Windows startup.
16.01.2026
MAL_EDRStartupHinder_Fake_DLL_Jan26
Detects fake DLL files potentially created by EDRStartupHinder tool - a decoy DLL used to redirect core system DLLs during Windows startup for EDR bypass attempts.
16.01.2026
MAL_Salat_Stealer_Jan26
Detects Salat stealer, a golang based credential stealer targetting corporate credentials.
14.01.2026
PUA_NinjaOne_RMM_Jan26
Detects NinjaOne Remote Monitoring and Management (RMM) tool, which can be misused by threat actors for lateral movement and persistence, Requires additional context verification to distinguish between legitimate administrative use and malicious activity.
14.01.2026
PUA_SuperOps_RMM_Jan26
Detects SuperOps Remote Monitoring and Management (RMM) tool, which can be misused by threat actors for lateral movement and persistence, Requires additional context verification to distinguish between legitimate administrative use and malicious activity.
14.01.2026
PUA_Syncro_RMM_Jan26
Detects Syncro Remote Monitoring and Management (RMM) tool, which can be misused by threat actors for lateral movement and persistence, Requires additional context verification to distinguish between legitimate administrative use and malicious activity.
14.01.2026
MAL_Anubis_Stealer_Jan26
Detects Anubis stealer a credential stealer that targets communication apps and browser credentials.
13.01.2026
MAL_Anubis_Dropper_Jan26
Detects Anubis dropper, a part of the infection chain for Anubis stealer.
13.01.2026
MAL_Anubis_Stealer_Log_Jan26
Detects a log file that records command-and-control activity, including remote download and execution of malicious payloads seen being used by Anubis stealer
13.01.2026
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_EtwEventWrite_Import_Aug21_1
5
cf3f270f484447ba4b131ead035d0bc2d86b656fa150e3fa865962c2dc66de1b
SUSP_EnigmaProtected_PE_Files_Jun22
11
5969025fe81f892784c04c238c5b7045e5c0ed1f39573a796888687c6ec3b6a3
SUSP_PS1_PowerShell_Loader_May21_1
4
d3f6fd2baf5ac8304ec2d7cf99893fc1d68713f0d9376b6fba59fadf3bf758f0
SUSP_PS1_PowerShell_Loader_May21_1
4
6d1c8b94c7a4cbc2a209ca24bcd14fdfff208d004324d8809f1291f3557265ee
SUSP_PS1_PowerShell_Loader_May21_1
4
303dc045a5c2b9d492051b1628c952b4a15efed1b244727f287cb9a4a64c8147
SUSP_MSIL_NET_OBF_ConfuserEx_Constants_Jul23
12
fc62ff28e1b1c3d522cc59d4c9f924acecb70d552299e1afd2688deb71b421e7
SUSP_Wextract_Anomaly_Unsigned_May23
6
a5df885be5813db6d48a46b1e5cdff72ca60787c5be3431141187bb7f5d64a5d
SUSP_Monitoring_Procs_List_Sep22_1
2
491acbcd88f77259c454da35488aff55b2e143dd5cbb58516304d4d0ccef2f3c
SUSP_EtwEventWrite_Import_Aug21_1
2
6fa325ec6af3f995337134b4914ad0c275918dd534836ca7ad856d4ee09117e1
SUSP_PS1_Small_Base64Decode_Jun22_1
8
0a5edd2b8205fad6ee29b1c7a2d35f4e11d8ae54c181930d9241567718e95dea
SUSP_BAT_Loader_Indicators_FromBase64_Sep25
8
0a5edd2b8205fad6ee29b1c7a2d35f4e11d8ae54c181930d9241567718e95dea
SUSP_PS1_Loader_Indicators_Nov21_1
8
0a5edd2b8205fad6ee29b1c7a2d35f4e11d8ae54c181930d9241567718e95dea
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
7404
Threat Hunting (not subscribable, only in THOR scanner)
5755
APT
5043
Hacktools
4802
Webshells
2397
Exploits
713
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
AD User ProfilePath Attribute Modification
Detects changes to the 'ProfilePath' attribute of an Active Directory user account.
Attackers can modify this attribute to point to a roaming profile to establish persistence or lateral movement within a network.
One of the example includes updating the profilepath to network share to sync malicious NTUSER.MAN files for registry persistence.
Since, this event can be generated during legitimate administrative activities, it is recommended to validate the legitimacy of such changes by cross-referencing with change management logs or known administrative actions.
21.01.2026
File Sync to NTUSER.MAN on Roaming Profile Shares
Detects file synchronization events involving 'NTUSER.MAN' files on roaming profile shares.
NTUSER.MAN is a mandatory user profile file that takes priority over NTUSER.DAT when present in a user's profile directory.
Adversaries may abuse this feature for registry persistence by placing a crafted NTUSER.MAN file containing malicious registry keys.
This technique also don't produce registry telemetry as the hive is loaded directly from disk without invoking registry APIs or triggering CmRegisterCallbackEx callbacks.
Mandatory profiles are rare in modern environments outside of kiosk or shared workstation configurations, making their presence suspicious.
Consider excluding specific admin tools or scripts if this is common in your environment.
21.01.2026
Creation of NTUSER.MAN File in User Profile
Detects the creation of an NTUSER.MAN file in a user's profile directory.
NTUSER.MAN is a mandatory user profile file that takes priority over NTUSER.DAT when present in a user's profile directory.
Adversaries may abuse this feature for registry persistence by placing a crafted NTUSER.MAN file containing malicious registry keys.
This technique also don't produce registry telemetry as the hive is loaded directly from disk without invoking registry APIs or triggering CmRegisterCallbackEx callbacks.
Mandatory profiles are rare in modern environments outside of kiosk or shared workstation configurations, making their presence suspicious.
21.01.2026
Usage of NTUSER.MAN in Command Line
Detects the string 'NTUSER.MAN' in a command line, which may indicate attempts to manipulate or utilize mandatory user profile files.
NTUSER.MAN is a mandatory user profile file that takes priority over NTUSER.DAT when present in a user's profile directory.
Adversaries may abuse this feature for registry persistence by placing a crafted NTUSER.MAN file containing malicious registry keys.
This technique also don't produce registry telemetry as the hive is loaded directly from disk without invoking registry APIs or triggering CmRegisterCallbackEx callbacks.
Mandatory profiles are rare in modern environments outside of kiosk or shared workstation configurations, making their presence suspicious.
21.01.2026
NTUSER.MAN Creation From Process In Suspicious Location
Detects the creation of an NTUSER.MAN file from process in suspicious location
20.01.2026
NTUSER.MAN Creation By Uncommon Processes
Detects the creation of an NTUSER.MAN file by Uncommon processes
20.01.2026
Suspicious NTUSER.MAN Creation by Uncommon Process
Detects creation of NTUSER.MAN (mandatory profile hive) by uncommon processes.
20.01.2026
Hacktool - Kernel Driver Utility Execution
Detects execution of the Kernel Driver Utility (KDU) tool.
KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
12.01.2026
Windows Firewall Global Outbound Block Via Netsh.EXE
Detects use of netsh advfirewall to add firewall rules that block all remote IP addresses (0.0.0.0-255.255.255.255), a technique commonly used for defense evasion to isolate a system or suppress network-based security controls.
12.01.2026
Data Exfiltration via Curl to Messaging Platforms
Detects curl commands with POST data targeting messaging platforms such as Discord, Signal, and others which may indicate data exfiltration.
Threat actors have been observed using curl to exfiltrate data to these messaging platforms after compromising systems.
23.12.2025
Suspicious CMD Findstr Command with For Loop and Token Parsing
Detects suspicious command patterns using findstr with for loops and token/delimiter parsing that may indicate data extraction and processing techniques.
Adversaries may use findstr combined with for loops to search, extract, and parse specific content from files or command output, often as part of reconnaissance or data exfiltration activities.
17.12.2025
Linux Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
For other methods, the Image field will show the spawned process directly.
05.12.2025
Windows Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
05.12.2025
Github Self-Hosted Runner Execution
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
29.11.2025
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
27.11.2025
WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll which contains the MiniDumpWriteDump function.
The MiniDumpWriteDump function creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot.
The EDR-Freeze technique abuses WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to suspend EDR/AV processes.
By leveraging MiniDumpWriteDump's thread suspension behavior, edr-freeze allows malicious activity to execute undetected during the suspension period.
27.11.2025
AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
27.11.2025
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
27.11.2025
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.
This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
27.11.2025
Renamed Schtasks Execution
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
27.11.2025
Grixba Malware Reconnaissance Activity
Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations.
This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.
26.11.2025
Suspicious FileFix Execution Pattern
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
24.11.2025
HackTool - WSASS Execution
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
(Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
23.11.2025
Suspicious Filename with Embedded Base64 Commands
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
22.11.2025
Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
22.11.2025
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
22.11.2025
Unsigned .node File Loaded
Detects the loading of unsigned .node files.
Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
.node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
22.11.2025
Windows Default Domain GPO Modification via GPME
Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.
22.11.2025
Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
22.11.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
2711
20832
Sigma
3517
839
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1321
windows / registry_set
214
windows / file_event
203
windows / ps_script
165
windows / security
160
linux / process_creation
129
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
68
aws / cloudtrail
55
proxy
54
windows / network_connection
53
linux / auditd
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
26
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
rpc_firewall / application
17
gcp / gcp.audit
16
windows / windefend
16
github / audit
16
linux
16
bitbucket / audit
14
linux / file_event
13
m365 / threat_management
13
windows / file_delete
13
cisco / aaa
12
windows / create_remote_thread
12
windows / codeintegrity-operational
10
windows / driver_load
10
kubernetes / application / audit
10
windows / ps_classic_start
9
dns
9
windows / create_stream_hash
9
windows / registry_delete
9
windows / firewall-as
8
windows / msexchange-management
8
gcp / google_workspace.admin
7
antivirus
7
fortigate / event
7
windows / appxdeployment-server
7
windows / file_access
7
windows / bits-client
7
azure / pim
7
zeek / smb_files
7
windows / dns-client
6
zeek / dns
5
zeek / http
5
linux / network_connection
5
jvm / application
5
kubernetes / audit
5
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
windows / registry_add
3
linux / sshd
3
m365 / audit
3
macos / file_event
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / security-mitigations
2
windows / dns-server
2
apache
2
spring / application
2
onelogin / onelogin.events
2
firewall
2
windows / file_change
2
linux / syslog
2
zeek / x509
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
nodejs / application
1
paloalto / appliance / globalprotect
1
windows / file_executable_detected
1
windows / diagnosis-scripted
1
python / application
1
zeek / rdp
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_error
1
m365 / exchange
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_status
1
ruby_on_rails / application
1
m365 / threat_detection
1
windows / driver-framework
1
windows
1
sql / application
1
cisco / bgp
1
nginx
1
linux / sudo
1
velocity / application
1
cisco / duo
1
windows / ldap
1
windows / dns-server-analytic
1
cisco / ldp
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
windows / printservice-operational
1
database
1
linux / clamav
1
windows / applocker
1
django / application
1
linux / auth
1
linux / guacamole
1
huawei / bgp
1
windows / appmodel-runtime
1
windows / openssh
1
fortios / sslvpnd
1
linux / cron
1
juniper / bgp
1
windows / appxpackaging-om
1
cisco / syslog
1
windows / smbserver-connectivity
1
windows / process_tampering
1
windows / smbclient-connectivity
1
linux / vsftpd
1
windows / capi2
1
windows / shell-core
1
windows / raw_access_thread
1
paloalto / file_event / globalprotect
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
396
windows / registry_set
78
windows / ps_script
77
windows / image_load
43
windows / file_event
42
linux / process_creation
36
windows / wmi
29
windows / security
24
proxy
12
windows / system
9
windows / registry_event
8
windows / network_connection
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / create_remote_thread
4
windows / registry_delete
4
windows / pipe_created
4
windows / sense
4
windows / taskscheduler
4
windows / driver_load
3
windows / hyper-v-worker
3
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / application-experience
3
windows / bits-client
2
windows / codeintegrity-operational
2
windows / kernel-shimengine
2
windows / process_access
2
windows / windefend
2
windows / process-creation
2
windows / amsi
1
windows / dns_query
1
windows / registry-setinformation
1
windows / firewall-as
1
windows / file_delete
1
linux / file_event
1
windows / file_access
1
windows / file_rename
1
windows / audit-cve
1
macos / process_creation
1
windows / application
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR