currently serving 21595 YARA rules and 3875 Sigma rules
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule | Description | Date
HKTL_PY_ADCSync_Oct24 | Detects ADCSync, a hacktool that uses ADCS-ESC1 to perform a makeshift DCSync and dump hashes | 28.10.2024
HKTL_Go_Nifo_Oct24 | Detects nifo - a tool that removes AVs / EDRs with physical access - files nifo-arm64.exe, nifo-x64.exe | 27.10.2024
MAL_VBS_PUFFPASTRY_Backdoor_Oct24 | Detects characteristics found in PUFFPASTRY samples mentioned in the "A LNK Between Browsers" report by Mandiant | 27.10.2024
SUSP_VBS_Characteristics_Oct24_1 | Detects samples with similarity to PUFFPASTRY samples mentioned in the "A LNK Between Browsers" report by Mandiant | 27.10.2024
SUSP_VBS_Loader_Oct24_1 | Detects characteristics found in malicious VBS code (probably a common loader) | 27.10.2024
SUSP_RDP_File_Indicators_Oct24_1 | Detects characteristics found in malicious RDP files used as email attachments in spear phishing campaigns | 25.10.2024
SUSP_RDP_File_Indicators_Email_Attachment_Oct24_1 | Detects characteristics found in malicious RDP files used as email attachments in spear phishing campaigns (this rule detects the base64 encoded attachment) | 25.10.2024
HKTL_Pwnlook_Oct24_1 | Detects pwnlook - an offensive post-exploitation tool that gives complete control over the Outlook desktop application and therefore over the emails configured in it | 22.10.2024
HKTL_RequestAADRefreshToken_Oct24 | Detects RequestAADRefreshToken, a hacktool that obtains a refresh token for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account). An attacker can then use the token to authenticate to Azure AD as that user. | 21.10.2024
HKTL_PS1_Misconfiguration_Manager_Oct24 | Detects Misconfiguration-Manager, an enumeration tool for Microsoft Configuration Manager aka SCCM | 21.10.2024
HKTL_PY_WindowsDowndate_Oct24 | Detects WindowsDowndate, a Python tool that takes over Windows Updates to craft custom downgrades and expose previously fixed vulnerabilities | 21.10.2024
HKTL_GPOZaurr_Oct24 | Detects GPOZaurr, a PowerShell module that gathers information about Group Policies and can also fix issues found in them | 21.10.2024
SUSP_PY_Obfuscated_Anubis_Oct24 | Detects Python scripts obfuscated with Anubis, a Python script that obfuscates and protects code through anti-debuggers, junk code and custom encryption | 21.10.2024
HKTL_ROADtoken_Oct24 | Detects ROADtoken, a tool that uses the BrowserCore.exe binary to obtain a cookie that can be used with SSO and Azure AD | 21.10.2024
MAL_Backdoor_Oct24 | Detects a backdoor related to the Russian-speaking group tracked as 'UAT-5647' by Cisco Talos | 18.10.2024
SUSP_VBS_Execute_Oct24 | Detects VBScript that executes a base64 encoded command via PowerShell | 15.10.2024
MAL_CobaltStrike_Beacon_Loader_Oct24 | Detects a Cobalt Strike beacon loader | 15.10.2024
MAL_PasswordFilter_Oct24 | Detects a password filter DLL that captures and harvests every password on a compromised machine, including the new values set after a password change | 15.10.2024
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule | Average AV Detection Rate | Sample Count
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule | AVs | SHA256
SUSP_Defense_Evasion_Known_System_UUID_Jun23 | 7 | bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
SUSP_Credential_Stealer_Indicators_Jul23_2 | 7 | bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
SUSP_ELF_LNX_UPX_Compressed_File_Dec18 | 1 | 48a44cd4ca3e28fc4035049d9d84b924ff182792ab98be242e8750e4daf8eb28
SUSP_PS1_InvokeExpression_Casing_Anomaly | 7 | bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 4 | b7b2b265da83729408a226eec4786153285d640de99f3469d586b3918cd88a7f
SUSP_LNX_ReverseShell_Indicator_Jun22 | 14 | 3678d9930a5d80724af67d6084fa6d1cc67d5c888170e35ece5626decf3009cd
HKTL_CobaltStrike_BOF_Indicators_Feb21_1 | 12 | 282cf2afa89a841b20c9988501cdbbbcad3716ba3619737f78d00ec6aff90d56
SUSP_LNX_ReverseShell_Indicator_Jun22 | 13 | 524186c5beb855b7765bba5ff7b15c2b0767864d5e4d50636925e7fc9294469f
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag | Count
Malware | 6417
Threat Hunting (not subscribable, only in THOR scanner) | 5159
APT | 4890
Hacktools | 4572
Webshells | 2338
Exploits | 636
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule | Description | Date
Hacktool Nifo Usage | Detects Nifo - a tool that disables Windows AV/EDR software by corrupting their files offline via physical access | 27.10.2024
Domain Obfuscation | Detects domain obfuscation used by a threat actor to hide the actual C2 in use | 20.10.2024
MSC File Execution From Potential Suspicious Location | Detects execution of Microsoft Management Console (MMC) files from potentially suspicious locations | 20.10.2024
Curl Variable Execution | Detects curl execution with a variable passed as the domain to fetch data from, which a threat actor could use to hide the actual malicious domain | 20.10.2024
Potential Conti Ransomware Activity | Detects a specific command line pattern based on flags used by the Conti ransomware | 07.10.2024
Wazuh Agent Remote Execution | Detects enabling of remote commands in the Wazuh agent. Setting this value to 1 allows the agent to accept and execute remote commands from the Wazuh manager or other controlling systems. This can be legitimate remote administration, but it also opens the door to misuse if the Wazuh manager or server the agent connects to is malicious or compromised, as it grants significant control over the agent. | 07.10.2024
ETW Logging/Processing Option Disabled On IIS Server | Detects changes to the IIS server configuration that disable/remove the ETW logging/processing option | 06.10.2024
HTTP Logging Disabled On IIS Server | Detects changes to the IIS server configuration that disable HTTP logging for successful requests | 06.10.2024
New Module Module Added To IIS Server | Detects the addition of a new module to an IIS server | 06.10.2024
Previously Installed IIS Module Was Removed | Detects the removal of a previously installed IIS module | 06.10.2024
Possible Windows Defender Exclusion Discovery | Detects a suspicious MpCmdRun.exe process command line that looks as if someone is trying to find Windows Defender exclusions | 06.10.2024
Toneshell Registry Activity | Detects the 'Demeter' registry key that the 'Toneshell' malware uses to store a randomly generated victim identifier | 05.10.2024
Renamed Python.exe Execution | Detects the execution of python.exe that has been renamed to avoid detection | 01.10.2024
Detection of Renamed ADExplorer.exe | Detects instances of ADExplorer.exe that have been renamed, indicating potential malicious activity | 30.09.2024
Detection of Renamed PuTTY.exe | Detects instances of the PuTTY.exe client that have been renamed, indicating potential malicious use of a legitimate remote access tool | 30.09.2024
Detection of Renamed WinRAR | Detects instances of WinRAR that have been renamed to fsutil.exe, indicating potential malicious packing of files | 30.09.2024
Registry Modifications to Disable Windows Security Center Features | Detects modifications to the Windows Registry intended to disable various Security Center features. Such changes can indicate an attempt by malicious actors to evade security measures, suppress important security notifications, or establish persistence by disabling critical security functionality. | 29.09.2024
Renamed RCLONE.EXE Execution | Detects the execution of a renamed "RCLONE.exe" binary based on the PE metadata fields | 27.09.2024
Renamed SharpHound.EXE Execution | Detects the execution of a renamed "SharpHound.exe" binary based on the PE metadata fields | 25.09.2024
Potential StarRailBase.dll Sideloading | Detects potential DLL sideloading of "StarRailBase.dll", which is part of the Honkai game | 23.09.2024
Remote Access Tool - MeshAgent Command Execution via MeshCentral | Detects the use of MeshAgent to execute commands on the target host, particularly where threat actors abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure activity and win-dispatcher to run malicious code through IPC with child processes. | 22.09.2024
Potential Lumma Stealer PowerShell Pattern | Detects the process command line pattern of the Lumma Stealer malware family | 21.09.2024
Splinter Traffic Activity | Detects Splinter pentest tool GET requests used to retrieve data from the C2 | 20.09.2024
Java JAR Execution From Potentially Suspicious Location | Detects execution of a Java application packaged as a JAR from suspicious locations | 20.09.2024
Java JAR Execution With Uncommon JAR Extension | Detects execution of a Java application packaged as a JAR whose file does not carry a common extension | 20.09.2024
Suspicious Granting of Full Control to Everyone via Security Descriptor | Detects the usage of commands that modify security descriptors to grant full control (KA) permissions to the Everyone (WD) group. The presence of "D:(A;;KA;;;WD)" in a command line is unusual and may indicate an attempt to weaken security by allowing all users unrestricted access to critical system objects, potentially leading to privilege escalation or unauthorized system modifications. | 19.09.2024
Suspicious Modification of Service Control Manager Permissions Via Sc.EXE | Detects changes to the Service Control Manager (SCManager) security descriptor that grant excessive permissions (e.g., to the Everyone group) to control system services. This behavior can indicate an attempt at local privilege escalation by allowing unauthorized users to manipulate critical services. | 19.09.2024
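Two of the process_creation detection ideas in the table above, the renamed-binary rules (PE OriginalFileName disagreeing with the on-disk image name) and the "full control to Everyone" security-descriptor rules, reimplemented as plain Python over constructed Sysmon-style events. This is an added example, not the Sigma rules themselves and not Nextron's code; the field names (Image, OriginalFileName, CommandLine) follow Sysmon Event ID 1, the watchlist of binaries and the set of "too broad" SIDs are my own choices, and the sample events are made up.

```python
"""Renamed-binary and broad-SDDL checks over constructed Sysmon-style events.
Added example; not the Sigma rules' own logic."""
import ntpath
import re

# Binaries whose PE OriginalFileName should match the on-disk file name; a
# mismatch is the "Renamed X Execution" pattern used by several rules above.
# Assumption: this watchlist is illustrative, not the rules' exact lists.
RENAMED_WATCHLIST = {"rclone.exe", "sharphound.exe", "putty.exe",
                     "python.exe", "adexplorer.exe"}

# SDDL two-letter rights tokens that amount to full control, and well-known
# SID abbreviations that are too broad to hold them (assumed set).
FULL_CONTROL_RIGHTS = {"GA", "KA", "FA"}     # generic all, key all, file all
BROAD_SIDS = {"WD", "AU", "BU", "IU", "AN"}  # Everyone, Authenticated Users,
                                             # Users, Interactive, Anonymous

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")


def renamed_binary(event: dict) -> bool:
    """True when a watched binary runs under a different file name."""
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return original in RENAMED_WATCHLIST and on_disk != original


def dacl_aces(text: str) -> list[tuple[str, set[str], str]]:
    """Extract (ace_type, rights_tokens, sid) from the first D: section found
    in text. Only two-letter rights tokens are handled; hex masks such as
    0x1F01FF are not expanded and therefore never match."""
    m = DACL_RE.search(text)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess
        rights = fields[2]
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((fields[0], tokens, fields[5]))
    return aces


def broad_full_control(event: dict) -> bool:
    """True when the command line carries an allow ACE giving a broad SID
    full control, e.g. the D:(A;;KA;;;WD) string quoted in the rule above."""
    for ace_type, rights, sid in dacl_aces(event.get("CommandLine", "")):
        if ace_type == "A" and sid in BROAD_SIDS and rights & FULL_CONTROL_RIGHTS:
            return True
    return False


RULES = {
    "Renamed watched binary (OriginalFileName mismatch)": renamed_binary,
    "Full control granted to broad SID via SDDL": broad_full_control,
}


def evaluate(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires."""
    return [(i, title) for i, ev in enumerate(events)
            for title, check in RULES.items() if check(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost.exe copy C:\finance remote:exfil"},
    {"Image": r"C:\Program Files\rclone\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync C:\backup remote:backup"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe sdset scmanager D:(A;;KA;;;WD)"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;KA;;;BA)"},
]

if __name__ == "__main__":
    for idx, title in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Only the first and third sample events fire: the second is rclone running under its own name, and the fourth grants full control to BUILTIN\Administrators (BA) while Authenticated Users only get enumerate/query rights. Real rules also key on ProcessName or Description metadata and on the specific `sc.exe sdset` invocation; this example keeps to the two decisions the descriptions above spell out.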
YARA/SIGMA Rule Count
Rule Type | Community Feed | Nextron Private Feed
Yara | 3196 | 18399
Sigma | 3340 | 535
Sigma Rules Per Category (Community)
Type | Count
windows / process_creation | 1246
windows / registry_set | 200
windows / file_event | 189
windows / ps_script | 166
windows / security | 157
linux / process_creation | 120
windows / image_load | 105
webserver | 78
windows / system | 72
macos / process_creation | 65
windows / network_connection | 52
proxy | 52
linux / auditd | 48
azure / activitylogs | 43
aws / cloudtrail | 42
windows / registry_event | 38
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 28
azure / signinlogs | 24
okta / okta | 22
windows / process_access | 22
windows / dns_query | 21
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 13
windows / file_delete | 13
github / audit | 13
cisco / aaa | 12
windows / codeintegrity-operational | 10
windows / ps_classic_start | 10
kubernetes / application / audit | 10
windows / driver_load | 10
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / firewall-as | 8
windows / msexchange-management | 8
dns | 8
zeek / smb_files | 7
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
windows / registry_delete | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
windows / dns-client | 6
windows / file_access | 6
linux / network_connection | 5
jvm / application | 5
kubernetes / audit | 5
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
zeek / dns | 4
zeek / http | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
m365 / audit | 2
linux / syslog | 2
windows / security-mitigations | 2
windows / dns-server | 2
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
firewall | 2
windows / file_change | 2
spring / application | 2
velocity / application | 1
windows / capi2 | 1
windows / file_executable_detected | 1
ruby_on_rails / application | 1
m365 / exchange | 1
linux / sudo | 1
zeek / x509 | 1
windows / microsoft-servicebus-client | 1
windows / file_rename | 1
sql / application | 1
windows / smbclient-security | 1
windows / sysmon_status | 1
m365 / threat_detection | 1
linux / vsftpd | 1
zeek / rdp | 1
windows / diagnosis-scripted | 1
zeek / kerberos | 1
windows / sysmon_error | 1
database | 1
windows / terminalservices-localsessionmanager | 1
windows / dns-server-analytic | 1
windows | 1
windows / printservice-admin | 1
nginx | 1
windows / driver-framework | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
netflow | 1
cisco / bgp | 1
windows / lsa-server | 1
windows / wmi | 1
fortios / sslvpnd | 1
linux / auth | 1
cisco / ldp | 1
django / application | 1
cisco / syslog | 1
linux / cron | 1
windows / appmodel-runtime | 1
windows / smbclient-connectivity | 1
linux / guacamole | 1
huawei / bgp | 1
windows / ldap | 1
windows / process_tampering | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
python / application | 1
paloalto / appliance / globalprotect | 1
cisco / duo | 1
linux / clamav | 1
windows / appxpackaging-om | 1
windows / shell-core | 1
windows / raw_access_thread | 1
windows / certificateservicesclient-lifecycle-system | 1
Sigma Rules Per Category (Nextron Private Feed)
Type | Count
windows / process_creation | 230
windows / registry_set | 58
windows / ps_script | 56
windows / wmi | 29
windows / file_event | 23
windows / image_load | 18
proxy | 12
windows / security | 11
linux / process_creation | 11
windows / network_connection | 7
windows / system | 7
windows / kernel-event-tracing | 6
windows / registry_event | 6
windows / ps_module | 5
windows / ntfs | 5
windows / sense | 4
windows / pipe_created | 4
windows / create_remote_thread | 4
windows / ps_classic_script | 3
windows / vhd | 3
webserver | 3
windows / registry_delete | 3
windows / application-experience | 3
windows / hyper-v-worker | 3
windows / kernel-shimengine | 2
windows / taskscheduler | 2
windows / driver_load | 2
windows / bits-client | 2
macos / process_creation | 1
windows / windefend | 1
windows / process_access | 1
windows / amsi | 1
windows / application | 1
windows / audit-cve | 1
windows / file_access | 1
windows / registry-setinformation | 1
windows / codeintegrity-operational | 1
windows / dns_query | 1
windows / firewall-as | 1
windows / file_delete | 1
windows / file_rename | 1
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
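Since Nessus takes exactly one .yar file, a feed that ships its rules across several files has to be merged before upload, and two things break a merged file: a rule identifier that appears twice (YARA refuses to compile duplicated identifiers) and an `include` directive pointing at a file that is not part of the upload. The helper below, an added example rather than Nessus or Nextron code, concatenates sources while reporting both problems, and checks a path against the extension list quoted above so you can see up front which target files the plugin will ignore. Assumptions: the uploaded file is compiled as one self-contained YARA source with no include resolution, and the extension list is used exactly as printed on this page (including the short forms such as `.dl` and `.ps1xm`); the sample rule texts are constructed.

```python
"""Prepare a single .yar upload for the Nessus YARA plugin.
Added example; not Nessus or Nextron code."""
import re
from pathlib import PureWindowsPath

# Extension list as printed on the page above, kept verbatim (so ".dll" is
# deliberately NOT matched, because the page lists ".dl").
NESSUS_SCANNABLE_EXTENSIONS = frozenset("""
.application .asp .aspx .bat .chm .class .cmd .com .cp .csh .dl .doc .docx
.drv .exe .gadget .hta .inf .ins .inx .isu .jar .job .jpeg .jpg .js .jse .jsp
.lnk .msc .msi .msp .mst .paf .pdf .php .pif .ppt .pptx .ps1 .ps1xm .ps2
.ps2xm .psc1 .psc2 .reg .rgs .scf .scr .sct .shb .shs .swf .sys .u3p .vb .vbe
.vbs .vbscript .ws .wsf .xls
""".split())

# "rule NAME", optionally prefixed with private/global, at the start of a line.
RULE_HEADER_RE = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)",
    re.MULTILINE)
INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+"[^"]*"', re.MULTILINE)


def rule_names(source: str) -> list[str]:
    """Rule identifiers declared in one YARA source, in file order."""
    return RULE_HEADER_RE.findall(source)


def merge_rule_files(sources: dict[str, str]) -> tuple[str, list[str]]:
    """Concatenate several .yar sources into one upload body.

    Returns (merged_text, problems). Each problem is a duplicate identifier
    or an include directive, either of which would make the single uploaded
    file fail to compile (assumption: no include resolution on upload)."""
    first_seen: dict[str, str] = {}
    problems: list[str] = []
    chunks: list[str] = []
    for filename, text in sources.items():
        for inc in INCLUDE_RE.findall(text):
            problems.append(f"{filename}: include cannot be resolved in a "
                            f"single upload: {inc.strip()}")
        for name in rule_names(text):
            if name in first_seen:
                problems.append(f"duplicate rule '{name}' in {filename} "
                                f"(first seen in {first_seen[name]})")
            else:
                first_seen[name] = filename
        chunks.append(f"// ---- {filename} ----\n{text.strip()}\n")
    return "\n".join(chunks), problems


def would_be_scanned(path: str) -> bool:
    """True if the plugin would scan this file, judged by extension only."""
    return PureWindowsPath(path).suffix.lower() in NESSUS_SCANNABLE_EXTENSIONS


# Constructed sample sources (not rules from the Valhalla feed). The second
# file re-declares HKTL_Example_Tool_A and pulls in a file we do not upload.
SAMPLE_SOURCES = {
    "hacktools.yar": '''
rule HKTL_Example_Tool_A {
    meta:
        description = "constructed sample"
    strings:
        $s1 = "example-tool-a" ascii
    condition:
        $s1
}
''',
    "malware.yar": '''
include "common.yar"
rule MAL_Example_B {
    strings:
        $s1 = "example-mal-b" ascii
    condition:
        $s1
}
private rule HKTL_Example_Tool_A {
    condition:
        false
}
''',
}

if __name__ == "__main__":
    merged, problems = merge_rule_files(SAMPLE_SOURCES)
    print(merged)
    for p in problems:
        print("PROBLEM:", p)
    for f in (r"C:\Users\x\Downloads\setup.exe", r"C:\tools\run.ps1",
              r"C:\data\backup.zip"):
        print(f, "->", "scanned" if would_be_scanned(f) else "skipped")
```

Fix every reported problem before uploading: rename or drop one of the duplicates, and inline whatever the `include` provided. Target locations you define in the scan policy still only yield hits for files whose extensions are on the list, so archives and extensionless droppers are invisible to this plugin regardless of the rules you upload.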