currently serving 20634 YARA rules and 3650 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
HKTL_DavRelayUp_Apr24
Detects DavRelayUp, a universal no-fix local privilege escalation in domain-joined Windows workstations where LDAP signing is not enforced (the default settings).
22.04.2024
PUA_ROADtools_Apr24
Detects ROADTools, a collection of Azure AD/Entra tools for offensive and defensive security purposes
22.04.2024
HKTL_PS1_Cmloot_Mar24
Detects CMLoot, a hacktool to find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
22.04.2024
HKTL_SharpVeeamDecryptor_Apr24
Detects SharpVeeamDecryptor, a hacktool to decrypt Veeam database passwords
22.04.2024
SUSP_LNX_Base64_Download_Exec_Apr24
Detects suspicious base64 encoded shell commands used for downloading and executing further stages
18.04.2024
SUSP_LNX_Base64_Exec_Apr24
Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
18.04.2024
APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1
Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability
15.04.2024
SUSP_PY_Import_Statement_Apr24_1
Detects suspicious Python import statement and socket usage often found in Python reverse shells
15.04.2024
SUSP_LNX_Shell_Indicators_Apr24_1
Detects suspicious shell commands often found in malicious downloader / persistence scripts for Linux
15.04.2024
SUSP_LNX_Shell_Indicators_Apr24_2
Detects suspicious shell commands often found in malicious downloader / persistence scripts for Linux
15.04.2024
SUSP_LNX_NCat_Indicators_Apr24_2
Detects suspicious Netcat command flag combinations often found in malicious reverse shell / persistence scripts for Linux
15.04.2024
APT_SUSP_MacOS_APT28_XAgent_Apr24_1
Detects similarities with XAgent samples for macOS as used by APT28
15.04.2024
EXPL_PaloAlto_CVE_2024_3400_Apr24_1
Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400
15.04.2024
MAL_PY_Upstyle_Backdoor_Apr24_2
Detects UPSTYLE backdoor written in Python (and used in attacks against Palo Alto devices exploiting CVE-2024-3400)
15.04.2024
MAL_PY_Upstyle_Backdoor_Apr24_1
Detects UPSTYLE backdoor written in Python (and used in attacks against Palo Alto devices exploiting CVE-2024-3400)
15.04.2024
MAL_PY_Upstyle_Backdoor_Apr24_3
Detects UPSTYLE backdoor written in Python (and used in attacks against Palo Alto devices exploiting CVE-2024-3400)
15.04.2024
SUSP_Bash_Downloading_Payload_Apr24
Detects characteristics found in a bash script that downloads and executes a payload in /tmp
15.04.2024
SUSP_PY_Reverse_Shell_Apr24
Detects characteristics found in a one-liner reverse shell written in Python
15.04.2024
HKTL_NativeDump_Apr24_1
Detects NativeDump - a tool that dumps LSASS using only native APIs by hand-crafting Minidump files (without MinidumpWriteDump)
08.04.2024
SUSP_OBFUSC_SH_Indicators_Mar24_1
Detects characteristics found in obfuscated script (used in the backdoored XZ package, but could match on others, too)
06.04.2024
MAL_JS_Downloading_Executing_Payload_Apr24
Detects JavaScript code that downloads and executes the next stage payload
05.04.2024
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
4
0b544a84586092f381245495b19ba50475cdb34eda4d8a27a61f04d36d7f7fad
SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23
2
c2a56610c70edb5ed692d2333d6263805f275db8e5eb584791119127758c8fb9
SUSP_MSIL_NET_OBF_ConfuserEx_Constants_Jul23
1
84be0822da78fb96ac3d592601cba8ebb00b53f76f5c3fe22a12bf101cdee024
SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23
1
773b9b7a670df60964cbc74701b09ca1d2e1f38f3108660c3ab5f58dd2523747
SUSP_PE_Discord_Attachment_Oct21_1
1
1b614bfde2f47adb862781b61846a8ae211e9e2c6858d7bb51d086bca7b7790a
Typical_Malware_String_Transforms
12
623ec9cbc34467d7ab9e87a094ade919d60323a1c494aabef625806285c73ebb
ZxShell_Related_Malware_CN_Group_Jul17_1
12
623ec9cbc34467d7ab9e87a094ade919d60323a1c494aabef625806285c73ebb
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
4
add57703e067b52b266191a9f908719a37a860019e8593d51119ff3957184aed
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6022
Threat Hunting (not subscribable, only in THOR scanner)
4940
APT
4817
Hacktools
4461
Webshells
2308
Exploits
617
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
01.04.2024
Certificate-Based Authentication Enabled
Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
26.03.2024
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
26.03.2024
Kubernetes Events Deleted
Detects when events are deleted in Kubernetes.
An adversary may delete Kubernetes events in an attempt to evade detection.
26.03.2024
Privileged Container Deployed
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
26.03.2024
Deployment Deleted From Kubernetes Cluster
Detects the removal of a deployment from a Kubernetes cluster.
This could indicate disruptive activity aiming to impact business operations.
26.03.2024
Container With A hostPath Mount Created
Detects creation of a container with a hostPath mount.
A hostPath volume mounts a directory or a file from the node to the container.
Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
26.03.2024
Potential Remote Command Execution In Pod Container
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
26.03.2024
Creation Of Pod In System Namespace
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
26.03.2024
RBAC Permission Enumeration Attempt
Detects identities attempting to enumerate their Kubernetes RBAC permissions.
In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
26.03.2024
New Kubernetes Service Account Created
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
26.03.2024
Potential Sidecar Injection Into Running Deployment
Detects attempts to inject a sidecar container into a running deployment.
A sidecar container is an additional container within a pod, that resides alongside the main container.
One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation.
By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
26.03.2024
Potential KamiKakaBot Activity - Lure Document Execution
Detects the execution of a Word document via the WinWord Start Menu shortcut.
This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
22.03.2024
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
22.03.2024
Potential KamiKakaBot Activity - Winlogon Shell Persistence
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
22.03.2024
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.
It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
20.03.2024
MaxMpxCt Registry Value Changed
Detects changes to the "MaxMpxCt" registry value.
MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
19.03.2024
Important ETW Provider Has Been Unregistered
Detects important or critical ETW providers that have been unregistered.
Attackers might unregister a certain provider in order to evade defenses or blind security monitoring tooling.
13.03.2024
Critical ETW Session Stopped
This detection triggers every time an important or critical ETW session is stopped.
Attackers can stop ETW sessions in order to blind security monitoring tooling.
13.03.2024
ETW Session Stopped
This detection triggers every time an ETW session is stopped.
Attackers can stop ETW sessions in order to blind security monitoring tooling.
13.03.2024
UAC Bypass Attempt Via Msdt.EXE
Detects UAC bypass attempt using the Msdt binary and the bluetooth "BluetoothDiagnostic.xml" diagnostic package.
The Msdt binary is capable of auto-elevation and the "BluetoothDiagnostic" diagnostic package doesn't requires admin privileges.
This allows a user to call Msdt (32bit version) with the bluetooth package, which will automatically start an elevated instance of Msdt and call the "sdiagnhost" binary.
This binary will try to load the "BluetoothDiagnosticUtil" DLL, which it will not be able to find. So it defer to loading from any directory in the PATH env variable.
An attacker can hijack one of these location to insert a malicious version of this DLL and get it loaded by "sdiagnhost".
13.03.2024
IExpress.EXE Binary Proxy Execution Through Diamond.EXE
Detects the execution of a binary named "diamond.exe" through "IExpress.EXE"
The IExpress binary in almost all cases will spawn the "makecab" utility in order to create the ".cab" file requested by the users via the ".SED" files. Internally it offers a different mode if the ".SED" file specifies a CompressionMode called "QUANTUM".
In this mode it will look for a binary named "diamond.exe". As this binary has been deprecated and is not available in newer version of Windows. Attackers can use this fact in order to execute any binary named "diamond.exe" located in the same directory of execution as IExpress.
12.03.2024
Makecab.EXE Execution With Directive File
Detects the execution of "makecab.exe" with a directive file.
Attackers can leverage makecab with a directive file in order to create ".cab" file while avoiding any mention of the files being compressed. As the ".DDF" file will contain all the information necessary for the compression.
12.03.2024
Makecab.EXE Execution With An Uncommon Directive File Extension
Detects the execution of "makecab.exe" with a directive file with an uncommon extension.
The typical extension for cab directive is the Diamond Directive File (.DDF).
Not using this extension might be a sign of something uncommon or even suspicious worth investigating.
12.03.2024
HH.EXE Initiated A Network Connection To An Uncommon Destination Port
Detects a network connection initiated by the "hh.exe" process to an uncommon destination port.
This could indicate potential process injection or uncommon communication method.
12.03.2024
Potentially Suspicious COM DLL Loaded By Outlook.EXE
Detects load of DLL located in the Outlook FORMS directory.
This could be an indication of a potential exploitation of CVE-2024-21378 or potential persistence via Outlook FORMS.
12.03.2024
Potential Remote Code Execution Via Outlook Form
Detects the creation of a new file with a ".DLL" extension in the Outlook Forms folder.
This might be an indicator of an attacker using Outlook form persistence or remote code execution as seen in CVE-2024-21378 exploitation.
12.03.2024
Suspicious COM CLSID Registry Value Set By Outlook.EXE
Detects the creation of a COM CLSID pointing to a DLL file residing in the Outlook Forms directory.
This is could potentially indicate the installation of a malicious Outlook Form.
Investigate further action executed during this time frame and look for a DLL being dropped to disk and then that same DLL being loaded by the Outlook process.
12.03.2024
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
2968
17666
Sigma
3204
446
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1206
windows / registry_set
187
windows / file_event
182
windows / ps_script
163
windows / security
153
linux / process_creation
108
windows / image_load
97
webserver
78
windows / system
72
macos / process_creation
56
proxy
51
linux / auditd
49
windows / network_connection
45
azure / activitylogs
43
windows / registry_event
38
aws / cloudtrail
35
azure / auditlogs
35
windows / ps_module
32
windows / application
28
azure / signinlogs
24
windows / process_access
23
okta / okta
22
windows / dns_query
20
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
linux
17
rpc_firewall / application
17
gcp / gcp.audit
16
windows / windefend
16
bitbucket / audit
14
m365 / threat_management
13
windows / file_delete
12
windows / create_remote_thread
12
cisco / aaa
12
github / audit
10
windows / codeintegrity-operational
10
windows / ps_classic_start
10
kubernetes / application / audit
10
windows / driver_load
10
windows / registry_add
9
linux / file_event
9
windows / create_stream_hash
9
windows / msexchange-management
8
dns
8
windows / bits-client
7
gcp / google_workspace.admin
7
zeek / smb_files
7
antivirus
7
windows / firewall-as
7
windows / appxdeployment-server
7
azure / pim
7
windows / registry_delete
6
windows / file_access
6
windows / dns-client
5
jvm / application
5
zeek / dce_rpc
4
zeek / dns
4
windows / sysmon
4
windows / taskscheduler
4
linux / sshd
3
zeek / http
3
windows / wmi_event
3
linux / network_connection
3
windows / powershell-classic
3
windows / ntlm
3
windows / file_change
2
firewall
2
windows / security-mitigations
2
spring / application
2
m365 / audit
2
linux / syslog
2
windows / dns-server
2
macos / file_event
2
apache
2
onelogin / onelogin.events
2
qualys
2
juniper / bgp
1
windows / appmodel-runtime
1
windows / raw_access_thread
1
linux / clamav
1
windows / appxpackaging-om
1
windows / shell-core
1
nodejs / application
1
python / application
1
windows / capi2
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
linux / sudo
1
zeek / x509
1
windows / certificateservicesclient-lifecycle-system
1
windows / smbclient-security
1
windows / file_rename
1
velocity / application
1
windows / diagnosis-scripted
1
windows / terminalservices-localsessionmanager
1
ruby_on_rails / application
1
m365 / exchange
1
linux / vsftpd
1
zeek / rdp
1
windows / sysmon_error
1
sql / application
1
m365 / threat_detection
1
zeek / kerberos
1
windows / sysmon_status
1
windows
1
windows / dns-server-analytic
1
database
1
nginx
1
windows / driver-framework
1
windows / printservice-admin
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-operational
1
cisco / bgp
1
fortios / sslvpnd
1
netflow
1
cisco / ldp
1
windows / ldap
1
cisco / syslog
1
linux / auth
1
windows / smbclient-connectivity
1
linux / cron
1
huawei / bgp
1
windows / applocker
1
windows / openssh
1
windows / process_tampering
1
django / application
1
linux / guacamole
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
179
windows / ps_script
52
windows / registry_set
49
windows / wmi
29
windows / file_event
20
windows / image_load
14
proxy
11
windows / security
10
windows / system
10
windows / kernel-event-tracing
6
windows / network_connection
6
windows / ntfs
5
windows / ps_module
4
windows / registry_event
4
windows / create_remote_thread
4
windows / pipe_created
3
windows / ps_classic_script
3
linux / process_creation
3
windows / registry_delete
3
windows / vhd
3
windows / application-experience
3
windows / hyper-v-worker
3
webserver
3
windows / kernel-shimengine
2
windows / taskscheduler
2
windows / bits-client
2
windows / driver_load
2
windows / file_rename
1
windows / amsi
1
windows / process_access
1
windows / audit-cve
1
macos / process_creation
1
windows / registry-setinformation
1
windows / codeintegrity-operational
1
windows / file_access
1
windows / application
1
windows / file_delete
1
windows / dns_query
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR