Valhalla Logo
currently serving 24287 YARA rules and 4650 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
MAL_APT_Cavern_Agent_Jul26
Detects side-loaded uxtheme.dll seen being used within Cavern Manticore C2 framework
08.07.2026
MAL_APT_Cavern_Communication_Module_Jul26
Detects communication module seen being used within Cavern Manticore C2 framework build with .NET NativeAOT
08.07.2026
MAL_APT_Cavern_File_Manager_Module_Jul26
Detects file manager module seen being used within Cavern Manticore C2 framework
08.07.2026
MAL_APT_Cavern_Active_Directory_Module_Jul26
Detects LDAP active directory module seen being used within Cavern Manticore C2 framework
08.07.2026
MAL_APT_Cavern_Database_Browser_Module_Jul26
Detects SQL database browser module seen being used within Cavern Manticore C2 framework
08.07.2026
MAL_APT_Cavern_Network_Recon_Module_Jul26
Detects network reconnaissance module seen being used within Cavern Manticore C2 framework build with .NET NativeAOT
08.07.2026
MAL_APT_Cavern_Socket_Tunnel_Module_Jul26
Detects socket tunnel module seen being used within Cavern Manticore C2 framework build with .NET NativeAOT
08.07.2026
MAL_Cavern_Manticore_Jul26
Detects characteristics seen being used within Cavern Manticore C2 framework
08.07.2026
SUSP_OBFUSC_JS_Patterns_Jul26
Detects common obfuscation patterns in JavaScript seen being used by Lazarus Group (DPRK)
06.07.2026
SUSP_Manual_Kernel_Module_Base_Mapping_Jul26
Detects manual kernel module base enumeration via PE header byte scanning, observed in kernel exploitation malware that manually walks memory to locate ntoskrnl.exe without relying on standard enumeration API
02.07.2026
MAL_WIN32_CallBack_Detoured_Memory_Jul26
Detects Windows _fnCOPYDATA trampoline suggesting the process has been hooked by a Callback Detouring tool
02.07.2026
HKTL_Win32_CallBack_Detouring_Jul26
Detects Windows Callback Detouring, a tool that abuses Legitimate Kernel-to-User Callback Dispatch for Code Execution
02.07.2026
SUSP_JS_JSONKeeper_Loader_Jul26
Detects JavaScript which downloads and executes payload from JSON Keeper hosting platform
02.07.2026
SUSP_JS_Environment_Checks_Jul26
Detects suspicious environment checks in obfuscated JavaScript
02.07.2026
MAL_JS_NPM_Install_Dropper_Jun26
Detects a JavaScript dropper, disguised inside a npm package, that silently installs and executes a hidden second stage payload and linked to DPRK group
30.06.2026
SUSP_B64_Encoded_NPM_Command_Jun26
Detects base64-encoded npm commands with suspicious arguments
30.06.2026
MAL_Shellcode_Exploitdb_52297_Jun26
Detects a null-free reverse TCP shell shellcode for Linux x86 that connects back and spawns a /bin/sh shell
29.06.2026
MAL_Shellcode_Exploitdb_52298_Jun26
Detects a Windows 11 x64 Reverse TCP Shell
29.06.2026
MAL_Shellcode_Exploitdb_52296_Jun26
Detects a Linux/x86-64 execve(\"/bin/sh\") ShellCode (36 bytes)
29.06.2026
MAL_Shellcode_Exploitdb_52395_Jun26
Detects a Linux/x86-64 execve(\"/bin/sh\",[\"-c\",cmd],NULL) Arbitrary Command Execution ShellCode (63 bytes)
29.06.2026
MAL_MacOS_Gaslight_Rust_Backdoor_Jun26
Detects the Gaslight Rust backdoor for macOS
26.06.2026
SUSP_MacOS_Stealer_Jun26
Detects suspicious path that may indicate a macOS stealer. Further investigation is advised.
26.06.2026
SUSP_LNK_OpenSSH_LOLBIN_Data_Exfiltration_Jun26
Detects LNK files abusing OpenSSH scp.exe as a lolbin to exfiltrate user data.
26.06.2026
MAL_KuinaExtractor_Stealer_Jun26
Detects KuinaExtractor stealer written in Rust used to exfiltrate sensitive data from browsers, cryptocurrency wallets, and other applications
26.06.2026
MAL_SilabRAT_APPB_ChromeABE_Bypass_Jun26
Detects a component of SilabRAT that abuses COM elevation via GoogleChromeElevationService to invoke DecryptData against Chrome, bypassing App-Bound Encryption to recover the cookie decryption key.
25.06.2026
MAL_SilabRAT_Target_HVNC_ProfileHook_Jun26
Detects a component of SilabRAT that hooks low-level file APIs to redirect browser profile access to a cloned copy, enabling HVNC sessions using the victim's browser data without detection.
25.06.2026
MAL_LNK_Embedded_MSCF_File_Jun26
Detects LNK file that has an embedded MSCF file
25.06.2026
SUSP_JS_Embedded_MSCF_File_Jun26
Detects JavaScript file that has an embedded MSCF file
25.06.2026
MAL_CobaltStrike_Loader_Jun26
Detects CobaltStrike loader
25.06.2026
MAL_MacOS_Amos_Stealer_Jun26
Detects Amos stealer malware targeting macOS systems, known for stealing sensitive information and credentials.
24.06.2026

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_AMSI_ETW_Combo_Jun23
7
5f91c53f270e529442f96d85add3720d64e0710346c8e2fabfc35c4f4965e546
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
6
cc53926633920d5259bec0bace1ccbf56c580f2d28ab6126b21239d33219020a
PUA_ConnectWise_ScreenConnect_Mar23
9
9e15aff53aea59e1ab71968788a65312f22484e463fef0d9e0959f5bbe6a10c7
SUSP_B64_Atob_Aug23
6
cc53926633920d5259bec0bace1ccbf56c580f2d28ab6126b21239d33219020a
SUSP_Stealer_Indicators_Oct22_1
1
8a166189ce06895415636c5fc746305f35756b65b0e74ab352ec9b4a1a30a78a
SUSP_PE_NET_Credential_Stealer_Indicators_Sep22_1
1
8a166189ce06895415636c5fc746305f35756b65b0e74ab352ec9b4a1a30a78a
SUSP_B64_Atob_Aug23
5
0f293135faec7b59b3695e85f1d5246a896fd44bbbf4231fb62fc5108dfe2bd2
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
5
0f293135faec7b59b3695e85f1d5246a896fd44bbbf4231fb62fc5108dfe2bd2
SUSP_PS1_Kernel32_User32_Imports_May21_1
10
ab3961db4c929d6fc18c0ab15227013bfd3f7404d8e05c52f4c55d867e93d96b
SUSP_AMSI_Bypass_Indicators_Feb22_1
10
ab3961db4c929d6fc18c0ab15227013bfd3f7404d8e05c52f4c55d867e93d96b
SUSP_Small_ISO_File_Combo_Jul22
10
ab3961db4c929d6fc18c0ab15227013bfd3f7404d8e05c52f4c55d867e93d96b
SUSP_AMSI_Patcher_Keywords_Feb22_1
10
ab3961db4c929d6fc18c0ab15227013bfd3f7404d8e05c52f4c55d867e93d96b
SUSP_MSBuild_XML_Jun21_1
10
ab3961db4c929d6fc18c0ab15227013bfd3f7404d8e05c52f4c55d867e93d96b
SUSP_MSBuild_Base64_Loader_Feb26
10
ab3961db4c929d6fc18c0ab15227013bfd3f7404d8e05c52f4c55d867e93d96b
SUSP_Small_ISO_File_Combo_Jul22
12
a41f2eb4e71047a1bda2b2db5920bc624a80229b5a2040a331f0efa231b99aba
SUSP_Windows_Ref_Small_ISO_Image_Dec24
12
a41f2eb4e71047a1bda2b2db5920bc624a80229b5a2040a331f0efa231b99aba
SUSP_ISO_With_Cloaked_LNK_Jun22
12
a41f2eb4e71047a1bda2b2db5920bc624a80229b5a2040a331f0efa231b99aba
SUSP_ISO_Tiny_DocX_LNK
12
a41f2eb4e71047a1bda2b2db5920bc624a80229b5a2040a331f0efa231b99aba
SUSP_KALI_INDICATOR_Nov25
13
e988d78e86b059ada50116ce0b1b6b9cc753713bf7ca2db38e0a8b5bc42a560f
SUSP_Base64_Encoded_IPAPI_COM
8
a73b7a47fb7a3a0b2a86de9a1b3d8c8d86774e1a6f39b9feec4b69802c8bc808

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
7733
Threat Hunting (not subscribable, only in THOR scanner)
5953
APT
5077
Hacktools
4884
Webshells
2403
Exploits
742

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
VirtualBox Binary Masquerading
Detects execution of binaries using VirtualBox-related filenames which are not the legitimate VirtualBox binaries. This may indicate an attempt to masquerade malicious binaries as VirtualBox components to evade detection.
05.07.2026
VMware Binary Masquerading
Detects execution of binaries using VMware-related filenames but are not the legitimate VMware binaries. This may indicate an attempt to masquerade malicious binaries as VMware components to evade detection.
05.07.2026
SQL Server Query Output to File via OSQL.EXE
Detects SQL Server queries that output results to a file using the OSQL utility. This might indicate potential attempts to save sensitive data for exfiltration or for later analysis during post-exploitation activities. Even though this could be executed in legitimate contexts, this warrants immediate investigation.
05.07.2026
Startup Item Enumeration Via WMIC
Detects enumeration of startup items via WMIC using the Win32_StartupCommand class. Attackers query startup items to discover persistence mechanisms that automatically execute malicious binaries or scripts during system boot or user logon.
01.07.2026
Environment Variable Enumeration Via WMIC
Detects enumeration of environment variables via WMIC using the Win32_Environment class. Attackers query "environment get name,variablevalue" during host reconnaissance to discover paths, usernames, and configuration values useful for lateral movement or payload staging.
01.07.2026
Network Configuration Enumeration Via WMIC NicConfig
Detects enumeration of network interface configuration via WMIC using the "nicconfig" or "nic" aliases. Attackers commonly query NIC configuration during post-exploitation reconnaissance to discover IP addresses, MAC addresses, default gateways, and DNS servers — information used to map the network and pivot to additional targets.
01.07.2026
File or Directory Enumeration Via WMIC
Detects file or directory enumeration via WMIC using the Win32_Directory or CIM_DataFile classes. Attackers use these classes to list directories or files on specific drives (e.g., "C:") during post-exploitation reconnaissance - a technique that bypasses traditional dir /ls command monitoring.
01.07.2026
User Account Password Property Manipulation Via WMIC
Detects manipulation of password-related properties on user accounts via WMIC against the Win32_UserAccount class. This covers direct password changes as well as policy modifications such as disabling password expiry or preventing password changes, all common persistence techniques to maintain access to a backdoor account.
01.07.2026
Suspicious Print Processor Driver Registry Modification
Detects modifications to Windows Print Processor Driver registry values where the configured DLL is not the default winprint.dll. This may indicate abuse of Print Processors for persistence or privilege escalation, as used by malware such as SprySOCKS.
26.06.2026
SOCKS Proxy Tunneling Invocation
Detects processes that invoke SOCKS proxy tunneling via command-line arguments. Threat actors abuse SOCKS-capable tools such as chisel, revsocks, or custom SSH tunnelers to establish covert C2 channels or bypass network controls.
23.06.2026
PowerShell Enumeration of Claude Code Chat History
Detects PowerShell scripts enumerating or reading files within the Claude Code conversation history directory. Claude Code stores conversation history as JSONL files under: %USERPROFILE%\.claude\projects\<hash>\<session>.jsonl Threat actors extract these files and apply regex matching to locate high-value secrets (cloud tokens, private keys, database passwords) before pivoting to infrastructure such as ESXi hosts via harvested SSH credentials.
11.06.2026
PowerShell One-Liner Credential Pattern Search
Detects PowerShell or pwsh one-liners whose command line combines a regex or string-matching primitive with common credential-related keywords. It might indicate an attempt of credential harvesting across local files, including config files, source code, chat history, etc. looking for secrets such as API keys, tokens, passwords, or SSH keys.
11.06.2026
PowerShell One-Liner Targeting Claude Code Chat History
Detects PowerShell one-liners trying to enumerate or read files within the Claude Code conversation history directory. Claude Code stores conversation history as JSONL files under: %USERPROFILE%\.claude\projects\<hash>\<session>.jsonl Threat actors extract these files and apply regex matching to locate high-value secrets (cloud tokens, private keys, database passwords) before pivoting to infrastructure such as ESXi hosts via harvested SSH credentials.
11.06.2026
GitLab Token Access Via GLAB CLI
Detects the GitLab CLI (glab) being used to retrieve stored authentication tokens. Threat actors might access such tokens to gain unauthorized access to GitLab repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment.
08.06.2026
GitHub Token Access Via GH CLI - Linux
Detects the GitHub CLI (gh) being used to retrieve stored authentication tokens. Threat actors might access such tokens to gain unauthorized access to GitHub repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment.
08.06.2026
GitLab Token Access Via GLAB CLI - Linux
Detects the GitLab CLI (glab) being used to retrieve stored authentication tokens. Threat actors might access such tokens to gain unauthorized access to GitLab repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment.
08.06.2026
GitHub Token Access Via GH CLI
Detects the GitHub CLI (gh) being used to retrieve stored authentication tokens. Malicious packages and scripts have been observed using these commands to silently exfiltrate the victim's stored GitHub authentication token.
08.06.2026
Node or Bun Execution from Suspicious Locations - Linux
Detects the execution of build tools such as bun and node from potentially suspicious locations on Linux systems. In the recent trend of npm supply chain attacks, Threat Actors have been observed to execute build tools such as bun and node from locations that are not commonly used for legitimate purposes.
08.06.2026
NPM Package Install Executed From Suspicious Location - Linux
Detects the execution of "npm install" via node on Linux from potentially suspicious directories. It might indicate a malicious package being installed or executed from a non-standard location. Attackers might use npm packages to execute malicious code on the victim's machine, potentially leading to data exfiltration, persistence, or further compromise of the system.
08.06.2026
Node or Bun Execution from Suspicious Locations
Detects the execution of build tools such as bun and node from potentially suspicious locations on Windows systems. In the recent trend of npm supply chain attacks, Threat Actors have been observed to execute build tools such as bun and node from locations that are not commonly used for legitimate purposes.
08.06.2026
NPM Package Install Executed From Suspicious Location
Detects the execution of "npm install" via node.exe from potentially suspicious directories on Windows systems. It might indicate a malicious package being installed or executed from a non-standard location. Attacker might use npm packages to execute malicious code on the victim's machine, potentially leading to data exfiltration, persistence, or further compromise of the system.
08.06.2026
NTLM Hash Leak Via Curl NTLM Authentication
Detects the use of curl with NTLM authentication and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an attacker-controlled server, enabling offline cracking or relay attacks. When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials stored in LSASS — without requiring a plaintext password. This behavior is exclusive to the curl binary shipped by Microsoft (available since Windows 10 / Windows Server 2019), which is built with SSPI support.
04.06.2026
Uninstall SystemComponent Registry Value Modification via CommandLine
Detects modification of the "SystemComponent" registry value in the "Uninstall" key through command line. Attackers modify this value to hide installed applications from "Programs and Features", often as part of persistence or defense evasion techniques.
04.06.2026
Audit Policy Category Discovery via Auditpol.EXE
Detects the use of auditpol.exe to query audit policy to discover which audit categories are enabled on the system. Attackers may use this information to identify potential gaps in security monitoring and adjust their tactics accordingly. Since, this require elevated privileges, unless it is being used by the administrator for legitimate purposes, it can be considered suspicious and warrants immediate attention.
04.06.2026
Hiding of an Installed Application from Application Wizard
Detects the SystemComponent DWORD registry value being set to 1 under an application's Uninstall key, which removes the application from "Programs and Features" and "Add or Remove Programs" visibility. Threat actors use this technique to hide installed applications, from normal administrative review, as part of persistence or defense evasion strategies.
04.06.2026
LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409). This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability, which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service, leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
02.06.2026
System Time Synchronization With Domain Controller via Net.exe
Detects use of net.exe to query and set the local system time from a domain controller. Attackers may use this to reset system time after deliberate manipulation, to align clocks for Kerberos-based attacks, or to cover traces of time-based tampering.
02.06.2026
Network Sweep via CMD For Loop
Detects a subnet sweep executed via a CMD for loop iterating over an IP range using the (1,1,N) step pattern. Attackers use this tool-agnostic pattern for network reconnaissance to identify live hosts or enumerate SMB shares across private subnets.
02.06.2026
AMSI Memory Patching via .NET Reflection - PowerShell
Detects suspicious PowerShell script blocks that attempt to patch AMSI's ScanContent method in memory using the Marshal class. This technique is used by adversaries to bypass AMSI scanning by replacing the ScanContent function under "System.Management.Automation.AmsiUtils" with an empty or attacker-controlled method.
01.06.2026
AMSI Memory Patching via .NET Reflection
Detects runtime method handle patching via the Marshal class targeting AMSI's ScanContent method. Adversaries overwrite method pointers in memory to redirect execution away from monitored code paths, effectively bypassing AMSI scanning by replacing the ScanContent function under "System.Management.Automation.AmsiUtils" with an empty or attacker-controlled method.
01.06.2026

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
1703
22584
Sigma
3591
1059

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1351
windows / registry_set
219
windows / file_event
209
windows / ps_script
166
windows / security
160
linux / process_creation
139
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
69
aws / cloudtrail
55
proxy
54
linux / auditd
53
windows / network_connection
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
32
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
opencanary / application
24
okta / okta
22
azure / riskdetection
19
windows / pipe_created
19
windows / windefend
17
rpc_firewall / application
17
linux
16
gcp / gcp.audit
16
github / audit
15
linux / file_event
15
bitbucket / audit
14
windows / file_delete
13
m365 / threat_management
13
cisco / aaa
13
windows / create_remote_thread
12
dns
10
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / codeintegrity-operational
10
windows / appxdeployment-server
9
windows / create_stream_hash
9
windows / ps_classic_start
9
windows / msexchange-management
8
windows / firewall-as
8
antivirus
7
fortigate / event
7
azure / pim
7
windows / file_access
7
windows / bits-client
7
zeek / smb_files
7
gcp / google_workspace.admin
7
kubernetes / audit
6
windows / dns-client
6
jvm / application
5
zeek / dns
5
linux / network_connection
5
zeek / http
5
windows / iis-configuration
4
zeek / dce_rpc
4
m365 / audit
4
windows / sysmon
4
macos / file_event
4
windows / taskscheduler
4
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
windows / registry_add
3
gcp / google_workspace.login
3
windows / wmi_event
3
onelogin / onelogin.events
2
firewall
2
windows / security-mitigations
2
linux / syslog
2
spring / application
2
windows / dns-server
2
apache
2
linux / sudo
1
cisco / duo
1
cisco / ldp
1
nginx
1
windows / dns-server-analytic
1
cisco / bgp
1
windows / ldap
1
windows / wmi
1
windows / printservice-operational
1
database
1
windows / lsa-server
1
windows / ps_classic_provider_start
1
django / application
1
windows / printservice-admin
1
linux / auth
1
linux / clamav
1
windows / appmodel-runtime
1
fortios / sslvpnd
1
linux / cron
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
cisco / syslog
1
linux / guacamole
1
huawei / bgp
1
windows / appxpackaging-om
1
windows / smbclient-connectivity
1
windows / process_tampering
1
nodejs / application
1
paloalto / file_event / globalprotect
1
windows / capi2
1
windows / smbserver-connectivity
1
windows / file_change
1
paloalto / appliance / globalprotect
1
linux / vsftpd
1
windows / certificateservicesclient-lifecycle-system
1
windows / shell-core
1
windows / raw_access_thread
1
python / application
1
zeek / x509
1
windows / microsoft-servicebus-client
1
windows / diagnosis-scripted
1
windows / file_executable_detected
1
ruby_on_rails / application
1
m365 / exchange
1
zeek / rdp
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_status
1
m365 / threat_detection
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
sql / application
1
windows / driver-framework
1
velocity / application
1
windows
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
525
windows / registry_set
93
windows / ps_script
89
linux / process_creation
59
windows / file_event
49
windows / image_load
47
windows / security
29
windows / wmi
29
proxy
13
windows / system
13
windows / network_connection
9
windows / registry_event
8
windows / kernel-event-tracing
6
windows / dns_query
5
windows / ntfs
5
windows / ps_module
5
windows / sense
4
windows / pipe_created
4
webserver
4
windows / taskscheduler
4
windows / create_remote_thread
4
windows / registry_delete
4
windows / driver_load
3
macos / process_creation
3
dns
3
windows / ps_classic_script
3
windows / vhd
3
windows / application-experience
3
windows / hyper-v-worker
3
windows / file_access
2
linux / file_event
2
windows / file_delete
2
windows / kernel-shimengine
2
linux / Linux kernel module / THOR
2
windows / smbclient-security
2
windows / bits-client
2
windows / windefend
2
windows / process_access
2
windows / codeintegrity-operational
2
windows / firewall-as
1
linux / file_delete
1
windows / registry-setinformation
1
windows / amsi
1
windows / environment variable / THOR
1
windows / file_rename
1
windows / application
1
linux / Unix user / THOR
1
windows / audit-cve
1
windows / posh_ps
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html