currently serving 22678 YARA rules and 4197 Sigma rules

[Chart: New Rules per Day]

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
MAL_Trojan_Loader_Jul25 | Detects a malicious DLL that loads a payload from its resources and disguises itself as a legitimate application (e.g. Sysinternals Autoruns) | 09.07.2025
MAL_Exploitdb_Script_Jul25 | Detects a script template used by ExploitDB to exploit vulnerabilities. | 08.07.2025
SUSP_Macho_String_Obfuscation_Jul25 | Detects Mach-O binaries with obfuscated strings. This may indicate malicious activity; manual analysis needed. | 08.07.2025
SUSP_ConnectWise_Unsigned_Attributes_Jul25 | Detects ConnectWise signed samples which contain suspicious unsigned attributes in the certificate | 04.07.2025
MAL_Adaptix_Post_Exploitation_Jul25 | Detects Adaptix, an extensible post-exploitation and adversarial emulation framework made for penetration testers. | 04.07.2025
HKTL_SockTail_Jul25 | Detects SockTail, a lightweight binary that joins a device to a Tailscale network and exposes a local SOCKS5 proxy. Designed for red team operations and ephemeral access into restricted environments using Tailscale's embedded client (tsnet) | 04.07.2025
SUSP_OBFUSC_JS_Jul25_1 | Detects obfuscated JavaScript code that decrypts embedded payloads | 03.07.2025
SUSP_OBFUSC_JS_Jul25_2 | Detects obfuscated JavaScript code that decrypts embedded payloads | 03.07.2025
SUSP_OBFUSC_JS_Jul25_3 | Detects obfuscated JavaScript code that employs arithmetic operations for obfuscation | 03.07.2025
SUSP_PS1_Downloader_Jul25_1 | Detects a one-line PowerShell downloader | 03.07.2025
SUSP_PS1_Downloader_Jul25_2 | Detects a one-line PowerShell downloader | 03.07.2025
SUSP_JS_Downloader_Jul25 | Detects a JavaScript file that downloads the next stage payload | 03.07.2025
MAL_Injector_Jul25 | Detects an injector seen used to inject Havoc C2 into target processes | 03.07.2025
APT_MAL_ToneShell_Jul25_1 | Detects the ToneShell backdoor as seen being used by MustangPanda APT | 03.07.2025
MAL_PS1_PowerDPAPI_Jul25 | Detects PowerDPAPI, a PowerShell module that decrypts SCCM and DPAPI secrets | 02.07.2025
HKTL_BitLockMove_Jul25 | Detects BitLockMove, a tool for lateral movement via DCOM interfaces and COM hijacking | 02.07.2025
APT_MAL_ToneShell_Jul25_2 | Detects the ToneShell backdoor as seen being used by MustangPanda APT | 02.07.2025
APT_MAL_Keylogger_Jul25 | Detects a keylogger seen being used by MustangPanda APT | 02.07.2025
SUSP_OBFUSC_NET_Junk_Code_Jul25 | Detects .NET based binaries that contain junk code. Junk code is often used by malware to artificially increase the file size or obscure the actual logic. | 01.07.2025
HKTL_MemLoader_Jul25 | Detects the MemLoader hacktool used to execute payloads in memory and bypass ETW and AMSI for .NET payloads. | 01.07.2025
MAL_NET_Generic_Dropper_Jul25 | Detects a generic .NET dropper used by various actors for payload delivery. | 01.07.2025
APT_MAL_ELF_Downloader_Jul25 | Detects a downloader used to execute basic system commands, establish reverse shells, and modify file permissions, likely as part of an initial access or staging phase, seen being used by the Higaisa APT group | 01.07.2025
MAL_Supper_Backdoor_Jul25 | Detects the Supper backdoor, which is used for remote shell execution, SOCKS5 proxying, session multiplexing, fallback C2 updates, and self-deletion via scheduled tasks | 01.07.2025
MAL_DLL_Loader_Jun25 | Detects a reflective loader DLL that ensures persistence and executes sRDI-based shellcode embedding a headerless DLL payload, seen being used by Sainbox RAT | 30.06.2025
MAL_NET_Shellcode_Loader_Jun25 | Detects a .NET based shellcode loader used by various threat actors. | 26.06.2025
MAL_RANSOM_EmzlyLock_Variants_Jun25 | Detects EmzlyLock ransomware and its variants such as MadiLocker | 26.06.2025
APT_MAL_DLL_Downloader_Jun25 | Detects a DLL used during installation to check antivirus status, create a scheduled task that downloads and executes the next-stage payload via PowerShell using the system BuildNumber and AV info, and spawn a decoy PowerShell to display an image, seen being used by the DarkHotel APT group | 26.06.2025
APT_MAL_Shellcode_Runner_Jun25 | Detects a shellcode runner, seen being used by APT28 | 25.06.2025
APT_MAL_Slimagnet_Jun25 | Detects Slimagnet, whose main functional purpose is to take screenshots, seen being used by APT28 | 25.06.2025
APT_MAL_Beardshell_Jun25 | Detects Beardshell, which downloads, decrypts and executes PowerShell scripts, seen being used by APT28 | 25.06.2025

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)


YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a single rule can belong to several categories)

Tag | Count
Malware | 6963
Threat Hunting (not subscribable, only in THOR scanner) | 5479
APT | 4997
Hacktools | 4718
Webshells | 2378
Exploits | 671

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse | Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique. | 05.07.2025
HackTool - Doppelanger LSASS Dumper Execution | Detects the execution of the Doppelanger hacktool, which is used to dump LSASS memory via process cloning while evading common detection methods | 01.07.2025
HackTool - HollowReaper Execution | Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealthy payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries. | 01.07.2025
FileFix - Suspicious Child Process from Browser File Upload Abuse | Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities. | 26.06.2025
Potential Notepad++ CVE-2025-49144 Exploitation | Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path. This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside the legitimate Notepad++ installer. The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++. | 26.06.2025
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing | Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. | 20.06.2025
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation | Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised. | 20.06.2025
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network | Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. | 20.06.2025
Attempts of Kerberos Coercion Via DNS SPN Spoofing | Detects the presence of the "UWhRC....AAYBAAAA" pattern in a command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. If you see this pattern in a command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or to check for the presence of such records through the `nslookup` command. | 20.06.2025
SystemRoot Environment Variable Hijacking | Detects potential environment variable hijacking of the `SystemRoot` or `windir` variables. Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. | 17.06.2025
Potential Service Environment Variable Tampering | Detects modifications to service environment variables in the Windows registry that could indicate an attempt to tamper with system environment variables. This technique is often used for privilege escalation or persistence by modifying the `SystemRoot` or `windir` variables to point to malicious locations. | 17.06.2025
Trusted Path Bypass via Windows Directory Spoofing | Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g. "C:\Windows \System32"), which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high-integrity privileges, bypassing UAC. | 17.06.2025
Suspicious Download and Execute Pattern via Curl/Wget | Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks. | 17.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 | Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053, which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation. | 13.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access | Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053 by looking for process access events in which legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) access suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV. | 13.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load | Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading Windows system DLLs such as gdi32.dll, netapi32.dll, etc. | 13.06.2025
System Information Discovery via Registry Queries | Detects attempts to query system information directly from the Windows Registry. | 12.06.2025
Inverted HTTP Protocol Handler In Command Line | Detects the use of an inverted HTTP protocol handler, which may be used by malware to evade detection when downloading payloads. Threat actors may use inverted protocol handlers to obfuscate their command, trying to bypass security controls that look for specific patterns in command lines. | 11.06.2025
Usage of Inverted HTTP Protocol Handler - PowerShell | Detects the use of an inverted HTTP protocol handler in PowerShell commands or scripts. Threat actors may use inverted protocol handlers in malware loaders/droppers to obfuscate their command while downloading second-stage payloads or other malicious content, trying to bypass security controls that look for specific patterns in command lines. | 11.06.2025
Potential AMSI Bypass Attempt Using CDB Debugger | Detects potential AMSI bypass attempts using the CDB debugger to manipulate the AmsiScanBuffer function. Using the CDB debugger with the "-cf" flag and a "powershell" command line is not common behavior. | 10.06.2025
HKTL - SharpSuccessor Privilege Escalation Tool Execution | Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in Windows Server 2025 Active Directory environments. Successful usage of this tool can let attackers gain domain admin privileges by exploiting the BadSuccessor vulnerability. | 06.06.2025
PowerShell MSI Install via WindowsInstaller COM From Remote Location | Detects the execution of PowerShell commands that attempt to install MSI packages hosted remotely via the Windows Installer COM object (`WindowsInstaller.Installer`). This could be an indication of malicious software deployment or lateral movement attempts using Windows Installer functionality. Using the WindowsInstaller COM object rather than msiexec could be an attempt to bypass detection. | 05.06.2025
MSSQL Destructive Query | Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE". | 04.06.2025
Suspicious PowerShell IEX Invocation with String Concatenation | Detects suspicious PowerShell command patterns using Invoke-Expression (IEX) with string concatenation to potentially obfuscate malicious downloads. Threat actors may use this technique to execute commands that download and run scripts from remote locations, often obfuscating the command to evade detection. | 04.06.2025
RegAsm.EXE Execution Without CommandLine Flags or Files | Detects the execution of "RegAsm.exe" without a command-line flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag. | 04.06.2025
DNS Query To Common Malware Hosting and Shortener Services | Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts. | 02.06.2025
Special File Creation via Mknod Syscall | Detects usage of the `mknod` syscall to create special files (e.g., character or block devices). Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors. | 31.05.2025
System Info Discovery via Sysinfo Syscall | Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target. | 30.05.2025
Suspicious Python Zlib and Base64 One-liner Execution | Detects Python command line execution using zlib decompression and base64 decode functions, often used for executing obfuscated payloads. Threat actors may use this technique to execute malicious encoded code in a single line, which can be indicative of attempts to bypass security measures or deliver payloads in a stealthy manner. | 28.05.2025
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall | Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (dmesg logs); related action codes are 4 (SYSLOG_ACTION_READ_CLEAR) and 6 (SYSLOG_ACTION_CONSOLE_OFF). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally. | 27.05.2025

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 3215 | 19463
Sigma | 3409 | 788

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1274
windows / registry_set | 203
windows / file_event | 196
windows / ps_script | 165
windows / security | 158
linux / process_creation | 120
windows / image_load | 110
webserver | 81
windows / system | 73
macos / process_creation | 67
linux / auditd | 53
windows / network_connection | 52
proxy | 52
aws / cloudtrail | 46
azure / activitylogs | 43
windows / registry_event | 38
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 30
windows / dns_query | 25
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
rpc_firewall / application | 17
linux | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
github / audit | 13
m365 / threat_management | 13
windows / file_delete | 13
cisco / aaa | 12
windows / create_remote_thread | 12
windows / codeintegrity-operational | 10
kubernetes / application / audit | 10
windows / driver_load | 10
windows / registry_add | 9
linux / file_event | 9
windows / ps_classic_start | 9
windows / create_stream_hash | 9
dns | 9
windows / firewall-as | 8
windows / msexchange-management | 8
gcp / google_workspace.admin | 7
windows / bits-client | 7
windows / registry_delete | 7
zeek / smb_files | 7
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
windows / file_access | 7
windows / dns-client | 6
zeek / dns | 5
zeek / http | 5
linux / network_connection | 5
jvm / application | 5
kubernetes / audit | 5
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
linux / sshd | 3
m365 / audit | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
windows / file_change | 2
spring / application | 2
linux / syslog | 2
firewall | 2
windows / security-mitigations | 2
windows / dns-server | 2
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
windows / shell-core | 1
windows / capi2 | 1
ruby_on_rails / application | 1
linux / sudo | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / file_executable_detected | 1
velocity / application | 1
m365 / exchange | 1
zeek / x509 | 1
windows / microsoft-servicebus-client | 1
sql / application | 1
linux / vsftpd | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
windows / file_rename | 1
windows / sysmon_error | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / terminalservices-localsessionmanager | 1
database | 1
zeek / kerberos | 1
windows / sysmon_status | 1
windows / dns-server-analytic | 1
windows / driver-framework | 1
windows | 1
windows / printservice-admin | 1
nginx | 1
windows / printservice-operational | 1
netflow | 1
cisco / ldp | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
fortios / sslvpnd | 1
linux / auth | 1
cisco / bgp | 1
django / application | 1
cisco / syslog | 1
linux / cron | 1
windows / ldap | 1
windows / smbclient-connectivity | 1
linux / guacamole | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
cisco / duo | 1
linux / clamav | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
windows / process_tampering | 1
windows / raw_access_thread | 1
python / application | 1
paloalto / appliance / globalprotect | 1
windows / appxpackaging-om | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 367
windows / registry_set | 75
windows / ps_script | 73
windows / image_load | 41
windows / file_event | 38
linux / process_creation | 33
windows / wmi | 29
windows / security | 20
proxy | 12
windows / system | 9
windows / network_connection | 8
windows / registry_event | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / pipe_created | 4
windows / sense | 4
windows / taskscheduler | 4
windows / registry_delete | 4
windows / create_remote_thread | 4
windows / hyper-v-worker | 3
windows / driver_load | 3
windows / ps_classic_script | 3
webserver | 3
windows / vhd | 3
windows / application-experience | 3
windows / codeintegrity-operational | 2
windows / kernel-shimengine | 2
windows / process_access | 2
windows / windefend | 2
windows / bits-client | 2
windows / file_access | 1
windows / registry-setinformation | 1
windows / firewall-as | 1
windows / file_delete | 1
linux / file_event | 1
windows / application | 1
windows / dns_query | 1
windows / audit-cve | 1
windows / file_rename | 1
windows / amsi | 1
macos / process_creation | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html