currently serving 23883 YARA rules and 4539 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
HKTL_RedSun_Privilege_Escalation_Apr26
Detects RedSun hacktool used for privilege escalation through Microsoft Defender.
16.04.2026
HKTL_PoisonX_Terminator_Driver_Apr26
Detects a Windows driver named PoisonX that expose a dangerous IOCTL interface capable of terminating arbitrary processes, which can be exploited by attackers to disrupt system operations or evade detection by security software.
14.04.2026
WEBSHELL_PHP_Dropper_Cookie_Controller_Apr26
Detects bash droppers for cookie controlled PHP webshells
13.04.2026
SUSP_VBS_RunAs_Elevation_Apr26
Detects suspicious VBScript leveraging ActiveXObject and ShellExecute for privilege escalation, commonly observed in multi-stage malware loaders.
13.04.2026
SUSP_Praetorian_Inc_Apr26
Detects Go based binaries by Praetorian Inc which creates scanners and hack tools
13.04.2026
SUSP_Persistence_Shellcode_Apr26
Detects inline C# shellcode loaders that decrypt shellcode and execute via delegate invoke
11.04.2026
MAL_Dropper_DLL_Apr26
Detects a proxy DLL that sideloads via DLL search order hijacking, decodes colon-hex shellcode and reflective-loads an encrypted payload
10.04.2026
MAL_Sero_RAT_Apr26
Detects SeroRAT, a remote access trojan that has been observed in the wild. It is known for its ability to evade detection and maintain persistence on infected systems, seen being dropped by Amadey botnet.
09.04.2026
MAL_STX_Loader_Apr26
Detects STX RAT reflective loader stub that performs XXTEA decryption, API hashing hashing to unpack and execute the Alien beacon in-memory
09.04.2026
MAL_STX_RAT_Apr26
Detects STX RAT that is used for C2 encryption, HVNC, and credential theft capabilities
09.04.2026
SUSP_NET_Loader_Apr26
Detects obfuscated .NET in-memory loader leveraging reflection and byte array payload execution
08.04.2026
MAL_SilentConnect_Loader_Apr26
Detects SilentConnect loader written in C# that uses reflection, NTAPI, and in-memory execution to silently install a ScreenConnect remote access client
08.04.2026
MAL_PS1_AddMpPreference_Char_Obfuscation_Apr26
Detects obfuscated PowerShell used by malware to disable Microsoft Defender protections via exclusion rules.
08.04.2026
SUSP_PY_Dropper_Apr26
Detects suspicious usage of Python's base64 and subprocess libraries
07.04.2026
HKTL_Wiretap_RS_Apr26
Detects Wiretap RS - a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.
07.04.2026
HKTL_BlueHammer_Apr26
Detects Nightmare-Eclipse/BlueHammer (FunnyApp), a Windows local privilege escalation PoC that abuses a Defender signature-update RPC and a junction/symlink race to leak the SAM hive and derive NTLM hashes - giving an unprivileged user full SYSTEM-level credential access.
07.04.2026
SUSP_BOF_Indicators_Proc_Eval_Apr26
Detects suspicious code found in a larger BOF file sample analysis set (whoami BOF)
07.04.2026
HKTL_BOF_NanoDump_Apr26
Detects strings found in NanoDump BOF samples. NanoDump is a BOF that can be used to dump the memory of a process and is often used in post-exploitation scenarios to dump LSASS and extract credentials from it.
07.04.2026
SUSP_BOF_Indicators_Process_Manip_Apr26
Detects suspicious code found in a larger BOF file sample analysis set that is related to process manipulation
07.04.2026
MAL_TangleCrypt_Apr26
Detects TangleCrypt packer seen being used by multiple malware families
06.04.2026
MAL_CrystalX_RAT_Apr26
Detects CrystalX RAT written in Go, featuring WebSocket C2 communication, remote access capabilities, credential stealing, keylogging, clipboard hijacking, and prankware-style system manipulation, including user disruption and remote screen control
06.04.2026
PUA_ThrottleStop_Driver_Apr26
Detects the ThrottleStop driver, a high-privilege hardware access driver used by legitimate software, but also observed in ransomware campaigns for EDR/AV tampering and termination via IOCTL abuse.
05.04.2026
HKTL_ScanPortPlus_Apr26
Detects ScanPortPlus, a custom, go-based network scanning tool used by the chinese threat actor group CL-UNK-1068
03.04.2026
SUSP_BOF_Indicators_Beacon_Apr26
Detects malicious beacon code found in a larger BOF file sample analysis set
03.04.2026
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
APT_MAL_TA505_OfficeDoc_Campaign_Jul19_1
2
4b5de483035b3c8af4856b8ff7ba4e8d25f14758f634e199059951027a772b44
APT_MAL_TA505_OfficeDoc_Campaign_Jul19_1
1
c22a80ddbd65558befbbdbe6aba40b750e3ed74c6bc914f9f26610bd22e7c4a4
PUA_ConnectWise_ScreenConnect_Mar23
12
b1f8526e45382aab0fed440ed3efc68bffee1168eb3fd5626b5ccdc33326a60e
PUA_ConnectWise_ScreenConnect_Mar23
9
80880bab75e233cc8ce9d4488b9b1318fc97d6b29c7811601cb2395a6ce195f5
PUA_ELF_MicroSocks_Socks5_Proxy_Nov24
7
b0d6b531d08f0e0d0ca5cc1426971517e3111b9ffae8ea154d941f06a9aad508
PUA_ConnectWise_ScreenConnect_Mar23
10
c0f80fc74d014583a6f0817b1da99811e3ef8566e698d90b87b0d95d2ad7e419
PUA_ConnectWise_ScreenConnect_Mar23
14
bad85c956583599fa35f6bda74dacef6068de45e605b8db883515a1ed696ccf0
SUSP_HKTL_Rust_ShellCode_Loader_Nov25
8
8aaf8d6f57a38280b4d3cda79171936f7e371148bc1a2d11fd362c060aa20ea8
PUA_ConnectWise_ScreenConnect_Mar23
14
b8aae0d1d9cd6102ffe34daad32916ffdde82d87773f470a5a49b19917536f73
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
7558
Threat Hunting (not subscribable, only in THOR scanner)
5875
APT
5055
Hacktools
4853
Webshells
2402
Exploits
722
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Potential Rogue Virtual Machine Execution via VMX
Detects potential rogue virtual machine execution via direct vmx binary execution with -x argument, which bypasses vCenter visibility and registration workflows.
This technique may be used by adversaries to maintain persistence within a virtualized environment.
09.04.2026
Credential Dumping via Volatility Framework
Detects potential credential dumping activities using the Volatility memory forensics framework
09.04.2026
Registry Query for Installed Software via Reg.Exe
Detects usage of reg.exe to enumerate installed software via registry queries.
Adversaries may use reg.exe to query registry keys that list installed software as part of their reconnaissance activities to identify potential targets or gather information about the software environment.
03.04.2026
Potential IIS Reconnaissance via AppCmd.Exe Utility
Detects potential reconnaissance activity targeting Internet Information Services (IIS) web servers through the use of the AppCmd.exe utility.
AppCmd.exe is a command-line tool used for managing IIS configurations and can be leveraged by attackers to gather information about the server environment, including sites, application pools, and modules.
03.04.2026
Potential User Profile Reconnaissance via CommandLine
Detects potential user profile reconnaissance activity by identifying command-line executions of 'cmd.exe' and 'reg.exe' that query user directories and registry keys associated with user profiles.
03.04.2026
Suspicious CMD Echo of JavaScript Script Tag to File or Pipe
Detects usage of 'cmd /c echo <script...' with output redirected to a file or piped which may indicate suspicious JavaScript injection or script drop activity or one-liner script execution attempts.
Attackers may use this technique to create or execute JavaScript code on the target system, potentially for malicious purposes such as downloading and executing additional payloads, or for persistence.
Investigation of such events should consider the context of the command execution, including the content being echoed and the destination of the output.
03.04.2026
VSCode Tasks.json File Creation
Detects the creation of `.vscode/tasks.json` files which can be abused to auto-run malicious scripts when a VSCode workspace is opened and trusted by the user.
This technique was observed in the "Contagious Interview" campaign where threat actors exploited VS Code's workspace trust model to execute malicious tasks upon opening a new project.
Attackers may create or modify `tasks.json` to define tasks that run malicious commands or scripts automatically when the workspace is opened and trusted by the user.
Legitimate use cases include developers configuring build or deployment tasks, but unexpected creation of such files in unfamiliar projects may indicate malicious activity.
02.04.2026
Suspicious Download and Execution Pattern via VSCode/Cursor Tasks - Linux
Detects suspicious patterns where Visual Studio Code or Cursor spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes.
This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`.
Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode or Cursor, enabling initial access or further compromise.
02.04.2026
DNS Exfiltration via DNSExfiltrator - Network
Detects DNS exfiltration activity using the DNSExfiltrator tool, which encodes data in DNS queries using certain encoding.
02.04.2026
Unusually Long DNS Query - Network
Detects unusually long DNS queries that may indicate DNS tunneling, data exfiltration attempts, or C2 communication.
Usage of DNS for C&C communication or data exfiltration often involves crafting long DNS queries to encode information.
02.04.2026
Suspicious Download and Execution Pattern via VSCode Tasks
Detects suspicious patterns where Visual Studio Code (VSCode) spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes.
This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`.
Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode, enabling initial access or further compromise.
02.04.2026
DNS Exfiltration via DNSExfiltrator
Detects DNS exfiltration activity using the DNSExfiltrator tool, which encodes data in DNS queries using certain encoding.
02.04.2026
Unusually Long DNS Query
Detects unusually long DNS queries that may indicate DNS tunneling, data exfiltration attempts, or C2 communication.
Usage of DNS for C&C communication or data exfiltration often involves crafting long DNS queries to encode information.
02.04.2026
File Operation via .NET Class
Detects the use of dotnet method in command lines which could be used for unauthorized file operations such as copying files.
It could indicate suspicious activity because there are many normal ways to copy files in Windows, thus adversary may use this rarely used method to avoid detection.
02.04.2026
Suspicious Download and Piping to Interpreters Pattern
Detects the usage of download utilities like curl or wget followed by piping the downloaded content directly into an interpreter such as Node.js, Python, Bash, PowerShell, Perl, or Ruby.
This pattern is often used by attackers to download and execute malicious scripts or payloads directly in memory, bypassing traditional file-based detection mechanisms.
Review thee process lineage for context to determine if the activity is legitimate or malicious.
02.04.2026
Suspicious File Rename
Detects suspicious renaming of benign file types such as documents or images to executable file types.
Threat actors often drops files with innocent extensions and later rename them to executable formats during execution to evade detection.
02.04.2026
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
01.04.2026
Axios NPM Compromise File Creation Indicators - Linux
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
01.04.2026
Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
01.04.2026
Axios NPM Compromise File Creation Indicators - Windows
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
01.04.2026
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
01.04.2026
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency by Axios NPM package, including payload download via curl and detached execution using nohup and python3.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
01.04.2026
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
This detection detects endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.
01.04.2026
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8).
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
30.03.2026
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
30.03.2026
PUA - HoboCopy Execution
Detects the execution of HoboCopy, a command-line tool that can be used to copy locked files using Volume Shadow Copy Service (VSS). This tool can be abused by attackers to copy sensitive files like SAM, SYSTEM, or NTDS.dit.
Event though it can be used for legitimate backup purposes, its presence in modern Windows environments is very rare and potentially associated with malicious activity.
27.03.2026
Critical Log File Deletion on Linux System
Detects deletion of critical log files on Linux systems that may indicate log tampering or evidence destruction.
This technique can be used by attackers to cover their tracks after gaining unauthorized access to a system.
26.03.2026
Critical Log Manipulation via Sed Utility
Detects critical log manipulation attempts using the sed utility with in-place editing on sensitive log files.
This technique can be used by attackers to cover their tracks after gaining unauthorized access to a system.
26.03.2026
HackTool - Vmkatz Execution
Detects patterns indicative of Vmkatz extracting credentials natively from virtual machine snapshots, virtual disks, or NTDS databases directly on hypervisors like ESXi or Proxmox.
25.03.2026
Esxcli Allow Unverified Binaries Execution
Detects modification of the execInstalledOnly setting on ESXi hosts to allow execution of non-VIB (unverified) binaries.
This technique is often used by attackers to run custom tools or other implants directly on ESXi hypervisors without the need for VIB signing, which can facilitate further compromise or persistence on the host.
25.03.2026
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
2721
21162
Sigma
3561
978
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1340
windows / registry_set
219
windows / file_event
208
windows / ps_script
166
windows / security
160
linux / process_creation
137
windows / image_load
113
webserver
82
windows / system
74
macos / process_creation
69
aws / cloudtrail
55
proxy
54
windows / network_connection
53
linux / auditd
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
rpc_firewall / application
17
windows / windefend
16
linux
16
gcp / gcp.audit
16
github / audit
15
linux / file_event
15
bitbucket / audit
14
m365 / threat_management
13
windows / file_delete
13
cisco / aaa
12
windows / create_remote_thread
12
dns
10
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
windows / create_stream_hash
9
windows / appxdeployment-server
9
windows / firewall-as
8
windows / msexchange-management
8
antivirus
7
fortigate / event
7
windows / file_access
7
azure / pim
7
windows / bits-client
7
zeek / smb_files
7
gcp / google_workspace.admin
7
windows / dns-client
6
jvm / application
5
kubernetes / audit
5
zeek / dns
5
linux / network_connection
5
zeek / http
5
windows / sysmon
4
macos / file_event
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / registry_add
3
linux / sshd
3
m365 / audit
3
windows / dns-server
2
spring / application
2
apache
2
onelogin / onelogin.events
2
firewall
2
windows / security-mitigations
2
linux / syslog
2
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_status
1
m365 / exchange
1
zeek / rdp
1
windows / terminalservices-localsessionmanager
1
ruby_on_rails / application
1
zeek / kerberos
1
windows
1
windows / sysmon_error
1
m365 / threat_detection
1
windows / driver-framework
1
velocity / application
1
cisco / duo
1
linux / sudo
1
sql / application
1
cisco / bgp
1
nginx
1
windows / wmi
1
windows / dns-server-analytic
1
windows / ldap
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
cisco / ldp
1
windows / printservice-operational
1
database
1
linux / clamav
1
windows / lsa-server
1
linux / auth
1
linux / guacamole
1
windows / appmodel-runtime
1
windows / openssh
1
django / application
1
fortios / sslvpnd
1
huawei / bgp
1
windows / applocker
1
cisco / syslog
1
linux / cron
1
juniper / bgp
1
windows / appxpackaging-om
1
windows / smbserver-connectivity
1
windows / process_tampering
1
windows / smbclient-connectivity
1
windows / file_change
1
windows / raw_access_thread
1
paloalto / file_event / globalprotect
1
windows / capi2
1
windows / shell-core
1
nodejs / application
1
paloalto / appliance / globalprotect
1
linux / vsftpd
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
zeek / x509
1
python / application
1
windows / diagnosis-scripted
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
474
windows / registry_set
86
windows / ps_script
85
linux / process_creation
51
windows / file_event
47
windows / image_load
46
windows / wmi
29
windows / security
28
windows / system
13
proxy
12
windows / registry_event
8
windows / network_connection
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / create_remote_thread
4
windows / dns_query
4
windows / registry_delete
4
windows / sense
4
windows / taskscheduler
4
windows / pipe_created
4
windows / hyper-v-worker
3
windows / driver_load
3
windows / ps_classic_script
3
dns
3
webserver
3
windows / vhd
3
windows / application-experience
3
windows / process-creation
2
windows / bits-client
2
windows / codeintegrity-operational
2
windows / file_access
2
windows / file_delete
2
windows / kernel-shimengine
2
linux / file_event
2
macos / process_creation
2
windows / smbclient-security
2
windows / process_access
2
windows / windefend
2
windows / audit-cve
1
windows / registry_add
1
windows / firewall-as
1
windows / registry-setinformation
1
linux / file_delete
1
windows / file_rename
1
windows / amsi
1
windows / application
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR