currently serving 23651 YARA rules and 4446 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
EXPL_CVE_2026_1731_Feb26
Detects exploitation indicators of unsanitized arithmetic evaluation in BeyondTrust RS/PRA pre-auth remote access interface (CVE-2026-1731)
12.02.2026
SUSP_EXPL_Thin_Scc_Wrapper_Feb26
Detects artifacts indicative of interaction with the BeyondTrust RS/PRA pre-auth remote access interface linked to CVE-2024-12356 and CVE-2026-1731. A match suggests the system either handled legitimate remote-support traffic or was probed by scanners/attackers; it does not by itself confirm successful exploitation and should be correlated with source context and any follow-on payload or post-compromise activity.
12.02.2026
LOG_EXPL_Thin_Scc_Wrapper_Feb26
Detects suspicious indicators in web server logs which may indicate exploitation of the BeyondTrust RS/PRA pre-auth remote access interface linked to CVE-2024-12356 and CVE-2026-1731. A match suggests the system either handled legitimate remote-support traffic or was probed by scanners/attackers; it does not by itself confirm successful exploitation and should be correlated with source context and any follow-on payload or post-compromise activity.
12.02.2026
LOG_EXPL_CVE_2024_12356_Feb26
Detects log entries indicating potentially successful exploitation of CVE-2024-12356 (unauthenticated RCE). The error message could also be caused by invalid queries executed by a legitimate user.
12.02.2026
PUA_HKTL_WebSocat_Feb26
Detects WebSocat tool - a command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions. It can be used for various purposes, including testing WebSocket servers, creating WebSocket tunnels, and performing security assessments.
12.02.2026
MAL_Loader_Feb26_2
Detects a loader, seen being used by Reynolds ransomware
11.02.2026
MAL_Voidlink_Implant_Loader_Feb26
Detects Voidlink implants loader, VoidLink is an advanced malware framework made up of custom loaders, implants, rootkits, and modular plugins designed to maintain long-term access to Linux systems
11.02.2026
MAL_Voidlink_Implants_Feb26
Detects Voidlink implants, VoidLink is an advanced malware framework made up of custom loaders, implants, rootkits, and modular plugins designed to maintain long-term access to Linux systems
11.02.2026
MAL_Voidlink_Kernel_Rootkit_Feb26
Detects Voidlink kernel rootkit that provides stealth, persistence, and remote control capabilities.
11.02.2026
MAL_Voidlink_EBPF_Loader_Feb26
Detects Voidlink eBPF loader
11.02.2026
MAL_RANSOM_Reynolds_Feb26
Detects Reynolds ransomware
10.02.2026
PUA_VULN_Driver_NSecKrnl_Feb26
Detects vulnerable NSecKrnl driver used by ransomware to terminate security products and evade detection
10.02.2026
SUSP_EXPL_Ivanti_EPMM_Pattern_Feb26
Detects URL pattern indicators found in Ivanti Endpoint Manager Mobile (EPMM) logs that could indicate exploitation of CVE-2026-1281 and CVE-2026-1340
10.02.2026
SUSP_EXPL_Ivanti_EPMM_UserAgent_Feb26
Detects suspicious indicators found in Ivanti Endpoint Manager Mobile (EPMM) logs that could indicate exploitation of CVE-2026-1281 and CVE-2026-1340
10.02.2026
SUSP_URL_Encoded_RevShell_Indicators_Feb26
Detects suspicious URL patterns that could indicate URL-encoded reverse shell attempts, which are often used in web-based attacks to obfuscate malicious commands and evade detection. It could also be a false positive caused by vulnerability scanners or failed exploitation attempts that log the attempted URL in a web server log file.
10.02.2026
SUSP_OBFUSC_Encoded_Base64_Decode_Indicators_Feb26
Detects suspicious base64 encoded base64 decode patterns that could indicate obfuscated commands or scripts attempting to decode and execute hidden payloads, which is a common technique used by attackers to evade detection and analysis.
10.02.2026
MAL_Macro_RedKitten_Feb26
Detects malicious VBA macro used in RedKitten campaign
09.02.2026
SUSP_B64_Encoded_AppDomainManager_Config_Feb26
Detects Base64 encoded .NET application configuration files used to instantiate the AppDomainManager class
09.02.2026
SUSP_B64_Encoded_AppDomainManager_CS_Feb26
Detects Base64 encoded C# code overwriting the AppDomainManager
09.02.2026
MAL_Reflective_PE_Loader_Feb26
Detects DarkOthello reflective PE loader DLL that decrypts an embedded payload using a subtraction cipher, decompresses via LZMS, and reflectively loads the PE in-process, as seen being used by MuddyWater APT group
09.02.2026
MAL_LNX_ExfilServer_Feb26
Detects Go-based C2 exfiltration server that receives AES-CTR encrypted stolen data via /signup and /feed HTTP endpoints, decrypts per-client streams using registered keys, and tracks clients via cid cookies, seen being used by MuddyWater APT group
09.02.2026
HKTL_PY_Citrix_NetScaler_Memory_Leak_POC_Feb26
Detects Citrix NetScaler Memory Leak POC
09.02.2026
HKTL_PY_OWA_BruteForcer_Feb26
Detects a Python script that attacks OWA by brute-forcing passwords
09.02.2026
HKTL_PY_FortiOS_Authentication_Bypass_POC_Feb26
Detects FortiOS Authentication Bypass POC
09.02.2026
MAL_NET_DesckVB_RAT_RunPE_Feb26
Detects the RunPE loader component of the DesckVB RAT. The loader uses process hollowing to inject arbitrary code into a legitimate process.
09.02.2026
SUSP_NPM_SupplyChain_Attack_C2_Feb26
Detects pre- and postinstall scripts in combination with cloud services frequently abused as C2s
09.02.2026
SUSP_NPM_Device_Fingerprinting_Feb26
Detects suspicious device fingerprinting functionality
09.02.2026
SUSP_NPM_Terminal_Output_Persistence_Feb26
Detects suspicious terminal output persistence to bypass NPM buffering
09.02.2026
MAL_NPM_GitHub_Identity_Stealer_Feb26
Detects malicious GitHub identity stealer
09.02.2026
SUSP_WIN_SchTask_QEMU_Port_Fwd_Indicators_Feb26
Detects suspicious scheduled task XML files with QEMU port forwarding indicators, which could be used for malicious purposes such as setting up reverse tunnels or C2 communication channels
09.02.2026

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_Encoded_WscriptShell_Jun20
3
2e1168d808fa0638e976e5622fb4fceec1261fcc2a682af3380afd347bab6d5c
MAL_Browser_Stealer_Dec25_2
13
eedf288ed5b4055a6185d0be7fd940facb5372583e4c94991edb79b7c6200342
EXPL_RAR_Archive_With_Path_Traversal_Aug25
11
0fec0b2a67e858dfcbc01761d1891869f946e6f12a72b96a3fbf20a311b5ca5b
PUA_ConnectWise_ScreenConnect_Mar23
8
b40886cde0951b0b2ae860db7a84d932d38a5d015baf3e3f69ed7533fac9019c
SUSP_RAR_NTFS_ADS
11
0fec0b2a67e858dfcbc01761d1891869f946e6f12a72b96a3fbf20a311b5ca5b
SUSP_Commands_Disabling_Windows_Defender_Service_Jul23
14
1ee16f17a0b9e2d44dfb566496e66c736e17b3529e098040d1921f6e9e35020e
SUSP_MSF_MSFVenom_Indicator_Jan23_1
14
1ee16f17a0b9e2d44dfb566496e66c736e17b3529e098040d1921f6e9e35020e
SUSP_PS1_UDP_Socket_Tool_Jul23_1
14
1ee16f17a0b9e2d44dfb566496e66c736e17b3529e098040d1921f6e9e35020e
HKTL_Mimikatz_SampleSet_Nov14_1
14
1ee16f17a0b9e2d44dfb566496e66c736e17b3529e098040d1921f6e9e35020e
SUSP_COMSVCS_MiniDump_Indicators_Jun24_2
14
1ee16f17a0b9e2d44dfb566496e66c736e17b3529e098040d1921f6e9e35020e
SUSP_Script_Eval_LSASS_Jun24
14
1ee16f17a0b9e2d44dfb566496e66c736e17b3529e098040d1921f6e9e35020e
HKTL_VBA_Shellcode_Runner_Dec22_1
14
1ee16f17a0b9e2d44dfb566496e66c736e17b3529e098040d1921f6e9e35020e
SUSP_Commands_Disabling_Windows_Firewall_Jul23
14
1ee16f17a0b9e2d44dfb566496e66c736e17b3529e098040d1921f6e9e35020e
PUA_ConnectWise_ScreenConnect_Mar23
14
b72d77515310006460d6cde3379c401c0612340f1fc458450b0bc26afca4ea28
SUSP_MSIL_NET_OBF_ConfuserEx_Constants_Jul23
1
8e66a64b714c95342b21276be8b0a4181b38c5981ed24e5de51538fbc78e08c6
SUSP_GObfuscate_May21
10
d00ade4c702c4047c47f03b6ae74e0ec12e7682e98eaee31a80217abb9e09d55
SUSP_HKTL_Rust_ShellCode_Loader_Nov25
4
a898840a99676f2cb907f585a5c6c6346140b1a86a6bbdbe8d37d11f48b30b06
SUSP_HKTL_Indicators_Mar23_1
6
35d8b79c8e236d5bd55d50efcf0b453a7cce5cfb4747ec90f8558769ca6ef0f2
Generic_Strings_Hacktools
6
35d8b79c8e236d5bd55d50efcf0b453a7cce5cfb4747ec90f8558769ca6ef0f2
SUSP_OBFUSC_WEBSHELL_Indicator_Aug25
2
a29439728bb25f472b19d6522eb1f0877daee492f8e6df72809c9879c5db3903

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
7456
Threat Hunting (not subscribable, only in THOR scanner)
5787
APT
5050
Hacktools
4814
Webshells
2397
Exploits
719

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Suspicious Child Processes Spawned by AeroAdmin
Detects suspicious child processes spawned by AeroAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AnyDesk
Detects suspicious child processes spawned by AnyDesk process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AMMYYAdmin
Detects suspicious child processes spawned by AMMYYAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by LogMeIn
Detects suspicious child processes spawned by LogMeIn process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Chrome Remote Desktop
Detects suspicious child processes spawned by Chrome Remote Desktop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Remote Utilities
Detects suspicious child processes spawned by Remote Utilities process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by RemotePC
Detects suspicious child processes spawned by RemotePC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by ScreenConnect
Detects suspicious child processes spawned by ScreenConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by TightVNC
Detects suspicious child processes spawned by TightVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by VNCConnect
Detects suspicious child processes spawned by VNCConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by UltraVNC
Detects suspicious child processes spawned by UltraVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by ZohoAssist
Detects suspicious child processes spawned by ZohoAssist process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by TeamViewer
Detects suspicious child processes spawned by TeamViewer process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Splashtop
Detects suspicious child processes spawned by Splashtop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by SlashTop
Detects suspicious child processes spawned by SlashTop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
File Operation via .NET Class
Detects the use of a .NET method in command lines which could be used for unauthorized file operations such as copying files. This could indicate suspicious activity because there are many normal ways to copy files in Windows, so an adversary may use this rarely used method to avoid detection.
06.02.2026
Suspicious Double Extension Files in Linux
Detects files with double extensions in Linux systems, which could be an attempt to disguise executable content as harmless documents.
05.02.2026
Suspicious Download and Execution Combo in Linux
Detects suspicious command line patterns where a download command line utility is executed in combination with other suspicious command line utilities. This could indicate potential malicious activity such as downloading a file and then decoding it, changing its permissions, executing it, or creating persistence.
05.02.2026
Suspicious Linux Command Patterns
Detects suspicious command line patterns that may indicate malicious activity such as decoding base64 content to files in some folder and executing it.
05.02.2026
Suspicious Double Extension File Execution on Linux
Detects suspicious use of executable extensions like .sh, .py or .pl after a non-executable file extension to disguise malicious files in Linux environments
05.02.2026
Suspicious Base64 Encoded IP in PowerShell Execution
Detects PowerShell script blocks that contain base64-encoded IP addresses, a technique commonly used for obfuscation and defense evasion. Threat actors may leverage this method to download and execute secondary payloads from IP addresses - often their command and control (C2) servers or other malicious infrastructure. By encoding these URLs in base64 within PowerShell commands, adversaries attempt to bypass detection mechanisms and evade user scrutiny. This rule helps identify suspicious activity where PowerShell is used to retrieve content from IPs via base64-encoded strings, which is rarely seen in legitimate software.
04.02.2026
Suspicious Base64 Encoded IP in Command Line
Detects processes with command lines containing base64-encoded IP addresses, which may indicate obfuscation or evasion attempts. Threat actors often host their secondary malicious payloads on IP addresses, potentially their C&C servers or other hosting infrastructure. The malware dropper technique involves downloading and executing a secondary payload from such an IP address, and to obscure the command line from normal user scrutiny, threat actors may base64-encode their script or command line arguments used to download and execute the secondary payload.
04.02.2026
Renamed TinyCC (TCC) Compiler Execution
Detects the execution of a renamed TinyCC (TCC) Compiler (tcc.exe). Attackers have been observed renaming tcc.exe to masquerade as legitimate Windows binaries (e.g., svchost.exe) to compile and execute malicious C code in memory, such as shellcode loaders. This technique was observed in Chrysalis backdoor attacks.
03.02.2026
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
03.02.2026
Tiny C Compiler Runtime Execution
Detects execution of Tiny C Compiler (TCC) which compiles and executes C code directly in memory. This technique was observed in Chrysalis backdoor campaigns where attackers renamed tcc.exe to svchost.exe and used it to load shellcode from .c files directly into memory, bypassing traditional detection methods.
03.02.2026
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
03.02.2026
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
02.02.2026
CLSID DefaultIcon Value Tampering
Detects potential COM object hijacking. Adversaries have used CLSID DefaultIcon to reference malicious payload, encrypted payloads, or conceal payload execution paths as part of defense-evasion and persistence chains.
31.01.2026
Win32_ScheduledJob Class or At.exe Enabled - Registry
Detects the enabling of the Win32_ScheduledJob WMI class or At.exe via registry modification. The Win32_ScheduledJob class is used to create and manage scheduled jobs in Windows. This class is disabled by default for security reasons, and enabling it may indicate an attempt to create or manage scheduled jobs in a potentially malicious manner.
29.01.2026
Suspicious PowerShell Execution with Public IPv4 - PowerShell
Detects PowerShell commands or scripts making web requests directly to public IPv4 addresses using `Invoke-WebRequest` or `Invoke-RestMethod`, which may indicate suspicious activity. Threat actors may use this technique to download and execute secondary payloads from direct IP addresses, potentially their command and control (C2) servers or other malicious infrastructure.
29.01.2026

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
2720
20931
Sigma
3540
906

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1331
windows / registry_set
219
windows / file_event
206
windows / ps_script
165
windows / security
160
linux / process_creation
131
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
68
aws / cloudtrail
55
proxy
54
linux / auditd
53
windows / network_connection
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
rpc_firewall / application
17
windows / windefend
16
linux
16
github / audit
16
gcp / gcp.audit
16
bitbucket / audit
14
windows / file_delete
13
linux / file_event
13
m365 / threat_management
13
cisco / aaa
12
windows / create_remote_thread
12
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
dns
9
windows / appxdeployment-server
9
windows / create_stream_hash
9
windows / firewall-as
8
windows / msexchange-management
8
antivirus
7
fortigate / event
7
windows / file_access
7
azure / pim
7
windows / bits-client
7
zeek / smb_files
7
gcp / google_workspace.admin
7
windows / dns-client
6
jvm / application
5
kubernetes / audit
5
zeek / dns
5
linux / network_connection
5
zeek / http
5
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
windows / sysmon
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / registry_add
3
linux / sshd
3
m365 / audit
3
macos / file_event
3
onelogin / onelogin.events
2
firewall
2
windows / security-mitigations
2
linux / syslog
2
windows / dns-server
2
spring / application
2
apache
2
sql / application
1
linux / sudo
1
velocity / application
1
cisco / duo
1
cisco / bgp
1
nginx
1
windows / dns-server-analytic
1
cisco / ldp
1
windows / ldap
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
windows / wmi
1
windows / printservice-operational
1
database
1
linux / clamav
1
windows / lsa-server
1
django / application
1
linux / auth
1
windows / applocker
1
fortios / sslvpnd
1
linux / guacamole
1
huawei / bgp
1
windows / appmodel-runtime
1
windows / openssh
1
cisco / syslog
1
linux / cron
1
juniper / bgp
1
windows / appxpackaging-om
1
windows / process_tampering
1
windows / smbclient-connectivity
1
windows / smbserver-connectivity
1
windows / file_change
1
windows / raw_access_thread
1
paloalto / file_event / globalprotect
1
linux / vsftpd
1
zeek / x509
1
windows / capi2
1
nodejs / application
1
paloalto / appliance / globalprotect
1
windows / certificateservicesclient-lifecycle-system
1
windows / shell-core
1
windows / file_executable_detected
1
windows / microsoft-servicebus-client
1
python / application
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_status
1
m365 / exchange
1
zeek / rdp
1
windows / sysmon_error
1
ruby_on_rails / application
1
m365 / threat_detection
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / driver-framework
1
windows
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
434
windows / ps_script
82
windows / registry_set
82
windows / file_event
46
windows / image_load
45
linux / process_creation
41
windows / wmi
29
windows / security
25
proxy
12
windows / system
10
windows / network_connection
8
windows / registry_event
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / pipe_created
4
windows / sense
4
windows / taskscheduler
4
windows / create_remote_thread
4
windows / registry_delete
4
windows / hyper-v-worker
3
windows / ps_classic_script
3
webserver
3
windows / vhd
3
windows / application-experience
3
windows / driver_load
3
windows / file_delete
2
windows / kernel-shimengine
2
linux / file_event
2
macos / process_creation
2
windows / windefend
2
windows / process_access
2
windows / process-creation
2
windows / dns_query
2
windows / bits-client
2
windows / codeintegrity-operational
2
windows / file_access
2
windows / firewall-as
1
windows / registry-setinformation
1
windows / file_rename
1
dns
1
windows / amsi
1
windows / application
1
windows / registry_add
1
windows / audit-cve
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html