
currently serving 19860 YARA rules and 3345 Sigma rules
Newest YARA Rules
This table shows the newest additions to the YARA rule set

| Rule | Description | Date |
|---|---|---|
| WEBSHELL_OBFUSC_PHP_Indicators_Sep23 | Detects base64 obfuscated indicators of obfuscation in a web shell | 27.09.2023 |
| MAL_NetSpawn_Implant_Sep23 | Detects NetSpawn malware implants | 27.09.2023 |
| SUSP_Implant_Indicators_Sep23_1 | Detects unknown implants noticed in September 2023 | 27.09.2023 |
| SUSP_HTML_JS_Encoded_Pattern_Sep23 | Detects pattern found in malicious HTML files that contain embedded JavaScript code | 27.09.2023 |
| SUSP_OBFUSC_JS_Encoded_Pattern_Sep23 | Detects pattern found in files that contain embedded and obfuscated JavaScript code | 27.09.2023 |
| MAL_CVE_2023_36884_Characteristics_Sep23_1 | Detects characteristics seen in CVE-2023-36884 | 25.09.2023 |
| MAL_CVE_2023_36884_Characteristics_Sep23_2 | Detects characteristics seen in CVE-2023-36884 | 25.09.2023 |
| MAL_PS1_Bbtok_Banker_Sep23_2 | Detects PowerShell script that controls the payload distribution of Bbtok banker malware | 24.09.2023 |
| MAL_PS1_Bbtok_Sep23_1 | Detects PowerShell script executing the next stage payload of Bbtok banker | 24.09.2023 |
| HKTL_Browser_Data_Dumper_Sep23 | Detects browser data dumper/hack tool seen used by the OilRig APT group | 24.09.2023 |
| APT_MAL_Malstaticnoise_Downloader_Sep23 | Detects Malstaticnoise downloader related to APT29 | 22.09.2023 |
| SUSP_RDP_Suspicious_Indicators_Sep23 | Detects suspicious .rdp file content, which could indicate a phishing attempt | 19.09.2023 |
| EXPL_SUSP_Juniper_FW_CVE_2023_36845_Sep23 | Detects URI pattern found in log files of exploited Juniper appliances | 19.09.2023 |
| SUSP_ClassID_Pattern_Sep23_1 | Detects suspicious CLSID as used in malicious scripts | 18.09.2023 |
| SUSP_ClassID_Pattern_Sep23_2 | Detects suspicious CLSID as used in malicious scripts | 18.09.2023 |
| SUSP_Keylogger_Decoder_Sep23 | Detects potential decoder that decrypts the content recorded by a keylogger, seen used by APT-C-60 | 17.09.2023 |
Successful YARA Rules in Set
This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

| Rule | AVs | Hash (SHA256) |
|---|---|---|
| SUSP_Destructive_Indicators_May21_1 | 13 | f94736223bd2288083686c392d4ae22b709b2a25eba58eb9cb8ba3bdcb6851b3 |
| SUSP_PE_Discord_Attachment_Oct21_1 | 13 | f94736223bd2288083686c392d4ae22b709b2a25eba58eb9cb8ba3bdcb6851b3 |
| SUSP_Ngrok_Tunnel_Endpoint_Nov22_1 | 1 | 85044b7c47405bf3e74364fefb5f95cde97235766bbd5cef9db65e3e6eef804e |
| SUSP_Go_Process_Injection_Indicators_Jan23 | 7 | aa3f0f3c0439690011c076e27e9d648605ba6d3a927ca8c19747e9d4952180a7 |
| SUSP_Go_Loader_Indicators_Mar23_1 | 7 | aa3f0f3c0439690011c076e27e9d648605ba6d3a927ca8c19747e9d4952180a7 |
| SUSP_Go_Process_Injection_Indicators_Jan23 | 9 | cd3c3efc856ad895baf915ba4f38438d0231c6eeba36c5f4a1fe283250c66631 |
| SUSP_PE_Discord_Attachment_Oct21_1 | 12 | 6f6da76bed1eb6da4ec56619b0527b59a11b9f9b6130d11fc8e74e65e6a98297 |
| SUSP_Go_Loader_Indicators_Mar23_1 | 9 | cd3c3efc856ad895baf915ba4f38438d0231c6eeba36c5f4a1fe283250c66631 |
| SUSP_Go_Process_Injection_Indicators_Jan23 | 6 | ad5bc511b2e734e80acd8b7690d0029a82886135b23dbf90efedd017d67329d5 |
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in 'n' categories)

| Tag | Count |
|---|---|
| Malware | 5640 |
| APT | 4743 |
| Threat Hunting (not subscribable, only in THOR scanner) | 4723 |
| Hacktools | 4328 |
| Webshells | 2258 |
| Exploits | 587 |
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set

| Rule | Description | Date |
|---|---|---|
| Access To .Reg/.Hive Files By Uncommon Application | Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups. | 15.09.2023 |
| Diskshadow Script Mode - Execution From Potential Suspicious Location | Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. | 15.09.2023 |
| Diskshadow Script Mode - Uncommon Script Extension Execution | Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. | 15.09.2023 |
| Potentially Suspicious Child Process Of DiskShadow.EXE | Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules. | 15.09.2023 |
| Invalid PIM License | Identifies when an organization doesn't have the proper license for PIM and is out of compliance. | 14.09.2023 |
| Roles Assigned Outside PIM | Identifies when a privileged role assignment has taken place outside of PIM and may indicate an attack. | 14.09.2023 |
| Roles Activated Too Frequently | Identifies when the same privileged role has multiple activations by the same user. | 14.09.2023 |
| Roles Activation Doesn't Require MFA | Identifies when a privileged role can be activated without performing MFA. | 14.09.2023 |
| Roles Are Not Being Used | Identifies when a user has been assigned a privileged role and is not using that role. | 14.09.2023 |
| Too Many Global Admins | Identifies an event where there are too many accounts assigned the Global Administrator role. | 14.09.2023 |
| Stale Accounts In A Privileged Role | Identifies when an account hasn't signed in during the past n number of days. | 14.09.2023 |
| Malicious IP Address Sign-In Suspicious | Indicates sign-in from an IP address known to be malicious at the time of sign-in. | 07.09.2023 |
| Okta New Admin Console Behaviours | Detects when Okta identifies new activity in the Admin Console. | 07.09.2023 |
| Okta Suspicious Activity Reported by End-user | Detects when an Okta end-user reports activity by their account as being potentially suspicious. | 07.09.2023 |
| Okta User Session Start Via An Anonymising Proxy Service | Detects when an Okta user session starts where the user is behind an anonymising proxy service. | 07.09.2023 |
| Primary Refresh Token Access Attempt | Indicates an access attempt to the PRT resource, which can be used to move laterally into an organization or perform credential theft. | 07.09.2023 |
| Azure AD Threat Intelligence | Indicates user activity that is unusual for the user or consistent with known attack patterns. | 07.09.2023 |
| Malicious IP Address Sign-In Failure Rate | Indicates sign-in from a malicious IP address based on high failure rates. | 07.09.2023 |
| Potentially Suspicious Electron Application CommandLine | Detects potentially suspicious CommandLine of Electron apps (Teams, Discord, Slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. | 05.09.2023 |
| IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI | Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. | 05.09.2023 |
| IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols | Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. | 05.09.2023 |
| VMMap Signed Dbghelp.DLL Potential Sideloading | Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap. | 05.09.2023 |
| Old TLS1.0/TLS1.1 Protocol Version Enabled | Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key. | 05.09.2023 |
| ADS Zone.Identifier Deleted By Uncommon Application | Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS, such as Microsoft Office apps. | 04.09.2023 |
| ESXi Admin Permission Assigned To Account Via ESXCLI | Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account. | 04.09.2023 |
| ESXi Network Configuration Discovery Via ESXCLI | Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration. | 04.09.2023 |
YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
|---|---|---|
| Yara | 2935 | 16925 |
| Sigma | 3022 | 323 |
Sigma Rules Per Category (Community)

| Type | Count |
|---|---|
| windows / process_creation | 1146 |
| windows / registry_set | 176 |
| windows / file_event | 168 |
| windows / ps_script | 165 |
| windows / security | 145 |
| linux / process_creation | 104 |
| windows / image_load | 94 |
| windows / system | 70 |
| webserver | 68 |
| macos / process_creation | 49 |
| proxy | 49 |
| linux / auditd | 49 |
| windows / network_connection | 44 |
| azure / activitylogs | 38 |
| windows / registry_event | 37 |
| azure / auditlogs | 33 |
| windows / ps_module | 32 |
| aws / cloudtrail | 32 |
| windows / process_access | 27 |
| windows / application | 24 |
| azure / signinlogs | 24 |
| okta / okta | 19 |
| azure / riskdetection | 19 |
| windows / pipe_created | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| windows / driver_load | 16 |
| windows / dns_query | 14 |
| gcp / gcp.audit | 14 |
| windows / create_remote_thread | 13 |
| m365 / threat_management | 13 |
| windows / windefend | 12 |
| cisco / aaa | 12 |
| windows / file_delete | 12 |
| windows / ps_classic_start | 11 |
| windows / codeintegrity-operational | 10 |
| windows / create_stream_hash | 9 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| dns | 8 |
| antivirus | 7 |
| windows / appxdeployment-server | 7 |
| azure / pim | 7 |
| windows / bits-client | 7 |
| github / audit | 7 |
| zeek / smb_files | 7 |
| windows / registry_delete | 6 |
| google_workspace / google_workspace.admin | 6 |
| azure / azureactivity | 5 |
| jvm / application | 5 |
| windows / file_access | 5 |
| windows / dns-client | 5 |
| zeek / dce_rpc | 4 |
| zeek / dns | 4 |
| windows / taskscheduler | 3 |
| windows / wmi_event | 3 |
| linux / network_connection | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| linux / sshd | 3 |
| windows / sysmon | 3 |
| zeek / http | 3 |
| windows / dns-server | 2 |
| apache | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| qualys | 2 |
| windows / file_change | 2 |
| firewall | 2 |
| windows / security-mitigations | 2 |
| linux / syslog | 2 |
| spring / application | 2 |
| m365 / audit | 2 |
| windows / file_rename | 2 |
| zeek / rdp | 1 |
| windows / diagnosis-scripted | 1 |
| sql / application | 1 |
| m365 / threat_detection | 1 |
| zeek / kerberos | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / process_tampering | 1 |
| database | 1 |
| windows / driver-framework | 1 |
| windows | 1 |
| windows / sysmon_error | 1 |
| nginx | 1 |
| windows / printservice-operational | 1 |
| windows / dns-server-analytic | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-admin | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| windows / smbclient-connectivity | 1 |
| netflow | 1 |
| cisco / ldp | 1 |
| linux / auth | 1 |
| cisco / bgp | 1 |
| windows / ldap_debug | 1 |
| linux / cron | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| windows / raw_access_thread | 1 |
| linux / guacamole | 1 |
| huawei / bgp | 1 |
| windows / applocker | 1 |
| nodejs / application | 1 |
| juniper / bgp | 1 |
| windows / appxpackaging-om | 1 |
| python / application | 1 |
| linux / clamav | 1 |
| django / application | 1 |
| windows / capi2 | 1 |
| windows / shell-core | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / microsoft-servicebus-client | 1 |
| zeek / x509 | 1 |
| windows / file_block | 1 |
| velocity / application | 1 |
| linux / sudo | 1 |
| windows / smbclient-security | 1 |
| windows / sysmon_status | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| linux / vsftpd | 1 |
Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
|---|---|
| windows / process_creation | 141 |
| windows / ps_script | 42 |
| windows / wmi | 29 |
| windows / registry_set | 20 |
| windows / file_event | 12 |
| proxy | 11 |
| windows / system | 9 |
| windows / image_load | 7 |
| windows / security | 6 |
| windows / network_connection | 5 |
| windows / create_remote_thread | 4 |
| linux / process_creation | 3 |
| webserver | 3 |
| windows / pipe_created | 3 |
| windows / ps_classic_script | 3 |
| windows / ps_module | 3 |
| windows / vhd | 3 |
| windows / registry_event | 3 |
| windows / driver_load | 2 |
| windows / bits-client | 2 |
| windows / taskscheduler | 2 |
| windows / dns_query | 1 |
| windows / registry-setinformation | 1 |
| macos / process_creation | 1 |
| windows / file_access | 1 |
| windows / file_delete | 1 |
| windows / amsi | 1 |
| windows / application | 1 |
| windows / audit-cve | 1 |
| windows / process_access | 1 |
| windows / registry_delete | 1 |
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- The filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls