Valhalla rule feed, currently serving 24178 YARA rules and 4607 Sigma rules

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
EXPL_CVE_2026_33829_Jun26
Detects an exploit for CVE-2026-33829, which allows remote attackers to obtain NTLM responses from users via the ms-screensketch protocol handler
09.06.2026
EXPL_B64_CVE_2026_33829_Jun26
Detects a base64-encoded exploit for CVE-2026-33829, which allows remote attackers to obtain NTLM responses from users via the ms-screensketch protocol handler
09.06.2026
SUSP_Binding_GYP_Jun26
Detects suspicious build configuration files (binding.gyp) containing shell command execution constructs that may be abused during npm package installation, as these files are automatically processed by node-gyp in trusted build environments.
04.06.2026
APT_DPRK_RAT_HuggingFace_Exfil_Jun26
Detects JavaScript RAT, seen being used by DPRK Contagious Interview exfiltrating screenshots and files via HuggingFace API
03.06.2026
EXPL_WER_CVE_2026_41089_Netlogon_Jun26
Detects characteristics in WER files (crash reports) that could indicate exploitation of CVE-2026-41089, a critical vulnerability in Microsoft Windows Netlogon that allows for remote code execution through a stack-based buffer overflow in the BuildSamLogonResponse function. The presence of specific strings related to lsass.exe, netlogon.DLL, and certain error codes could be indicative of an attempted or successful exploitation of this vulnerability.
02.06.2026
MAL_MWSRAT_Jun26
Detects MWSRAT that searches the host for cryptocurrency wallets, performs local network scanning, queries the registry, and hijacks the clipboard to swap copied cryptocurrency addresses
01.06.2026
MAL_Laxury_Stealer_Jun26
Detects Laxury stealer
01.06.2026
SUSP_LNX_CRONTAB_INSTALL_Jun26
Detects suspicious installation of crontab entries for persistence
01.06.2026
MAL_RUSTCLOAK_Loader_Jun26
Detects RUSTCLOAK loader that evades sandbox analysis, decrypts an encoded shellcode payload, and executes it via fiber hijacking.
01.06.2026
SUSP_JS_OBFUSC_Caesar_Cipher_Jun26
Detects obfuscated JavaScript that decodes a Caesar-ciphered, char-code-encoded payload at runtime and executes it
01.06.2026
SUSP_LNX_ETC_SHADOW_IO_URING_Jun26
Detects suspicious access to /etc/shadow using io_uring syscalls
01.06.2026
MAL_PY_Crypto_Market_Beaconing_May26
Detects a script written in Python that collects cryptocurrency prices from multiple exchanges while communicating with an external untrusted domain, potentially indicating a disguised data collection agent.
29.05.2026
MAL_MacOS_Stealer_May26
Detects stealer written in Rust that targets chromium browser data, Telegram sessions, cryptocurrency wallets, apple notes, and the macOS keychain, uses AppleScript for password prompting, stages stolen data into a ZIP archive, and exfiltrates it externally.
29.05.2026
MAL_Bash_Loader_May26
Detects a macOS Bash loader that downloads and launches decoy applications, removes macOS security attributes, and executes secondary payloads
28.05.2026
MAL_RANSOM_LQTOREQ_May26
Detects LQTOREQ ransomware
28.05.2026
MAL_AMSI_Bypass_May26
Detects .NET binaries attempting AMSI evasion via hardware breakpoints (DRx registers)
28.05.2026
MAL_GO_DNS_Backdoor_May26
Detects a backdoor in Golang code which executes arbitrary commands via DNS TXT lookups
27.05.2026
SUSP_KERNEL_MODULE_KEYLOGGER_May26
Detects a kernel module that captures keyboard input, likely for keylogging purposes.
26.05.2026
SUSP_PY_Import_May26
Detects a suspicious Python import statement
26.05.2026
MAL_PY_Download_Execute_May26
Detects an obfuscated Python download-and-execute one-liner
26.05.2026
MAL_NPM_TrapDoor_Crypto_Stealer_May26
Detects TrapDoor crypto stealer in NPM packages
26.05.2026
MAL_PY_TrapDoor_Crypto_Stealer_May26
Detects TrapDoor crypto stealer in Python packages
26.05.2026
MAL_RUST_TrapDoor_Crypto_Stealer_May26
Detects TrapDoor crypto stealer in Rust packages
26.05.2026
SUSP_Crypto_Stealer_May26
Detects crypto stealer targeting secrets such as AWS, GitHub and OpenAI. It may detect legitimate secret scanner tools.
26.05.2026
MAL_Worm_Hole_May26
Detects Worm Hole, a custom proxy tool used by Webworm APT group
25.05.2026
MAL_GraphWorm_Backdoor_May26
Detects GraphWorm, a custom backdoor used by Webworm APT group that uses Microsoft Graph API for C2 communication
25.05.2026
MAL_SmuxProxy_May26
Detects SmuxProxy, a custom proxy tool used by Webworm APT group
25.05.2026
MAL_APT_WebWorm_Implants_May26
Detects WebWorm APT implants, including custom proxy tools and backdoors used by the group.
25.05.2026
MAL_Custom_Uploader_May26
Detects a custom uploader used for data exfiltration
25.05.2026
HKTL_Python_Server_Exfiltration_May26
Detects a server-side Python script which serves as the receiver of exfiltrated data
25.05.2026

Successful YARA Rules in Set

This table lists the best-performing rules: those whose matches have the lowest average AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
7
d336d55d30c13f5d006253d40637cf69b45b04c46a7e63c033acb6936630f49d
SUSP_B64_Atob_Aug23
7
d336d55d30c13f5d006253d40637cf69b45b04c46a7e63c033acb6936630f49d
SUSP_Go_Binary_Function_Name_Oct24
8
0d0b93be250426cd52870b380cd3567307dc17dff8904535a4a42109c110f84a
SUSP_MSIL_NET_OBF_ConfuserEx_Constants_Jul23
3
cd3910e49eee68b66998d55dac4188fc374ebb1b6c7a4c1ae22c5b8f94830aea
SUSP_NET_Shellcode_Loader_Indicators_Jan24
4
fc19612792f8338a71f83aa4e5eef7496daa942744b254086c81e6f7483e1c0f
SUSP_WEvtUtil_ClearLogs_Sep22_1
1
eb6fd838bb7a3cd01c18d1c5033ee25596e718bb1560839cb7244360fe50d0e2
SUSP_NET_Shellcode_Loader_Indicators_Jan24
4
c2159bda5ab2d5902d31622ee6d2a223b566ca8b0a50b7719ec3692a8a6b9dba
SUSP_JS_OBFUSC_Feb23_2
1
5de0e18daad6e372eb16612c21a099793226029cdb70b0331af758371728ebb6
SUSP_Driver_Characteristics_Jun21_1
1
7e986f22d5360b22f68ecc7d39467a5a1d2049b40341fb9d8ec1246daa452c99
SUSP_Regsvr_Pattern_HTTP_IP_Jan22_1
3
be3b6305e7d9cf006a8a710364f7c908210567e6194e2c75b07e458c0c6e70e9
SUSP_Encoded_PS_DownloadFile
3
be3b6305e7d9cf006a8a710364f7c908210567e6194e2c75b07e458c0c6e70e9
SUSP_Encoded_PS_DownloadString
3
be3b6305e7d9cf006a8a710364f7c908210567e6194e2c75b07e458c0c6e70e9
SUSP_PS1_Command_Rare_CmdLine_Arguments_Jan20
3
be3b6305e7d9cf006a8a710364f7c908210567e6194e2c75b07e458c0c6e70e9
SUSP_PS1_JAB_Pattern_Jun22_1
3
be3b6305e7d9cf006a8a710364f7c908210567e6194e2c75b07e458c0c6e70e9
SUSP_Download_Cradles_Feb22_1
3
be3b6305e7d9cf006a8a710364f7c908210567e6194e2c75b07e458c0c6e70e9
SUSP_PS1_Base64_Encoded_SingleLiner_Jun22_1
3
be3b6305e7d9cf006a8a710364f7c908210567e6194e2c75b07e458c0c6e70e9
SUSP_PS1_IEX_From_Download_Dec22_1
3
be3b6305e7d9cf006a8a710364f7c908210567e6194e2c75b07e458c0c6e70e9
MAL_Encrypted_IDAT_Payload_Mar24
1
ed19191542b9ded2f7aa39324da646302f402bb9831243e1fa9e97fd4ae71b4b
SUSP_WEBSHELL_Eval_ChinaChopper_Oct20
6
e72eb7c9ddf61d87c49651e70171b40515c01361137d18209544a300267357f4
SUSP_Add_User_Local_Administrators
6
e72eb7c9ddf61d87c49651e70171b40515c01361137d18209544a300267357f4

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (a rule can belong to several categories, so the counts overlap)

Tag
Count
Malware
7682
Threat Hunting (not subscribable, only in THOR scanner)
5919
APT
5067
Hacktools
4870
Webshells
2402
Exploits
738

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On macOS
Detects a macOS shell process (e.g. zsh, bash, sh) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself.
26.05.2026
Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On Linux
Detects a Linux shell process (e.g. bash, sh, dash) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself.
21.05.2026
Bun Runtime Execution Via Node.js Spawned Shell On Windows
Detects a Windows shell process (e.g. cmd.exe, powershell.exe) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js child_process APIs to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself.
21.05.2026
Self-Referential Payload Extraction via PowerShell
Detects PowerShell scripts that read file content, extract an embedded payload via regex matching, and write the result to disk for further execution. This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely. The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location.
12.05.2026
Self-Referential Payload Extraction via PowerShell Command Line
Detects PowerShell one-liners that read a file content, extract an embedded payload via regex matching, and write the result to disk for further execution. This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely. The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location.
12.05.2026
PowerShell Dynamic Module Command Invocation via Index Access
Detects PowerShell scripts that dynamically invoke commands from the Microsoft.PowerShell.Utility module using index access on the ExportedCommands collection. Threat actors may use this technique to bypass detection mechanisms that look for specific command names, as the actual commands being invoked are determined at runtime and may not be explicitly mentioned in the script.
11.05.2026
PowerShell Dynamic Module Command Invocation via Index Access - PsScript
Detects PowerShell scripts that dynamically invoke commands from the Microsoft.PowerShell.Utility module using index access on the ExportedCommands collection. Threat actors may use this technique to bypass detection mechanisms that look for specific command names, as the actual commands being invoked are determined at runtime and may not be explicitly mentioned in the script.
11.05.2026
HH.EXE CHM File Decompilation
Detects execution of hh.exe with the -decompile (-d) flag to extract contents of a CHM file. Threat actors abuse this technique to drop and execute malicious payloads embedded in CHM files.
08.05.2026
HH.EXE CHM Decompilation With Non-CHM File Extension
Detects execution of hh.exe with the -decompile (-d) flag where no .chm extension is present in the command line. Threat actors disguise CHM files with alternative extensions (e.g. .doc, .pdf) to evade detection, then pass them to hh.exe for decompilation and payload extraction.
08.05.2026
Net User Logon Time Restriction and Account Lockout
Detects usage of net user command to set logon time restrictions and disable accounts, a technique used by wipers to prevent user logins and lock out accounts, hindering recovery efforts.
04.05.2026
Network Interface Disabled Via Netsh
Detects netsh being used to disable a network interface. Threat actors abuse this to cut off network connectivity and prevent remote recovery or intervention during destructive attacks.
04.05.2026
Winlogon CachedLogonsCount Registry Manipulation Via CLI
Detects command-line manipulation of the CachedLogonsCount registry value under the Winlogon key. This value controls how many domain credential sets Windows caches locally. Setting it to zero disables caching entirely, forcing direct domain controller authentication. Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise.
04.05.2026
Robocopy Mirror Directory Wipe
Detects robocopy invoked with /MIR and /B flags, a technique commonly abused by wipers to overwrite entire directory trees by mirroring an empty source folder in backup mode, permanently destroying all file contents.
04.05.2026
Diskpart Volume Clean All Execution
Detects the execution of diskpart's "clean all" command, which permanently destroys all data on a disk by overwriting every sector with zeros. Threat actors abuse this for data destruction and wiper attacks.
04.05.2026
Winlogon CachedLogonsCount Registry Value Set To Zero
Detects registry set events where the CachedLogonsCount value under the Winlogon key is set to zero. This disables Windows cached domain credentials, forcing direct domain controller authentication. Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise.
04.05.2026
Large File Creation Via Fsutil
Detects fsutil being used to create a new file with a suspiciously large size. Threat actors abuse this technique to fill all available disk space, exhausting the filesystem and preventing the OS from writing logs, recovery artifacts, or any new data.
04.05.2026
Free Disk Space Enumeration Via Fsutil
Detects the use of fsutil to enumerate free disk space on a volume. Threat actors may abuse this to determine available space before carrying out further actions such as data destruction or exfiltration.
04.05.2026
Kubernetes Potential Enumeration Activity
Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
28.04.2026
Google Workspace Out Of Domain Email Forwarding
Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
28.04.2026
Google Workspace Government Attack Warning
Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
28.04.2026
Suspicious Login Activity Classified By Google
Detects Google Workspace login activity that's classified as suspicious by Google.
28.04.2026
Cisco Dot1x Disabled
Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
28.04.2026
Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2. Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges. These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets. CVE-2025-5054: Information leak via core dumps from SUID binaries using apport. CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
28.04.2026
Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:). An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource. When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash. HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access. The URI can be delivered via a malicious hyperlink, phishing email, or web page.
28.04.2026
Sensitive File Dump Via Print.EXE
Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
28.04.2026
PUA - Memory Dump Mount Via MemProcFS
Detects execution of MemProcFS, a memory forensics tool, with the '-device' parameter. MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials. MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
27.04.2026
Service Startup Type Change Via Wmic.EXE
Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
27.04.2026
Suspicious Task Scheduler XML Pattern Related with AtExec
Detects creation of scheduled tasks with XML patterns commonly associated with Atexec, a component of the NetExec tool that allows execution of commands via scheduled tasks for persistence and privilege escalation.
27.04.2026
Suspicious Certificate Request Pattern via CertReq
Detects suspicious certificate request patterns that may indicate abuse of certreq.exe for privilege escalation or lateral movement.
27.04.2026
Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
27.04.2026

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
2822
21356
Sigma
3589
1018

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1350
windows / registry_set
219
windows / file_event
209
windows / ps_script
166
windows / security
160
linux / process_creation
139
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
69
aws / cloudtrail
55
proxy
54
windows / network_connection
53
linux / auditd
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
opencanary / application
24
okta / okta
22
windows / pipe_created
19
azure / riskdetection
19
rpc_firewall / application
17
windows / windefend
17
linux
16
gcp / gcp.audit
16
github / audit
15
linux / file_event
15
bitbucket / audit
14
m365 / threat_management
13
cisco / aaa
13
windows / file_delete
13
windows / create_remote_thread
12
windows / codeintegrity-operational
10
dns
10
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / ps_classic_start
9
windows / create_stream_hash
9
windows / appxdeployment-server
9
windows / firewall-as
8
windows / msexchange-management
8
antivirus
7
fortigate / event
7
windows / file_access
7
azure / pim
7
windows / bits-client
7
zeek / smb_files
7
gcp / google_workspace.admin
7
windows / dns-client
6
kubernetes / audit
6
zeek / dns
5
linux / network_connection
5
zeek / http
5
jvm / application
5
m365 / audit
4
windows / sysmon
4
macos / file_event
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
gcp / google_workspace.login
3
linux / sshd
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / registry_add
3
windows / security-mitigations
2
spring / application
2
windows / dns-server
2
apache
2
onelogin / onelogin.events
2
firewall
2
linux / syslog
2
windows / file_executable_detected
1
python / application
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_status
1
ruby_on_rails / application
1
m365 / exchange
1
zeek / rdp
1
windows / diagnosis-scripted
1
m365 / threat_detection
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
sql / application
1
windows / driver-framework
1
velocity / application
1
linux / sudo
1
cisco / duo
1
cisco / ldp
1
nginx
1
windows
1
windows / dns-server-analytic
1
cisco / bgp
1
windows / ldap
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
database
1
django / application
1
windows / printservice-operational
1
linux / clamav
1
windows / lsa-server
1
linux / auth
1
linux / guacamole
1
windows / applocker
1
fortios / sslvpnd
1
huawei / bgp
1
windows / appmodel-runtime
1
windows / openssh
1
windows / process_tampering
1
cisco / syslog
1
linux / cron
1
juniper / bgp
1
windows / appxpackaging-om
1
windows / smbclient-connectivity
1
windows / smbserver-connectivity
1
windows / file_change
1
nodejs / application
1
paloalto / file_event / globalprotect
1
linux / vsftpd
1
windows / capi2
1
windows / shell-core
1
windows / raw_access_thread
1
paloalto / appliance / globalprotect
1
zeek / x509
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
503
windows / registry_set
90
windows / ps_script
87
linux / process_creation
53
windows / file_event
47
windows / image_load
46
windows / wmi
29
windows / security
29
proxy
13
windows / system
13
windows / network_connection
9
windows / registry_event
8
windows / kernel-event-tracing
6
windows / dns_query
5
windows / ntfs
5
windows / ps_module
5
windows / registry_delete
4
windows / create_remote_thread
4
windows / sense
4
windows / pipe_created
4
webserver
4
windows / taskscheduler
4
windows / application-experience
3
windows / driver_load
3
windows / hyper-v-worker
3
macos / process_creation
3
windows / ps_classic_script
3
dns
3
windows / vhd
3
windows / windefend
2
windows / bits-client
2
windows / file_access
2
windows / file_delete
2
windows / codeintegrity-operational
2
windows / kernel-shimengine
2
linux / file_event
2
windows / smbclient-security
2
windows / process_access
2
windows / amsi
1
windows / audit-cve
1
windows / firewall-as
1
windows / registry-setinformation
1
linux / file_delete
1
windows / file_rename
1
windows / application
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
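Because the Nessus YARA plugin accepts exactly one .yar upload, a ruleset kept in several files has to be merged before it can be used. The following is an added example (not Tenable's or Nextron's code) of doing that safely: it hoists and de-duplicates module imports and refuses duplicate rule names and `include` directives, since either would make the uploaded file fail to compile. It relies on regex heuristics rather than a YARA parser (the assumption being that rule files use the standard `import "mod"` and `rule Name` syntax at line start), and the two sample rule files are constructed for the example.

```python
"""Merge several YARA rule files into the single .yar Nessus accepts.

Added example, not Tenable's or Nextron's code.  Regex heuristics only
(assumes standard 'import "mod"' / 'rule Name' syntax at line start), not a
YARA parser.  Module imports are hoisted and de-duplicated; duplicate rule
names and 'include' directives are rejected, because YARA refuses duplicated
identifiers and an include is resolved relative to the including file, which
will not exist alongside the uploaded copy.
"""
import re

IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.M)
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.M)
INCLUDE_RE = re.compile(r'^\s*include\s+"', re.M)


def merge_yara_sources(sources):
    """sources: iterable of (filename, rule_text). Returns (merged_text, rule_names)."""
    modules, names, bodies = [], {}, []
    for fname, text in sources:
        if INCLUDE_RE.search(text):
            raise ValueError(f"{fname}: 'include' cannot be resolved in a single uploaded file")
        for mod in IMPORT_RE.findall(text):
            if mod not in modules:
                modules.append(mod)
        for name in RULE_RE.findall(text):
            if name in names:
                raise ValueError(f"duplicate rule name {name!r} in {fname} (already in {names[name]})")
            names[name] = fname
        # strip per-file imports; they are re-emitted once in the header
        bodies.append(f"// ---- from {fname} ----\n{IMPORT_RE.sub('', text).strip()}")
    header = "\n".join(f'import "{m}"' for m in modules)
    merged = (header + "\n\n" if header else "") + "\n\n".join(bodies) + "\n"
    return merged, list(names)


# Constructed sample rule files (illustrative only, not Valhalla rules).
SAMPLE_A = '''import "pe"

rule Example_Suspicious_Section_Name
{
    meta:
        description = "constructed sample: PE whose first section is named .evil"
    condition:
        pe.is_pe and pe.number_of_sections > 0 and pe.sections[0].name == ".evil"
}
'''

SAMPLE_B = '''import "pe"
import "math"

rule Example_High_Entropy_Overlay
{
    meta:
        description = "constructed sample: PE overlay that looks encrypted"
    condition:
        pe.is_pe and pe.overlay.size > 0 and
        math.entropy(pe.overlay.offset, pe.overlay.size) > 7.5
}
'''


def demo():
    """Merge the two constructed files; returns (merged_text, rule_names)."""
    return merge_yara_sources([("a.yar", SAMPLE_A), ("b.yar", SAMPLE_B)])


if __name__ == "__main__":
    merged, names = demo()
    print(merged)
    print("rules:", names)
```

Run the merged output through `yarac` locally before uploading; the name check here catches the most common failure, but only the compiler validates the rule bodies themselves.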

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html