currently serving 23565 YARA rules and 4387 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
MAL_DKnife_Gateway_Monitoring_Framework_Feb26
Detects the DKnife gateway monitoring framework.
05.02.2026
MAL_Dknife_VPN_Client_HA_PROXY_Feb26
Detects customized N2N (a P2P) VPN client component used by DKnife to contact to C2 (remote.bin), reverse proxy server module modified from HAProxy (sslmm.bin), labelling and relay component (postapi.bin), bridged TAP interface (yitiji.bin) and dkupdate (dkupdate)
05.02.2026
MAL_POC_Microsoft_Warbird_Loader_Feb26
Detects a POC to turn Microsoft Warbird into a shellcode loader
03.02.2026
MAL_Chrysalis_DllLoader_Feb26
Detects DLL used to load Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom
02.02.2026
MAL_Chrysalis_Shellcode_Loader_Feb26
Detects shellcode used to load Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom
02.02.2026
MAL_Chrysalis_Backdoor_Feb26
Detects Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom
02.02.2026
SUSP_Claude_Refusal_Magic_String_Jan26
Detects refusal magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents.
29.01.2026
MAL_Claude_Refusal_Magic_String_Jan26
Detects Base64 variations of refusal magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents.
29.01.2026
SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_1
Detects redacted thinking magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents.
29.01.2026
SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_2
Detects Base64 variations of redacted thinking magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents.
29.01.2026
HKTL_SAMDump_Jan26
Detects SAMDump tool that extracts Windows SAM/SYSTEM files via Volume Shadow Copy Service (VSS) using NT API calls with XOR obfuscation and local/network exfiltration capabilities
28.01.2026
MAL_KazakRAT_Jan26
Detects KazakRAT that used to execute as a DLL via rundll32, maintain persistence through Run keys, and poll an HTTP C2 for commands
26.01.2026
MAL_Loader_Jan26_3
Detects a loader that establishes persistence and executes a hidden DLL
26.01.2026
MAL_JS_DPRK_Backdoor_Jan26
Detects JavaScript backdoor functionality used by threat actor group DPRK
23.01.2026
MAL_JS_DPRK_Second_Stage_Jan26
Detects second-stage JavaScript payload used by threat actor group DPRK
23.01.2026
MAL_Loader_Jan26_1
Detects a loader seen being use to load Winos4.0 (WinosStager) which is a sophisticated remote access framework
22.01.2026
PUA_VULN_Driver_Tobaz_Jan26
Detects vulnerable Tobaz driver abused by malwares to terminate security products and evade detection
21.01.2026
SUSP_Kernel_Module_Jan26
Detects suspicious Linux kernel modules that may exhibit rootkit-like behavior.
21.01.2026
MAL_Covert_RAT_Jan26
Detects Covert RAT that enables unauthorized remote control of infected systems. Operates covertly to evade detection while providing attackers with capabilities for surveillance, data exfiltration, command execution, and persistent backdoor access.
21.01.2026
SUSP_BATCH_Downloader_Jan26
Detects suspicious batch files with PowerShell download capabilities
21.01.2026
MAL_FALSECUB_Implant_Jan26
Detects FALSECUB backdoor implant used in Operation Nomad Leopard via unique HTTP header and socket-related code patterns
21.01.2026
MAL_Clr_Loader_Jan26
Detects generic loader stub observed to drop various malware like Pulsar, Vidar etc.
20.01.2026
MAL_PYC_Moneta_Stealer_Jan26
Detects Moneta stealer written in Python that targets browser credentials, cryptocurrency wallets, SSH keys, and financial documents
20.01.2026
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23
1
587e0f95810934d92dc24394b78e8077332400e23ecd81394b1333eb1e9cf6ac
Suspicious_Javascript_Running_Interpreter
3
5a3bfe33a13a2f3d54fda3aaae5f18f7898ca7f332fb8ecd158d156583c0fa91
SUSP_OBFUSC_HTML_VBS_Dropper_Indicator_Dec22
3
5a3bfe33a13a2f3d54fda3aaae5f18f7898ca7f332fb8ecd158d156583c0fa91
SUSP_VBA_Kernel32_Imports_Jun22_1
2
df3aa5258975bf53e36ecbb15b67d6220a1a0ed6fd9420991da04027bfa3005c
SUSP_PS1_PowerShell_Loader_May21_1
8
594633976ceb25febe3fa417e3b9210a20c115fcbc774f1aac8cc2dc2d26d739
SUSP_Wide_Base64_Convert_FromBase64String
8
594633976ceb25febe3fa417e3b9210a20c115fcbc774f1aac8cc2dc2d26d739
SUSP_B64encoded_Bxor_Base64_Sep23
8
594633976ceb25febe3fa417e3b9210a20c115fcbc774f1aac8cc2dc2d26d739
SUSP_PS1_Command_Rare_CmdLine_Arguments_Jan20
6
244ce94ff6fad51afb552e56655ecbdfe50db7dc0d4baf33f3b017e82f8edb12
Suspicious_Javascript_Running_Interpreter
6
244ce94ff6fad51afb552e56655ecbdfe50db7dc0d4baf33f3b017e82f8edb12
SUSP_Wide_Base64_Convert_FromBase64String
6
244ce94ff6fad51afb552e56655ecbdfe50db7dc0d4baf33f3b017e82f8edb12
SUSP_PS1_Base64_CommandLine_Indicator_Jan20
6
244ce94ff6fad51afb552e56655ecbdfe50db7dc0d4baf33f3b017e82f8edb12
SUSP_OBFUSC_HTML_VBS_Dropper_Indicator_Dec22
6
244ce94ff6fad51afb552e56655ecbdfe50db7dc0d4baf33f3b017e82f8edb12
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
7418
Threat Hunting (not subscribable, only in THOR scanner)
5761
APT
5042
Hacktools
4803
Webshells
2397
Exploits
713
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Renamed TinyCC (TCC) Compiler Execution
Detects the execution of a renamed TinyCC (TCC) Compiler (tcc.exe)
Attackers have been observed renaming tcc.exe to masquerade as legitimate Windows binaries (e.g., svchost.exe) to compile and execute malicious C code in memory, such as shellcode loaders.
This technique was observed in Chrysalis backdoor attacks.
03.02.2026
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
03.02.2026
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
03.02.2026
Tiny C Compiler Runtime Execution
Detects execution of Tiny C Compiler (TCC) which compiles and executes C code directly in memory.
This technique was observed in Chrysalis backdoor campaigns where attackers renamed tcc.exe to svchost.exe and used it
to load shellcode from .c files directly into memory, bypassing traditional detection methods.
03.02.2026
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
02.02.2026
Suspicious Modification of Service ImagePath for ClipUp Defender Evasion
Detects registry modifications that set the ImagePath of a service to execute ClipUp.exe with Protected Process Light (PPL) parameters targeting Windows Defender locations.
This technique is used by attackers to replace the Windows Defender service executable before it initializes, effectively bypassing security protections.
The approach leverages CreateProcessAsPPL.exe to obtain PPL privileges, which normally protect security software from tampering.
29.01.2026
Suspicious File Creation by Clipup in Windows Defender Directory
Detects file creation by Clipup.exe in the Windows Defender program files directory.
ClipUp.exe may be used to overwrite the service executable of Windows Defender, potentially allowing an attacker to disable or manipulate Windows Defender.
29.01.2026
Windows Defender Critical Binary Deletion
Detects the deletion of critical Windows Defender binaries which could indicate an attempt to disable or manipulate Windows Defender.
29.01.2026
Suspicious ClipUp Execution with Windows Defender Path
Detects suspicious execution of ClipUp.exe with parameters that may indicate an attempt to write to Windows Defender protected locations.
ClipUp.exe may be used to overwrite the service executable of Windows Defender, potentially allowing an attacker to disable or manipulate Windows Defender.
29.01.2026
Windows Defender Folder Invocation Through Short Name
Detects suspicious command line patterns where a process is invoking a path within the Windows Defender folder using its short name (8.3 notation).
This technique may be used to execute or manipulate Windows Defender binaries while evading detection mechanisms that do not account for short path names.
29.01.2026
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
26.01.2026
Vulnerable Driver Blocklist Registry Tampering Via CommandLine
Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE.
The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.
Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors
to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
26.01.2026
Windows Vulnerable Driver Blocklist Disabled
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
26.01.2026
Linux Setgid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
24.01.2026
Linux Setuid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
24.01.2026
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
24.01.2026
Cmd Launched with Hidden Start Flags to Suspicious Targets
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
24.01.2026
Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
24.01.2026
AD User ProfilePath Attribute Modification
Detects changes to the 'ProfilePath' attribute of an Active Directory user account.
Attackers can modify this attribute to point to a roaming profile to establish persistence or lateral movement within a network.
One of the example includes updating the profilepath to network share to sync malicious NTUSER.MAN files for registry persistence.
Since, this event can be generated during legitimate administrative activities, it is recommended to validate the legitimacy of such changes by cross-referencing with change management logs or known administrative actions.
21.01.2026
File Sync to NTUSER.MAN on Roaming Profile Shares
Detects file synchronization events involving 'NTUSER.MAN' files on roaming profile shares.
NTUSER.MAN is a mandatory user profile file that takes priority over NTUSER.DAT when present in a user's profile directory.
Adversaries may abuse this feature for registry persistence by placing a crafted NTUSER.MAN file containing malicious registry keys.
This technique also don't produce registry telemetry as the hive is loaded directly from disk without invoking registry APIs or triggering CmRegisterCallbackEx callbacks.
Mandatory profiles are rare in modern environments outside of kiosk or shared workstation configurations, making their presence suspicious.
Consider excluding specific admin tools or scripts if this is common in your environment.
21.01.2026
Creation of NTUSER.MAN File in User Profile
Detects the creation of an NTUSER.MAN file in a user's profile directory.
NTUSER.MAN is a mandatory user profile file that takes priority over NTUSER.DAT when present in a user's profile directory.
Adversaries may abuse this feature for registry persistence by placing a crafted NTUSER.MAN file containing malicious registry keys.
This technique also don't produce registry telemetry as the hive is loaded directly from disk without invoking registry APIs or triggering CmRegisterCallbackEx callbacks.
Mandatory profiles are rare in modern environments outside of kiosk or shared workstation configurations, making their presence suspicious.
21.01.2026
Usage of NTUSER.MAN in Command Line
Detects the string 'NTUSER.MAN' in a command line, which may indicate attempts to manipulate or utilize mandatory user profile files.
NTUSER.MAN is a mandatory user profile file that takes priority over NTUSER.DAT when present in a user's profile directory.
Adversaries may abuse this feature for registry persistence by placing a crafted NTUSER.MAN file containing malicious registry keys.
This technique also don't produce registry telemetry as the hive is loaded directly from disk without invoking registry APIs or triggering CmRegisterCallbackEx callbacks.
Mandatory profiles are rare in modern environments outside of kiosk or shared workstation configurations, making their presence suspicious.
21.01.2026
NTUSER.MAN Creation From Process In Suspicious Location
Detects the creation of an NTUSER.MAN file from process in suspicious location
20.01.2026
NTUSER.MAN Creation By Uncommon Processes
Detects the creation of an NTUSER.MAN file by Uncommon processes
20.01.2026
Suspicious NTUSER.MAN Creation by Uncommon Process
Detects creation of NTUSER.MAN (mandatory profile hive) by uncommon processes.
20.01.2026
Hacktool - Kernel Driver Utility Execution
Detects execution of the Kernel Driver Utility (KDU) tool.
KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
12.01.2026
Windows Firewall Global Outbound Block Via Netsh.EXE
Detects use of netsh advfirewall to add firewall rules that block all remote IP addresses (0.0.0.0-255.255.255.255), a technique commonly used for defense evasion to isolate a system or suppress network-based security controls.
12.01.2026
User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
05.01.2026
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool.
KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
Potentially allowing for privilege escalation, persistence, or evasion of security controls.
02.01.2026
Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
02.01.2026
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
2722
20843
Sigma
3540
847
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1331
windows / registry_set
219
windows / file_event
206
windows / ps_script
165
windows / security
160
linux / process_creation
131
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
68
aws / cloudtrail
55
proxy
54
linux / auditd
53
windows / network_connection
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
rpc_firewall / application
17
windows / windefend
16
github / audit
16
linux
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
windows / file_delete
13
linux / file_event
13
cisco / aaa
12
windows / create_remote_thread
12
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
dns
9
windows / create_stream_hash
9
windows / appxdeployment-server
9
windows / firewall-as
8
windows / msexchange-management
8
antivirus
7
fortigate / event
7
windows / file_access
7
azure / pim
7
windows / bits-client
7
zeek / smb_files
7
gcp / google_workspace.admin
7
windows / dns-client
6
jvm / application
5
kubernetes / audit
5
zeek / dns
5
linux / network_connection
5
zeek / http
5
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / registry_add
3
linux / sshd
3
m365 / audit
3
macos / file_event
3
spring / application
2
apache
2
onelogin / onelogin.events
2
firewall
2
windows / security-mitigations
2
linux / syslog
2
windows / dns-server
2
windows
1
windows / driver-framework
1
sql / application
1
cisco / duo
1
linux / sudo
1
velocity / application
1
cisco / bgp
1
nginx
1
windows / wmi
1
windows / dns-server-analytic
1
cisco / ldp
1
windows / ldap
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
windows / lsa-server
1
windows / printservice-operational
1
database
1
linux / clamav
1
django / application
1
linux / auth
1
linux / guacamole
1
windows / applocker
1
fortios / sslvpnd
1
juniper / bgp
1
windows / appmodel-runtime
1
windows / openssh
1
cisco / syslog
1
linux / cron
1
huawei / bgp
1
windows / appxpackaging-om
1
windows / process_tampering
1
windows / smbclient-connectivity
1
windows / smbserver-connectivity
1
windows / file_change
1
windows / raw_access_thread
1
paloalto / file_event / globalprotect
1
linux / vsftpd
1
zeek / x509
1
windows / capi2
1
nodejs / application
1
paloalto / appliance / globalprotect
1
windows / certificateservicesclient-lifecycle-system
1
windows / shell-core
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
python / application
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_status
1
m365 / exchange
1
zeek / rdp
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
ruby_on_rails / application
1
m365 / threat_detection
1
zeek / kerberos
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
399
windows / registry_set
78
windows / ps_script
77
windows / image_load
44
windows / file_event
43
linux / process_creation
37
windows / wmi
29
windows / security
24
proxy
12
windows / system
9
windows / network_connection
8
windows / registry_event
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / sense
4
windows / pipe_created
4
windows / taskscheduler
4
windows / create_remote_thread
4
windows / registry_delete
4
windows / hyper-v-worker
3
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / application-experience
3
windows / driver_load
3
macos / process_creation
2
windows / codeintegrity-operational
2
windows / process_access
2
windows / windefend
2
windows / process-creation
2
windows / bits-client
2
windows / kernel-shimengine
2
windows / file_delete
2
windows / file_rename
1
windows / dns_query
1
windows / firewall-as
1
windows / amsi
1
windows / audit-cve
1
windows / application
1
windows / file_access
1
windows / registry-setinformation
1
linux / file_event
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR