currently serving 23223 YARA rules and 4312 Sigma rules
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set

Rule | Description | Date
SUSP_NPM_IndonesianFoods_Nov25 | Detects the IndonesianFoods worm, which publishes packages to NPM | 11.11.2025
SUSP_Bash_Downloader_Nov25 | Detects bash downloader scripts distributing the RPX client malware, seen being used by PolarEdge to fetch and execute the ORB proxy component via wget/curl after exploiting CVE-2023-20118 and other IoT device vulnerabilities | 10.11.2025
MAL_Leaky_Injector_Nov25 | Detects the Leaky injector, which is used to inject the Leaky stealer into legitimate processes | 10.11.2025
MAL_APT_MysticElephant_C2_Encryption_Nov25 | Detects .NET-based binaries using a specific C2 encryption function found in the StormExfiltrator malware of APT MysteriousElephant (APT-K-47) | 07.11.2025
MAL_APT_MysticElephant_WhatsApp_Exfiltrator_Nov25 | Detects the WhatsApp exfiltration tool used by MysticElephant (APT-K-47) | 07.11.2025
SUSP_LNK_PowerShell_Indicators_Nov25 | Detects an LNK file that runs suspicious PowerShell code | 06.11.2025
SUSP_OBFUSC_LNK_PS1_Indicators_Nov25 | Detects an LNK file that runs suspicious PowerShell code with obfuscated code patterns | 06.11.2025
MAL_CommuSpy_Nov25 | Detects the CommuSpy backdoor used by the North Korean APT group APT37 (Reaper) | 05.11.2025
MAL_PYC_CosmicDoor_Backdoor_Nov25 | Detects CosmicDoor Python bytecode related to the Bluenoroff APT | 04.11.2025
MAL_RPX_Backdoor_Client_Nov25 | Detects the RPX backdoor client component, which registers compromised IoT and edge devices to the Operational Relay Box network, enabling proxy services and remote command execution | 04.11.2025
MAL_RPX_Backdoor_Server_Nov25 | Detects the RPX backdoor relay/management component hosted on VPS nodes, which acts as a reverse-proxy gateway, schedules compromised devices to establish reverse connections for traffic bridging, and uses Mbed TLS test certificates for C2 communication and proxy service provisioning | 04.11.2025
SUSP_LNX_Bash_DNS_Server_Update_Nov25 | Detects a bash script that updates the DNS server configuration on Linux systems | 04.11.2025
SUSP_LNX_Indicators_Nov25 | Detects a bash script that contains suspicious indicators often used in Linux malware | 04.11.2025
SUSP_LNX_OBFUSC_Loader_Indicators_Nov25 | Detects a bash script that contains suspicious indicators often used in Linux malware | 04.11.2025
SUSP_JSP_WebShell_Nov25 | Detects a JSP bash webshell | 04.11.2025
SUSP_PS1_Indicators_Nov25 | Detects characteristics found in PowerShell hack tools | 03.11.2025
MAL_MacOS_DownTroy_Infection_Chain_Nov25 | Detects the loader part of the DownTroy infection chain. DownTroy was observed to drop a credential stealer, with additional payload downloading and persistence features. | 03.11.2025
MAL_GillyInjector_Nov25 | Detects GillyInjector, which is designed to run a benign Mach-O app and inject a malicious payload into it at runtime | 03.11.2025
MAL_SneakMain_Nov25 | Detects SneakMain, written in Rust. SneakMain is part of an infection chain attributed to the APT Bluenoroff. | 03.11.2025
MAL_SysPhon_Infection_Chain_Nov25 | Detects a launcher that tries to run a payload from the SysPhon infection chain | 03.11.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count | Info | VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash
SUSP_PyInstaller_Gen_Pattern_Feb25 | 5 | e8803e595cef9c08f28d5c264662efc8e5d8a2280aa4d302b24f4fccb2b92e3c
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 3 | 824ebd2b03d7a56e090aba764b9b8802742426c8a592ae6b9bb2ec504d95f44c
SUSP_PS1_Loader_Indicators_Nov21_1 | 3 | 021cd6058482f883ab0b5ec5e6086df60e823d0ab2f4bab6bf46dcec6a098003
SUSP_HKTL_Hacktool_Strings_Oct21_1 | 10 | dbee69eb4a3ddc985b07b52311ebb23d52c1bb35b32fdbbe7a75513c2dbdcc50
HKTL_DarkLoadLibrary_Indicators_Nov22_1 | 10 | dbee69eb4a3ddc985b07b52311ebb23d52c1bb35b32fdbbe7a75513c2dbdcc50
SUSP_Process_Soft_Injection_Indicator_Sep22_1 | 10 | dbee69eb4a3ddc985b07b52311ebb23d52c1bb35b32fdbbe7a75513c2dbdcc50
SUSP_PS1_Small_Base64Decode_Jun22_1 | 1 | d5a9b117dce574515bbdb663789603ae8ea51ea8d5cbb4b6828e134dafa49daa
SUSP_Script_PS1_PE_Injection_Indicators_Jun20_1 | 1 | d5a9b117dce574515bbdb663789603ae8ea51ea8d5cbb4b6828e134dafa49daa
SUSP_PS1_Loader_Indicator_Nov21_1 | 1 | d5a9b117dce574515bbdb663789603ae8ea51ea8d5cbb4b6828e134dafa49daa
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 2 | eb36a688ca75827ecf33b2179b0a1baa7d437eaa0a55181221ed1b9f803090fe
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in 'n' categories)

Tag | Count
Malware | 7225
Threat Hunting (not subscribable, only in THOR scanner) | 5659
APT | 5034
Hacktools | 4759
Webshells | 2395
Exploits | 700
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Suspicious Space Characters in RunMRU Registry Path - ClickFix | Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using ClickFix techniques to hide malicious commands in the Windows Run dialog box from the naked eye. | 04.11.2025
Suspicious Space Characters in TypedPaths Registry Path - FileFix | Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using FileFix techniques to hide malicious commands. | 04.11.2025
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix | Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or the File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view. | 04.11.2025
FortiGate - New Local User Created | Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections. | 01.11.2025
FortiGate - New Administrator Account Created | Detects the creation of an administrator account on a Fortinet FortiGate Firewall. | 01.11.2025
FortiGate - New VPN SSL Web Portal Added | Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed together with the modification of VPN SSL settings. | 01.11.2025
FortiGate - New Firewall Policy Added | Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall. | 01.11.2025
FortiGate - Firewall Address Object Added | Detects the addition of firewall address objects on a Fortinet FortiGate Firewall. | 01.11.2025
FortiGate - User Group Modified | Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network. | 01.11.2025
FortiGate - VPN SSL Settings Modified | Detects the modification of VPN SSL settings (for example, the modification of authentication rules). This behavior was observed together with the addition of a VPN SSL Web Portal. | 01.11.2025
Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process | Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of the Windows Server Update Services (WSUS) related process wsusservice.exe. This behavior is a key indicator of exploitation of critical remote code execution vulnerabilities such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities. | 31.10.2025
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization | Detects cast exceptions in Windows Server Update Services (WSUS) application logs that strongly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS. | 31.10.2025
WFP Filter Added via Registry | Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events. | 23.10.2025
Suspicious Speech Runtime Binary Child Process | Detects suspicious Speech Runtime binary execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt at lateral movement via COM & DCOM hijacking. | 23.10.2025
Winrs Local Command Execution | Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement. | 22.10.2025
Potential Lateral Movement via Windows Remote Shell | Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity. | 22.10.2025
Scheduled Task Creation via PowerShell Schedule.Service COM Object | Detects PowerShell execution using the Schedule.Service COM object to create scheduled tasks. There are straightforward methods to create scheduled tasks using built-in Windows tools such as schtasks.exe or PowerShell cmdlets like New-ScheduledTask. However, threat actors may leverage alternative methods such as the Schedule.Service COM object to create scheduled tasks and bypass detection. | 21.10.2025
PUA - AWS TruffleHog Execution | Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment. It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine whether the usage is authorized by security teams or potentially malicious. | 21.10.2025
Suspicious File Write to Webapps Root Directory | Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts. | 20.10.2025
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) | Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. This is a post-authentication step corresponding to CVE-2025-57790. | 20.10.2025
Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) | Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials. | 20.10.2025
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791) | Detects the use of argument injection in the Commvault qlogin command - potential exploitation of CVE-2025-57791. An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token. | 20.10.2025
ISATAP Router Address Was Set | Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment. | 19.10.2025
AWS Bucket Deleted | Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts. | 19.10.2025
AWS ConsoleLogin Failed Authentication | Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts. | 19.10.2025
AWS EnableRegion Command Monitoring | Detects the use of the EnableRegion command in AWS CloudTrail logs. AWS has 30+ regions; some are enabled by default, while others must be explicitly enabled in each account separately. There may be situations where security monitoring does not cover some new AWS regions. Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment. | 19.10.2025
AWS VPC Flow Logs Deleted | Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call. Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations. | 19.10.2025
File Access Of Signal Desktop Sensitive Data | Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed. | 19.10.2025
Unsigned or Unencrypted SMB Connection to Share Established | Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares. | 19.10.2025
YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
YARA | 2705 | 20518
Sigma | 3491 | 821
Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1309
windows / registry_set | 208
windows / file_event | 203
windows / ps_script | 164
windows / security | 159
linux / process_creation | 128
windows / image_load | 111
webserver | 82
windows / system | 74
macos / process_creation | 68
aws / cloudtrail | 54
proxy | 53
linux / auditd | 53
windows / network_connection | 52
azure / activitylogs | 42
windows / registry_event | 39
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 31
windows / dns_query | 25
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
azure / riskdetection | 19
opencanary / application | 18
windows / pipe_created | 18
rpc_firewall / application | 17
linux | 17
gcp / gcp.audit | 16
windows / windefend | 16
github / audit | 16
bitbucket / audit | 14
windows / file_delete | 13
m365 / threat_management | 13
linux / file_event | 12
cisco / aaa | 12
windows / create_remote_thread | 12
kubernetes / application / audit | 10
windows / codeintegrity-operational | 10
windows / driver_load | 10
windows / registry_add | 9
windows / registry_delete | 9
windows / ps_classic_start | 9
dns | 9
windows / create_stream_hash | 9
windows / firewall-as | 8
windows / msexchange-management | 8
windows / file_access | 7
azure / pim | 7
windows / bits-client | 7
zeek / smb_files | 7
gcp / google_workspace.admin | 7
antivirus | 7
fortigate / event | 7
windows / appxdeployment-server | 7
windows / dns-client | 6
jvm / application | 5
kubernetes / audit | 5
zeek / http | 5
linux / network_connection | 5
zeek / dns | 5
zeek / dce_rpc | 4
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
linux / sshd | 3
m365 / audit | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / syslog | 2
windows / file_change | 2
windows / security-mitigations | 2
macos / file_event | 2
windows / dns-server | 2
spring / application | 2
apache | 2
onelogin / onelogin.events | 2
firewall | 2
cisco / syslog | 1
linux / cron | 1
huawei / bgp | 1
windows / appxpackaging-om | 1
windows / process_tampering | 1
windows / smbclient-connectivity | 1
juniper / bgp | 1
windows / smbserver-connectivity | 1
paloalto / file_event / globalprotect | 1
zeek / x509 | 1
windows / capi2 | 1
windows / shell-core | 1
windows / raw_access_thread | 1
nodejs / application | 1
paloalto / appliance / globalprotect | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1
linux / vsftpd | 1
windows / file_executable_detected | 1
python / application | 1
windows / diagnosis-scripted | 1
m365 / exchange | 1
zeek / rdp | 1
windows / smbclient-security | 1
windows / file_rename | 1
windows / sysmon_status | 1
velocity / application | 1
m365 / threat_detection | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_error | 1
ruby_on_rails / application | 1
cisco / duo | 1
windows / driver-framework | 1
linux / sudo | 1
sql / application | 1
cisco / bgp | 1
nginx | 1
windows | 1
windows / dns-server-analytic | 1
windows / lsa-server | 1
windows / printservice-admin | 1
cisco / ldp | 1
windows / ldap | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
database | 1
linux / clamav | 1
linux / auth | 1
windows / appmodel-runtime | 1
django / application | 1
fortios / sslvpnd | 1
linux / guacamole | 1
windows / applocker | 1
windows / openssh | 1
Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 389
windows / registry_set | 78
windows / ps_script | 75
windows / image_load | 43
windows / file_event | 38
linux / process_creation | 34
windows / wmi | 29
windows / security | 22
proxy | 12
windows / system | 9
windows / registry_event | 8
windows / network_connection | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / create_remote_thread | 4
windows / registry_delete | 4
windows / pipe_created | 4
windows / sense | 4
windows / taskscheduler | 4
windows / vhd | 3
webserver | 3
windows / application-experience | 3
windows / driver_load | 3
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / process_access | 2
windows / windefend | 2
windows / bits-client | 2
windows / codeintegrity-operational | 2
windows / kernel-shimengine | 2
windows / amsi | 1
windows / process-creation | 1
windows / audit-cve | 1
windows / firewall-as | 1
windows / file_access | 1
windows / registry-setinformation | 1
windows / file_delete | 1
linux / file_event | 1
windows / application | 1
windows / file_rename | 1
windows / dns_query | 1
macos / process_creation | 1
Tenable Nessus

Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)

YARA Scanning with Nessus
- You can only upload a single .yar file
- The filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
