currently serving 20623 YARA rules and 3650 Sigma rules

New Rules per Day (chart)

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
HKTL_Go_ReverseSSH_Apr24 | Detects Golang based SSH server reverse shell | 15.04.2024
APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1 | Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability | 15.04.2024
SUSP_PY_Import_Statement_Apr24_1 | Detects suspicious Python import statement and socket usage often found in Python reverse shells | 15.04.2024
SUSP_LNX_Shell_Indicators_Apr24_1 | Detects suspicious shell commands often found in malicious downloader / persistence scripts for Linux | 15.04.2024
SUSP_LNX_Shell_Indicators_Apr24_2 | Detects suspicious shell commands often found in malicious downloader / persistence scripts for Linux | 15.04.2024
SUSP_LNX_NCat_Indicators_Apr24_2 | Detects suspicious Netcat command flag combinations often found in malicious reverse shell / persistence scripts for Linux | 15.04.2024
APT_SUSP_MacOS_APT28_XAgent_Apr24_1 | Detects similarities with XAgent samples for macOS as used by APT28 | 15.04.2024
EXPL_PaloAlto_CVE_2024_3400_Apr24_1 | Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400 | 15.04.2024
HKTL_NativeDump_Apr24_1 | Detects NativeDump - a tool that dumps LSASS using only native APIs by hand-crafting Minidump files (without MinidumpWriteDump) | 08.04.2024
SUSP_OBFUSC_SH_Indicators_Mar24_1 | Detects characteristics found in obfuscated scripts (used in the backdoored XZ package, but could match on others, too) | 06.04.2024
MAL_Latrodectus_Apr24 | Detects Latrodectus - a new variant of the IcedID loader | 05.04.2024
MAL_JS_Downloading_Executing_Payload_Apr24 | Detects JavaScript code that downloads and executes the next stage payload | 05.04.2024
MAL_XClient_Stealer_Apr24 | Detects XClient stealer that targets social media accounts | 05.04.2024
MAL_ChaiLdr_Apr24 | Detects ChaiLdr - a payload loader that evades AV | 04.04.2024
MAL_RANSOM_Babuk_Apr24 | Detects Babuk ransomware | 04.04.2024
MAL_LeprechaunHvnc_Apr24 | Detects LeprechaunHvnc loader | 03.04.2024
MAL_MacOS_Atomic_Stealer_Apr24_1 | Detects Atomic stealer | 03.04.2024
MAL_MacOS_Atomic_Stealer_Apr24_2 | Detects Atomic stealer | 03.04.2024
HKTL_GO_GoClr_Apr24 | Detects potential usage of go-clr - a PoC package for hosting the CLR and executing .NET from Go | 03.04.2024
HKTL_GO_GoDonut_Apr24 | Detects potential usage of go-donut - Donut injector ported to pure Go | 03.04.2024
MAL_GO_XiebroC2_Apr24 | Detects Golang based XiebroC2 - RAT/backdoor | 03.04.2024
MAL_Stealer_Apr24 | Detects a dedicated document stealer that targets Word documents, Excel spreadsheets, PowerPoint presentations, PDFs and ZIP archives | 01.04.2024
MAL_Sidewinder_Mar24 | Detects a DLL related to Sidewinder APT | 31.03.2024
HKTL_HookChain_Loader_Apr24_1 | Detects HookChain shellcode injector | 30.03.2024
SUSP_ELF_PY_Compiled_ReverseShell_Mar24_1 | Detects suspicious indicator found in compiled Python code for the Linux platform | 30.03.2024
BCKDR_XZUtil_Script_CVE_2024_3094_Mar24_1 | Detects make file and script contents used by the backdoored XZ library (xzutil) CVE-2024-3094 | 30.03.2024
BCKDR_XZUtil_Binary_CVE_2024_3094_Mar24_1 | Detects injected code used by the backdoored XZ library (xzutil) CVE-2024-3094 | 30.03.2024
BCKDR_XZUtil_KillSwitch_CVE_2024_3094_Mar24_1 | Detects kill switch used by the backdoored XZ library (xzutil) CVE-2024-3094 | 30.03.2024
MAL_IDAT_Injector_Loader_Mar24 | Detects IDAT Injector loader | 29.03.2024
MAL_IDAT_Injector_Mar24 | Detects IDAT injector | 29.03.2024

Successful YARA Rules in Set

This table lists the rules whose matches had the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days). The rate is the average number of AV engines that flagged the matched samples.

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash (SHA-256)
SUSP_Defense_Evasion_Known_IP_Addresses_Jun23 | 3 | 3492ba6a94f34bb15868081fbffbf87e7593e478c4e1696b1e7b51e36aafc2bf
SUSP_Defense_Evasion_Known_Usernames_Jun23 | 3 | 3492ba6a94f34bb15868081fbffbf87e7593e478c4e1696b1e7b51e36aafc2bf
SUSP_Defense_Evasion_Known_MAC_Addresses_Jun23 | 3 | 3492ba6a94f34bb15868081fbffbf87e7593e478c4e1696b1e7b51e36aafc2bf
SUSP_Defense_Evasion_Known_System_UUID_Jun23 | 3 | 3492ba6a94f34bb15868081fbffbf87e7593e478c4e1696b1e7b51e36aafc2bf
SUSP_Defense_Evasion_Known_Hostnames_Jun23 | 3 | 3492ba6a94f34bb15868081fbffbf87e7593e478c4e1696b1e7b51e36aafc2bf
SUSP_OBF_VMProtect_Jan24 | 5 | 637154310784c4af9c74660179520832ca4c4961a52c3eaf1e1e8b185a7281d2
SUSP_Credential_Stealer_Indicators_Jul23_1 | 9 | 6dfcee4cfd04b7fcb7555d782ee5f2b998002c828474a92fd45caf2a37b5f51a
SUSP_Double_Base64Encoded_Kernel32_Functions | 9 | 83ed8f4501aa2ef157eec08213ed8a3c35e733dfc3bd8d9b88b56015ae8d4dee
SUSP_OBFUSC_Reversed_Encoded_Executable_Mar22 | 9 | 83ed8f4501aa2ef157eec08213ed8a3c35e733dfc3bd8d9b88b56015ae8d4dee
SUSP_Encoded_Kernel32_Functions | 9 | 83ed8f4501aa2ef157eec08213ed8a3c35e733dfc3bd8d9b88b56015ae8d4dee
SUSP_Encoded_GetCurrentThreadId | 9 | 83ed8f4501aa2ef157eec08213ed8a3c35e733dfc3bd8d9b88b56015ae8d4dee
SUSP_Encoded_GetCurrentThreadId_FileOnly | 9 | 83ed8f4501aa2ef157eec08213ed8a3c35e733dfc3bd8d9b88b56015ae8d4dee
SUSP_Encoded_GetCurrentThreadId_Ext1_Aug20 | 9 | 83ed8f4501aa2ef157eec08213ed8a3c35e733dfc3bd8d9b88b56015ae8d4dee
SUSP_OBFUSC_UPX_Oct20 | 7 | 25ae837f22104e61d6671fd6d22758bb26f9f16264e7fce61d5b17d374ef5c7b
SUSP_OBFUSC_UPX_Oct20 | 6 | c48d7eb5e2d5216c43af29ee4464623472f734ed6606bd91f988f649d841c667
SUSP_OBFUSC_UPX_Oct20 | 6 | 851b2f9eb7b054b08815ede0ca4f31f577ad5aa7f7627b8f4df786cc783690a8
SUSP_OBFUSC_UPX_Oct20 | 4 | 2c7461e4653af381128559a7089094c01fd00da81677f0dbb02e99d7af98919c
SUSP_Defense_Evasion_Known_System_UUID_Jun23 | 4 | 0153663f0343aa8c667d5445be18e592468ee44d72f890f92811bd2d7a725de9
SUSP_Defense_Evasion_Known_Hostnames_Jun23 | 4 | 0153663f0343aa8c667d5445be18e592468ee44d72f890f92811bd2d7a725de9
SUSP_Defense_Evasion_Known_Usernames_Jun23 | 4 | 0153663f0343aa8c667d5445be18e592468ee44d72f890f92811bd2d7a725de9

YARA Rules Per Category

This list shows the number of YARA rules in each subscribable category (the counts overlap, because a rule can belong to more than one category)

Tag | Count
Malware | 6019
Threat Hunting (not subscribable, only in THOR scanner) | 4936
APT | 4817
Hacktools | 4458
Webshells | 2308
Exploits | 617

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process | Detects potentially suspicious child processes of the SSH daemon (sshd) running as a specific execution user. This could be a sign of exploitation of CVE-2024-3094 (the backdoored XZ library). | 01.04.2024
Certificate-Based Authentication Enabled | Detects when certificate based authentication has been enabled in an Azure Active Directory tenant. | 26.03.2024
New Root Certificate Authority Added | Detects a newly added root certificate authority in an AzureAD tenant to support certificate based authentication. | 26.03.2024
Privileged Container Deployed | Detects the creation of a "privileged" container, an action which could indicate a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various forms of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields. | 26.03.2024
Kubernetes Events Deleted | Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection. | 26.03.2024
Creation Of Pod In System Namespace | Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers. | 26.03.2024
Deployment Deleted From Kubernetes Cluster | Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. | 26.03.2024
Container With A hostPath Mount Created | Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node into the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot into it to escape to the underlying node. | 26.03.2024
Potential Remote Command Execution In Pod Container | Detects attempts to execute remote commands within a Pod's container, e.g. using the "kubectl exec" command. | 26.03.2024
RBAC Permission Enumeration Attempt | Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server and querying the SelfSubjectAccessReview API (or the SelfSubjectRulesReview API behind "kubectl auth can-i --list"). This enumerates the Role-Based Access Control (RBAC) rules defining the compromised user's authorization. | 26.03.2024
New Kubernetes Service Account Created | Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster. | 26.03.2024
Kubernetes Secrets Enumeration | Detects enumeration of Kubernetes secrets. | 26.03.2024
Potential Sidecar Injection Into Running Deployment | Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation. By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity instead of running their own separate pod in the cluster. | 26.03.2024
Potential KamiKakaBot Activity - Lure Document Execution | Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection. | 22.03.2024
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation | Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system. | 22.03.2024
Potential KamiKakaBot Activity - Winlogon Shell Persistence | Detects changes to the "Winlogon" registry key where a process sets the "Shell" value to a value that was observed being used by KamiKakaBot samples in order to achieve persistence. | 22.03.2024
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection | Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1' together with an "Authorization" header whose base64 encoded value contains an uncommon character. | 20.03.2024
MaxMpxCt Registry Value Changed | Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic. | 19.03.2024
ETW Session Stopped | This detection triggers every time an ETW session is stopped. Attackers can stop ETW sessions in order to blind security monitoring tooling. | 13.03.2024
Critical ETW Session Stopped | This detection triggers every time an important or critical ETW session is stopped. Attackers can stop ETW sessions in order to blind security monitoring tooling. | 13.03.2024
Important ETW Provider Has Been Unregistered | Detects important or critical ETW providers that have been unregistered. Attackers might unregister a certain provider in order to evade defenses or blind security monitoring tooling. | 13.03.2024
New ETW Session Started | This detection triggers every time a new ETW session is started. | 13.03.2024
UAC Bypass Attempt Via Msdt.EXE | Detects a UAC bypass attempt using the Msdt binary and the Bluetooth "BluetoothDiagnostic.xml" diagnostic package. The Msdt binary is capable of auto-elevation and the "BluetoothDiagnostic" diagnostic package doesn't require admin privileges. This allows a user to call the 32-bit Msdt with the Bluetooth package, which automatically starts an elevated instance of Msdt and calls the "sdiagnhost" binary. That binary tries to load the "BluetoothDiagnosticUtil" DLL, which it cannot find, so it falls back to searching the directories listed in the PATH environment variable. An attacker can hijack one of these locations to plant a malicious version of this DLL and get it loaded by "sdiagnhost". | 13.03.2024
IExpress.EXE Binary Proxy Execution Through Diamond.EXE | Detects the execution of a binary named "diamond.exe" through "IExpress.EXE". In almost all cases the IExpress binary spawns the "makecab" utility in order to create the ".cab" file requested by the user via the ".SED" file. Internally it offers a different mode if the ".SED" file specifies a CompressionMode called "QUANTUM"; in this mode it looks for a binary named "diamond.exe". As this binary has been deprecated and is not available in newer versions of Windows, attackers can use this fact in order to execute any binary named "diamond.exe" located in the directory IExpress is executed from. | 12.03.2024
Makecab.EXE Execution With An Uncommon Directive File Extension | Detects the execution of "makecab.exe" with a directive file that has an uncommon extension. The typical extension for a cab directive is the Diamond Directive File (.DDF). Not using this extension might be a sign of something uncommon or even suspicious worth investigating. | 12.03.2024
Makecab.EXE Execution With Directive File | Detects the execution of "makecab.exe" with a directive file. Attackers can leverage makecab with a directive file in order to create a ".cab" file without the command line mentioning the files being compressed, as the ".DDF" file contains all the information necessary for the compression. | 12.03.2024
Potential Remote Code Execution Via Outlook Form | Detects the creation of a new file with a ".DLL" extension in the Outlook Forms folder. This might be an indicator of an attacker using Outlook form persistence or remote code execution as seen in CVE-2024-21378 exploitation. | 12.03.2024
Potentially Suspicious COM DLL Loaded By Outlook.EXE | Detects the load of a DLL located in the Outlook FORMS directory. This could be an indication of potential exploitation of CVE-2024-21378 or potential persistence via Outlook FORMS. | 12.03.2024
HH.EXE Initiated A Network Connection To An Uncommon Destination Port | Detects a network connection initiated by the "hh.exe" process to an uncommon destination port. This could indicate potential process injection or an uncommon communication method. | 12.03.2024
Suspicious COM CLSID Registry Value Set By Outlook.EXE | Detects the creation of a COM CLSID pointing to a DLL file residing in the Outlook Forms directory. This could potentially indicate the installation of a malicious Outlook Form. Investigate further actions executed during this time frame and look for a DLL being dropped to disk and then that same DLL being loaded by the Outlook process. | 12.03.2024
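The Kubernetes rules above all key on fields of kube-apiserver audit events (verb, objectRef, requestObject). The script below is an added example, written for this page and not taken from the Sigma rules or from Nextron: it runs the described checks (privileged container, hostPath mount, pod in kube-system, SelfSubjectAccessReview/SelfSubjectRulesReview enumeration, secrets listing, service account creation, event deletion, pod exec, container patch on a running workload) over a constructed audit log. The field tests and the sample events are this example's assumptions, not the rules' exact selections.

```python
"""Constructed Kubernetes audit-log triage (added example; not the Sigma rules above).
Each input line is one kube-apiserver audit event as JSON."""
import json

WORKLOADS = {"pods", "deployments", "daemonsets", "statefulsets", "replicasets", "jobs", "cronjobs"}


def pod_spec(request_object):
    """Return the pod spec from a Pod, or from the pod template of a workload object."""
    obj = request_object or {}
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def triage_event(event):
    """Return the list of suspicious behaviours seen in one audit event."""
    findings = []
    verb = event.get("verb")
    ref = event.get("objectRef") or {}
    resource, sub, ns = ref.get("resource"), ref.get("subresource"), ref.get("namespace")
    req = event.get("requestObject") or {}

    if verb == "create" and resource in WORKLOADS and not sub:
        spec = pod_spec(req)
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        # Privileged Container Deployed: securityContext.privileged, hostPID or hostNetwork
        if (any((c.get("securityContext") or {}).get("privileged") for c in containers)
                or spec.get("hostPID") or spec.get("hostNetwork")):
            findings.append("privileged container")
        # Container With A hostPath Mount Created
        if any("hostPath" in v for v in spec.get("volumes", [])):
            findings.append("hostPath mount")
        # Creation Of Pod In System Namespace
        if resource == "pods" and ns == "kube-system":
            findings.append("pod created in kube-system")
    # RBAC Permission Enumeration Attempt (kubectl auth can-i / can-i --list)
    if verb == "create" and resource in ("selfsubjectaccessreviews", "selfsubjectrulesreviews"):
        findings.append("RBAC permission enumeration")
    # Kubernetes Secrets Enumeration
    if resource == "secrets" and verb in ("list", "watch"):
        findings.append("secrets enumeration")
    # New Kubernetes Service Account Created
    if verb == "create" and resource == "serviceaccounts":
        findings.append("service account created")
    # Kubernetes Events Deleted
    if verb in ("delete", "deletecollection") and resource == "events":
        findings.append("events deleted")
    # Potential Remote Command Execution In Pod Container: kubectl exec is a POST to pods/<name>/exec
    if verb == "create" and resource == "pods" and sub == "exec":
        findings.append("pod exec")
    # Potential Sidecar Injection: a patch whose body touches the container list
    if verb == "patch" and resource in WORKLOADS and '"containers"' in json.dumps(req):
        findings.append("possible sidecar injection")
    return findings


def triage_log(lines):
    """Map auditID -> findings for every event that triggered at least one check."""
    results = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        findings = triage_event(event)
        if findings:
            results[event.get("auditID", "?")] = findings
    return results


# Constructed sample audit log (not real data), one JSON event per line.
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in [
    {"auditID": "a1", "verb": "create", "user": {"username": "dev"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-bv61v"},
     "requestObject": {"kind": "Pod", "spec": {"hostPID": True,
         "containers": [{"name": "c", "image": "busybox", "securityContext": {"privileged": True}}],
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}},
    {"auditID": "a2", "verb": "create", "user": {"username": "dev"},
     "objectRef": {"resource": "selfsubjectrulesreviews"}, "requestObject": {"kind": "SelfSubjectRulesReview"}},
    {"auditID": "a3", "verb": "create", "user": {"username": "ci"},
     "objectRef": {"resource": "deployments", "namespace": "default", "name": "web"},
     "requestObject": {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}}}},
    {"auditID": "a4", "verb": "create", "user": {"username": "dev"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "default", "name": "web-1"}},
    {"auditID": "a5", "verb": "deletecollection", "user": {"username": "dev"},
     "objectRef": {"resource": "events", "namespace": "default"}},
    {"auditID": "a6", "verb": "patch", "user": {"username": "dev"},
     "objectRef": {"resource": "deployments", "namespace": "default", "name": "web"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [{"name": "agent", "image": "attacker/agent"}]}}}}},
]]

if __name__ == "__main__":
    for audit_id, findings in triage_log(SAMPLE_AUDIT_LOG).items():
        print(audit_id, "->", ", ".join(findings))
```

Event a3 (an ordinary Deployment in the default namespace) produces no finding, which is the point of keying on privileged/hostPath/namespace rather than on creation alone; in production the requestObject is only present when the audit policy level is Request or RequestResponse for those resources.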
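The CVE-2024-1212 description above is specific enough to check against web-server logs: a GET to /access/set with param=enableapi and value=1, plus a Basic Authorization value that is not clean base64 or that decodes to something with characters no API user name should contain. The code below is an added example for this page, not the Sigma rule and not Nextron's code; the shell-metacharacter set, the request representation and the sample requests are this example's assumptions.

```python
"""Constructed check for the CVE-2024-1212 request shape (added example; not the Sigma rule).
A request is a dict with "id", "method", "uri" and "headers"."""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Characters a LoadMaster API user name or password should never contain but that
# matter to a shell. This set is an assumption about "uncommon character".
SHELL_METACHARS = set("'\"`;|&$(){}<>\n")


def strict_b64_decode(token):
    """Decode with the strict base64 alphabet and padding; None if it is not base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def classify_request(req):
    """Return a reason string if the request matches the exploitation pattern, else None."""
    if req.get("method", "").upper() != "GET":
        return None
    parts = urlsplit(req.get("uri", ""))
    if parts.path != "/access/set":
        return None
    query = parse_qs(parts.query)
    if query.get("param") != ["enableapi"] or query.get("value") != ["1"]:
        return None
    headers = {k.lower(): v for k, v in (req.get("headers") or {}).items()}
    scheme, _, token = headers.get("authorization", "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    creds = strict_b64_decode(token)
    if creds is None:
        return "Authorization value is not valid base64 Basic credentials"
    bad = sorted(ch for ch in set(creds) if ch in SHELL_METACHARS)
    if bad:
        return "shell metacharacters in decoded credentials: " + "".join(bad)
    return None


def scan_requests(requests):
    """Map request id -> reason for every request that matches."""
    results = {}
    for req in requests:
        reason = classify_request(req)
        if reason:
            results[req["id"]] = reason
    return results


def basic(user_pass):
    return "Basic " + base64.b64encode(user_pass).decode()


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "GET", "uri": "/access/set?param=enableapi&value=1",
     "headers": {"Authorization": basic(b"bal:1fourall")}},          # ordinary API enablement
    {"id": "r2", "method": "GET", "uri": "/access/set?param=enableapi&value=1",
     "headers": {"Authorization": basic(b"' ;id; #:x")}},            # injection in the credentials
    {"id": "r3", "method": "GET", "uri": "/access/get?param=version",
     "headers": {"Authorization": basic(b"' ;id; #:x")}},            # wrong endpoint
    {"id": "r4", "method": "GET", "uri": "/access/set?param=enableapi&value=1",
     "headers": {"authorization": "Basic not*base64!"}},             # non-base64 characters
    {"id": "r5", "method": "POST", "uri": "/access/set?param=enableapi&value=1",
     "headers": {"Authorization": basic(b"' ;id; #:x")}},            # not a GET
]

if __name__ == "__main__":
    for rid, reason in scan_requests(SAMPLE_REQUESTS).items():
        print(rid, "->", reason)
```

Only r2 and r4 are reported. Because the injection lives in the decoded credentials, a log source that stores only the raw base64 value (most web-server logs) needs the decode step; matching on the base64 text alone would miss it.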
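Several of the Windows rules above (IExpress/diamond.exe, makecab directive files, the msdt BluetoothDiagnostic UAC bypass, the KamiKakaBot shutdown task) are process-creation heuristics on image name, parent image and command line. The following is an added example that applies those heuristics to constructed Sysmon-style process events; it is not the Sigma rules' own logic, and the makecab /F flag form, the paths and the sample command lines are this example's assumptions.

```python
"""Constructed process-creation triage for the Windows rules above (added example;
not the Sigma rules). Events carry Sysmon Event ID 1 style fields."""
import ntpath
import re

# makecab takes its directive file after /F (or -F); the flag form is an assumption.
MAKECAB_DIRECTIVE_RE = re.compile(r'[/-]f\s+"?([^"\s]+)', re.I)


def image_name(path):
    """Lower-cased file name of a Windows path; works on any host OS via ntpath."""
    return ntpath.basename(path or "").lower()


def triage_process_event(ev):
    """Return the list of rule-like findings for one process-creation event."""
    image = image_name(ev.get("Image"))
    parent = image_name(ev.get("ParentImage"))
    cmd = ev.get("CommandLine") or ""
    lcmd = cmd.lower()
    findings = []
    # IExpress.EXE Binary Proxy Execution Through Diamond.EXE
    if parent == "iexpress.exe" and image == "diamond.exe":
        findings.append("diamond.exe spawned by IExpress")
    # Makecab.EXE Execution With Directive File / With An Uncommon Directive File Extension
    if image == "makecab.exe":
        m = MAKECAB_DIRECTIVE_RE.search(cmd)
        if m:
            findings.append("makecab run with directive file")
            ext = ntpath.splitext(m.group(1))[1].lower()
            if ext != ".ddf":
                findings.append("makecab directive with uncommon extension " + (ext or "(none)"))
    # UAC Bypass Attempt Via Msdt.EXE
    if image == "msdt.exe" and "bluetoothdiagnostic.xml" in lcmd:
        findings.append("msdt launched with BluetoothDiagnostic package")
    # Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
    if (image == "schtasks.exe" and "/create" in lcmd
            and "/sc weekly" in lcmd and "shutdown /l /f" in lcmd):
        findings.append("weekly scheduled task running shutdown /l /f")
    return findings


def triage_process_log(events):
    """Map RecordId -> findings for every event that triggered at least one check."""
    results = {}
    for ev in events:
        findings = triage_process_event(ev)
        if findings:
            results[ev["RecordId"]] = findings
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Temp\diamond.exe",
     "ParentImage": r"C:\Windows\System32\iexpress.exe", "CommandLine": "diamond.exe"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\makecab.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"makecab.exe /F C:\Users\Public\build.txt"},
    {"RecordId": 3, "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msdt.exe -path C:\Windows\diagnostics\system\BluetoothDiagnostic.xml"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks.exe /create /sc weekly /tn Updater /tr "shutdown /l /f"'},
    {"RecordId": 5, "Image": r"C:\Windows\System32\makecab.exe",
     "ParentImage": r"C:\Windows\System32\iexpress.exe",
     "CommandLine": r"makecab.exe /F C:\build\package.ddf"},
    {"RecordId": 6, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rid, findings in triage_process_log(SAMPLE_EVENTS).items():
        print(rid, "->", "; ".join(findings))
```

Record 5 (makecab called by IExpress with a .ddf) only triggers the generic "directive file" finding, which is the normal IExpress path the description mentions; record 2 adds the uncommon-extension finding that the second makecab rule is about.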

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2963 | 17660
Sigma | 3204 | 446

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1206
windows / registry_set | 187
windows / file_event | 182
windows / ps_script | 163
windows / security | 153
linux / process_creation | 108
windows / image_load | 97
webserver | 78
windows / system | 72
macos / process_creation | 56
proxy | 51
linux / auditd | 49
windows / network_connection | 45
azure / activitylogs | 43
windows / registry_event | 38
aws / cloudtrail | 35
azure / auditlogs | 35
windows / ps_module | 32
windows / application | 28
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
windows / dns_query | 20
azure / riskdetection | 19
opencanary / application | 18
windows / pipe_created | 18
linux | 17
rpc_firewall / application | 17
gcp / gcp.audit | 16
windows / windefend | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 12
cisco / aaa | 12
windows / file_delete | 12
kubernetes / application / audit | 10
windows / driver_load | 10
github / audit | 10
windows / codeintegrity-operational | 10
windows / ps_classic_start | 10
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / msexchange-management | 8
dns | 8
azure / pim | 7
windows / appxdeployment-server | 7
windows / bits-client | 7
gcp / google_workspace.admin | 7
zeek / smb_files | 7
windows / firewall-as | 7
antivirus | 7
windows / file_access | 6
windows / registry_delete | 6
jvm / application | 5
windows / dns-client | 5
zeek / dce_rpc | 4
zeek / dns | 4
windows / sysmon | 4
windows / taskscheduler | 4
windows / ntlm | 3
linux / sshd | 3
zeek / http | 3
windows / wmi_event | 3
linux / network_connection | 3
windows / powershell-classic | 3
qualys | 2
windows / file_change | 2
firewall | 2
windows / security-mitigations | 2
spring / application | 2
m365 / audit | 2
linux / syslog | 2
windows / dns-server | 2
macos / file_event | 2
apache | 2
onelogin / onelogin.events | 2
nginx | 1
windows / driver-framework | 1
windows / printservice-operational | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-admin | 1
cisco / bgp | 1
fortios / sslvpnd | 1
netflow | 1
cisco / ldp | 1
windows / ldap | 1
cisco / syslog | 1
linux / auth | 1
windows / applocker | 1
windows / smbclient-connectivity | 1
linux / cron | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
windows / openssh | 1
windows / process_tampering | 1
django / application | 1
juniper / bgp | 1
windows / raw_access_thread | 1
linux / guacamole | 1
windows / appxpackaging-om | 1
windows / shell-core | 1
nodejs / application | 1
linux / clamav | 1
python / application | 1
windows / capi2 | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
linux / sudo | 1
windows / certificateservicesclient-lifecycle-system | 1
zeek / x509 | 1
windows / smbclient-security | 1
windows / file_rename | 1
velocity / application | 1
m365 / exchange | 1
windows / diagnosis-scripted | 1
windows / terminalservices-localsessionmanager | 1
ruby_on_rails / application | 1
linux / vsftpd | 1
zeek / rdp | 1
windows / sysmon_status | 1
database | 1
m365 / threat_detection | 1
zeek / kerberos | 1
windows / sysmon_error | 1
sql / application | 1
windows | 1
windows / dns-server-analytic | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 179
windows / ps_script | 52
windows / registry_set | 49
windows / wmi | 29
windows / file_event | 20
windows / image_load | 14
proxy | 11
windows / security | 10
windows / system | 10
windows / kernel-event-tracing | 6
windows / network_connection | 6
windows / ntfs | 5
windows / ps_module | 4
windows / create_remote_thread | 4
windows / registry_event | 4
windows / pipe_created | 3
windows / ps_classic_script | 3
linux / process_creation | 3
windows / vhd | 3
windows / registry_delete | 3
webserver | 3
windows / application-experience | 3
windows / hyper-v-worker | 3
windows / kernel-shimengine | 2
windows / taskscheduler | 2
windows / driver_load | 2
windows / bits-client | 2
windows / codeintegrity-operational | 1
windows / application | 1
windows / file_delete | 1
windows / audit-cve | 1
macos / process_creation | 1
windows / process_access | 1
windows / dns_query | 1
windows / amsi | 1
windows / registry-setinformation | 1
windows / file_access | 1
windows / file_rename | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be enabled
  • You have to define the target locations (the paths Nessus should scan)
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
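Because Nessus accepts only one .yar file, a rule set that is spread over several files (and that uses `include`) has to be merged first, and a merged file fails to compile if two files define the same rule name. The script below is an added example for this page, not a Nextron or Tenable tool: it hoists `import` statements to the top once, drops `include` lines (they cannot resolve inside a single uploaded file), and reports duplicate rule identifiers before you upload. The sample rule sources are constructed.

```python
"""Merge several YARA rule files into one .yar for a single-file upload
(added example; not part of Valhalla, THOR or Nessus)."""
import re

RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.M)
IMPORT_RE = re.compile(r'^\s*import\s+"[^"]+"\s*$', re.M)
INCLUDE_RE = re.compile(r'^\s*include\s+"[^"]+"\s*$', re.M)


def merge_yara_sources(sources):
    """sources: mapping file name -> rule text (in the order they should be merged).
    Returns (merged_text, warnings); warnings list dropped includes and duplicate rule names."""
    imports, bodies, seen, warnings = [], [], {}, []
    for name, text in sources.items():
        # Module imports are file-scoped in YARA; keep one copy of each at the top.
        for imp in IMPORT_RE.findall(text):
            imp = imp.strip()
            if imp not in imports:
                imports.append(imp)
        if INCLUDE_RE.search(text):
            warnings.append(f"{name}: 'include' directives dropped; a single uploaded file cannot reference other files")
        # YARA refuses to compile a file that defines the same identifier twice.
        for rule in RULE_RE.findall(text):
            if rule in seen:
                warnings.append(f"{name}: duplicate rule name {rule!r} (first seen in {seen[rule]})")
            else:
                seen[rule] = name
        body = INCLUDE_RE.sub("", IMPORT_RE.sub("", text)).strip()
        bodies.append(f"// ---- {name} ----\n{body}")
    merged = "\n".join(imports) + ("\n\n" if imports else "") + "\n\n".join(bodies) + "\n"
    return merged, warnings


# Constructed sample rule files (not Valhalla rules).
SAMPLE_SOURCES = {
    "a.yar": 'import "pe"\n\nrule Demo_A { strings: $s = "foo" condition: $s }\n',
    "b.yar": 'import "pe"\ninclude "other.yar"\n\nrule Demo_B { condition: pe.is_pe }\n'
             'rule Demo_A { condition: false }\n',
}

if __name__ == "__main__":
    merged, warnings = merge_yara_sources(SAMPLE_SOURCES)
    print(merged)
    for w in warnings:
        print("WARNING:", w)
```

Resolve every duplicate warning by renaming or removing one of the rules before uploading; the merged text should then be compiled once locally (for example with the yara CLI) so that a syntax error surfaces before the Nessus scan rather than inside it.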

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html