Valhalla
currently serving 24181 YARA rules and 4617 Sigma rules

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
EXPL_CVE_2026_33829_Jun26 | Detects a CVE-2026-33829 exploit that allows remote attackers to disclose NTLM responses from users via ms-screensketch protocol handlers | 09.06.2026
EXPL_B64_CVE_2026_33829_Jun26 | Detects a base64-encoded CVE-2026-33829 exploit that allows remote attackers to disclose NTLM responses from users via ms-screensketch protocol handlers | 09.06.2026
HKTL_EDR_Chocker_Jun26 | Detects the EDRChoker tool, which abuses Windows Policy-based Quality of Service (QoS) to blind EDR agents. The tool creates a MSFT_NetQosPolicySettingData policy via WMI (ROOT\StandardCimv2) that throttles security process traffic to 8 bytes/sec, so the agent cannot send telemetry to its cloud and times out. | 08.06.2026
SUSP_Binding_GYP_Jun26 | Detects suspicious build configuration files containing shell command execution constructs that may be abused during npm package installation, as these files are automatically processed by node-gyp in trusted build environments. | 04.06.2026
SUSP_LNX_BASHRC_Jun26 | Detects suspicious modifications to .bashrc files on Linux systems, potentially indicating malware activity. | 04.06.2026
MAL_BACKDOOR_INSTALLER_Jun26 | Detects an unnamed backdoor installer on Linux and macOS systems, which may indicate unauthorized access or control. | 04.06.2026
APT_DPRK_RAT_HuggingFace_Exfil_Jun26 | Detects a JavaScript RAT used in the DPRK Contagious Interview campaign that exfiltrates screenshots and files via the HuggingFace API | 03.06.2026
EXPL_WER_CVE_2026_41089_Netlogon_Jun26 | Detects characteristics in WER files (crash reports) that could indicate exploitation of CVE-2026-41089, a critical vulnerability in Microsoft Windows Netlogon that allows remote code execution through a stack-based buffer overflow in the BuildSamLogonResponse function. The presence of specific strings related to lsass.exe, netlogon.DLL and certain error codes could indicate an attempted or successful exploitation of this vulnerability. | 02.06.2026
MAL_MWSRAT_Jun26 | Detects MWSRAT, which searches the host for cryptocurrency wallets, performs local network scanning, queries the registry, and hijacks the clipboard to swap copied cryptocurrency addresses | 01.06.2026
MAL_Laxury_Stealer_Jun26 | Detects Laxury stealer | 01.06.2026
SUSP_LNX_CRONTAB_INSTALL_Jun26 | Detects suspicious installation of crontab entries for persistence | 01.06.2026
MAL_RUSTCLOAK_Loader_Jun26 | Detects the RUSTCLOAK loader, which evades sandbox analysis, decrypts an encoded shellcode payload, and executes it via fiber hijacking. | 01.06.2026
SUSP_JS_OBFUSC_Caesar_Cipher_Jun26 | Detects obfuscated JavaScript that decodes a Caesar-ciphered, char-code-encoded payload at runtime and executes it | 01.06.2026
SUSP_LNX_ETC_SHADOW_IO_URING_Jun26 | Detects suspicious access to /etc/shadow using io_uring syscalls | 01.06.2026
MAL_PY_Crypto_Market_Beaconing_May26 | Detects a Python script that collects cryptocurrency prices from multiple exchanges while communicating with an external untrusted domain, potentially indicating a disguised data collection agent. | 29.05.2026
MAL_MacOS_Stealer_May26 | Detects a stealer written in Rust that targets Chromium browser data, Telegram sessions, cryptocurrency wallets, Apple Notes, and the macOS keychain, uses AppleScript for password prompting, stages stolen data into a ZIP archive, and exfiltrates it externally. | 29.05.2026
MAL_Bash_Loader_May26 | Detects a macOS Bash loader that downloads and launches decoy applications, removes macOS security attributes, and executes secondary payloads | 28.05.2026
MAL_RANSOM_LQTOREQ_May26 | Detects LQTOREQ ransomware | 28.05.2026
MAL_AMSI_Bypass_May26 | Detects .NET binaries attempting AMSI evasion via hardware breakpoints (DRx registers) | 28.05.2026
MAL_GO_DNS_Backdoor_May26 | Detects a Golang backdoor that executes arbitrary commands received via DNS TXT lookups | 27.05.2026
SUSP_KERNEL_MODULE_KEYLOGGER_May26 | Detects a kernel module that logs keyboard input and is likely used for keylogging purposes. | 26.05.2026
SUSP_PY_Import_May26 | Detects a suspicious Python import statement | 26.05.2026
MAL_PY_Download_Execute_May26 | Detects an obfuscated download-and-execute Python one-liner | 26.05.2026
MAL_NPM_TrapDoor_Crypto_Stealer_May26 | Detects the TrapDoor crypto stealer in NPM packages | 26.05.2026
MAL_PY_TrapDoor_Crypto_Stealer_May26 | Detects the TrapDoor crypto stealer in Python packages | 26.05.2026
MAL_RUST_TrapDoor_Crypto_Stealer_May26 | Detects the TrapDoor crypto stealer in Rust packages | 26.05.2026
SUSP_Crypto_Stealer_May26 | Detects a crypto stealer targeting secrets such as AWS, GitHub and OpenAI keys. It may also match legitimate secret scanner tools. | 26.05.2026
MAL_Worm_Hole_May26 | Detects Worm Hole, a custom proxy tool used by the Webworm APT group | 25.05.2026
MAL_GraphWorm_Backdoor_May26 | Detects GraphWorm, a custom backdoor used by the Webworm APT group that uses the Microsoft Graph API for C2 communication | 25.05.2026
MAL_SmuxProxy_May26 | Detects SmuxProxy, a custom proxy tool used by the Webworm APT group | 25.05.2026

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)


YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can belong to several categories)

Tag | Count
Malware | 7683
Threat Hunting (not subscribable, only in THOR scanner) | 5920
APT | 5067
Hacktools | 4871
Webshells | 2402
Exploits | 738

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Uninstall SystemComponent Registry Value Modification via CommandLine | Detects modification of the "SystemComponent" registry value in the "Uninstall" key through the command line. Attackers modify this value to hide installed applications from "Programs and Features", often as part of persistence or defense evasion techniques. | 04.06.2026
Hiding of an Installed Application from Application Wizard | Detects the SystemComponent DWORD registry value being set to 1 under an application's Uninstall key, which removes the application from "Programs and Features" and "Add or Remove Programs". Threat actors use this technique to hide installed applications from normal administrative review as part of persistence or defense evasion strategies. | 04.06.2026
Cloud Provider Credential Dumping via Environment Variable Grep | Detects attempts to discover cloud provider credentials stored in environment variables by using 'grep' with cloud provider-specific patterns (AWS, Google Cloud, GCloud, Azure). Attackers commonly enumerate environment variables after gaining initial access to identify or steal credentials for further exploitation, such as lateral movement or data exfiltration. | 28.05.2026
Kubernetes Secrets Dumping via Kubectl | Detects attempts to dump Kubernetes secrets using kubectl. Attackers with sufficient RBAC permissions may enumerate secrets cluster-wide to harvest credentials, API tokens, TLS certificates, or other sensitive data stored as Kubernetes secrets. | 28.05.2026
Potentially Suspicious Load of Cldapi DLL | Detects potentially suspicious loading of Cldapi.dll, which is associated with the Windows Cloud Files API. While Cldapi.dll is a legitimate system component, its loading can be abused by attackers to execute code in the context of trusted processes or to escalate privileges, as seen in Green Plasma. | 27.05.2026
Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On macOS | Detects a macOS shell process (e.g. zsh, bash, sh) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself. | 26.05.2026
Bun Runtime Execution Via Node.js Spawned Shell On Windows | Detects a Windows shell process (e.g. cmd.exe, powershell.exe) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js child_process APIs to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself. | 21.05.2026
Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On Linux | Detects a Linux shell process (e.g. bash, sh, dash) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself. | 21.05.2026
Potential RID Hijacking Attempt via PowerShell | Detects PowerShell scripts that attempt to modify the SAM registry to potentially perform RID hijacking attacks. In a RID hijacking attack, an attacker modifies the RID set of a user account such as the guest user to escalate privileges or impersonate another user. | 19.05.2026
Potential RID Hijacking Attempt | Detects attempts to modify the SAM registry to potentially perform RID hijacking attacks. In a RID hijacking attack, an attacker modifies the RID set of a user account such as the guest user to escalate privileges or impersonate another user. | 19.05.2026
Potential RID Hijacking Attempt - Registry | Detects modifications to the RID Set registry keys which could indicate an attempt to perform RID hijacking attacks. In RID hijacking, an attacker modifies the RID set of a user account such as the guest user to escalate privileges or impersonate another user. | 19.05.2026
Suspicious Creation of Agentic Coding Skill Files in Sensitive Locations | Detects the creation of agentic coding skill files in suspicious or world-writable locations. Agentic skill files are typically markdown files that define capabilities for agentic AI assistants such as Claude, OpenClaw, etc. Adversaries may drop malicious skill definition files in these locations before invoking them for malicious purposes. | 15.05.2026
Agentic Coding Skill Files Created by Suspicious Process | Detects creation of agentic skill files by suspicious processes. Agentic skill files are typically markdown files that define capabilities for agentic AI coding assistants like Claude Code. Adversaries may drop malicious skill definition files and invoke them for malicious purposes. | 15.05.2026
Self-Referential Payload Extraction via PowerShell Command Line | Detects PowerShell one-liners that read a file's content, extract an embedded payload via regex matching, and write the result to disk for further execution. This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely. The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location. | 12.05.2026
Self-Referential Payload Extraction via PowerShell | Detects PowerShell scripts that read a file's content, extract an embedded payload via regex matching, and write the result to disk for further execution. This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely. The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location. | 12.05.2026
PowerShell Dynamic Module Command Invocation via Index Access - PsScript | Detects PowerShell scripts that dynamically invoke commands from the Microsoft.PowerShell.Utility module using index access on the ExportedCommands collection. Threat actors may use this technique to bypass detection mechanisms that look for specific command names, as the actual commands being invoked are determined at runtime and may not be explicitly mentioned in the script. | 11.05.2026
PowerShell Dynamic Module Command Invocation via Index Access | Detects PowerShell scripts that dynamically invoke commands from the Microsoft.PowerShell.Utility module using index access on the ExportedCommands collection. Threat actors may use this technique to bypass detection mechanisms that look for specific command names, as the actual commands being invoked are determined at runtime and may not be explicitly mentioned in the script. | 11.05.2026
HH.EXE CHM File Decompilation | Detects execution of hh.exe with the -decompile (-d) flag to extract the contents of a CHM file. Threat actors abuse this technique to drop and execute malicious payloads embedded in CHM files. | 08.05.2026
HH.EXE CHM Decompilation With Non-CHM File Extension | Detects execution of hh.exe with the -decompile (-d) flag where no .chm extension is present in the command line. Threat actors disguise CHM files with alternative extensions (e.g. .doc, .pdf) to evade detection, then pass them to hh.exe for decompilation and payload extraction. | 08.05.2026
Free Disk Space Enumeration Via Fsutil | Detects the use of fsutil to enumerate free disk space on a volume. Threat actors may abuse this to determine available space before carrying out further actions such as data destruction or exfiltration. | 04.05.2026
Net User Logon Time Restriction and Account Lockout | Detects usage of the net user command to set logon time restrictions and disable accounts, a technique used by wipers to prevent user logins and lock out accounts, hindering recovery efforts. | 04.05.2026
Network Interface Disabled Via Netsh | Detects netsh being used to disable a network interface. Threat actors abuse this to cut off network connectivity and prevent remote recovery or intervention during destructive attacks. | 04.05.2026
Winlogon CachedLogonsCount Registry Manipulation Via CLI | Detects command-line manipulation of the CachedLogonsCount registry value under the Winlogon key. This value controls how many domain credential sets Windows caches locally. Setting it to zero disables caching entirely, forcing direct domain controller authentication. Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise. | 04.05.2026
Robocopy Mirror Directory Wipe | Detects robocopy invoked with the /MIR and /B flags, a technique commonly abused by wipers to overwrite entire directory trees by mirroring an empty source folder in backup mode, permanently destroying all file contents. | 04.05.2026
Diskpart Volume Clean All Execution | Detects the execution of diskpart's "clean all" command, which permanently destroys all data on a disk volume by overwriting every sector with zeros. Threat actors abuse this for data destruction and wiper attacks. | 04.05.2026
Winlogon CachedLogonsCount Registry Value Set To Zero | Detects registry set events where the CachedLogonsCount value under the Winlogon key is set to zero. This disables Windows cached domain credentials, forcing direct domain controller authentication. Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise. | 04.05.2026
Large File Creation Via Fsutil | Detects fsutil being used to create a new file with a suspiciously large size. Threat actors abuse this technique to fill all available disk space, exhausting the filesystem and preventing the OS from writing logs, recovery artifacts, or any new data. | 04.05.2026
Sensitive File Dump Via Print.EXE | Detects abuse of the Print.exe utility for credential harvesting, where Print.exe is used to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely. | 28.04.2026
Kubernetes Potential Enumeration Activity | Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or code execution (exec) within a cluster. | 28.04.2026
Google Workspace Government Attack Warning | Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor | 28.04.2026

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2814 | 21367
Sigma | 3589 | 1028

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1350
windows / registry_set | 219
windows / file_event | 209
windows / ps_script | 166
windows / security | 160
linux / process_creation | 139
windows / image_load | 114
webserver | 82
windows / system | 74
macos / process_creation | 69
aws / cloudtrail | 55
proxy | 54
linux / auditd | 53
windows / network_connection | 53
azure / activitylogs | 42
windows / registry_event | 40
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 31
windows / dns_query | 27
windows / process_access | 25
azure / signinlogs | 24
opencanary / application | 24
okta / okta | 22
azure / riskdetection | 19
windows / pipe_created | 19
windows / windefend | 17
rpc_firewall / application | 17
linux | 16
gcp / gcp.audit | 16
github / audit | 15
linux / file_event | 15
bitbucket / audit | 14
windows / file_delete | 13
m365 / threat_management | 13
cisco / aaa | 13
windows / create_remote_thread | 12
dns | 10
windows / driver_load | 10
windows / registry_delete | 10
kubernetes / application / audit | 10
windows / codeintegrity-operational | 10
windows / appxdeployment-server | 9
windows / create_stream_hash | 9
windows / ps_classic_start | 9
windows / msexchange-management | 8
windows / firewall-as | 8
antivirus | 7
fortigate / event | 7
azure / pim | 7
windows / file_access | 7
windows / bits-client | 7
gcp / google_workspace.admin | 7
zeek / smb_files | 7
kubernetes / audit | 6
windows / dns-client | 6
jvm / application | 5
zeek / dns | 5
linux / network_connection | 5
zeek / http | 5
windows / iis-configuration | 4
zeek / dce_rpc | 4
m365 / audit | 4
windows / sysmon | 4
macos / file_event | 4
windows / taskscheduler | 4
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
windows / registry_add | 3
gcp / google_workspace.login | 3
windows / wmi_event | 3
onelogin / onelogin.events | 2
firewall | 2
windows / security-mitigations | 2
linux / syslog | 2
spring / application | 2
windows / dns-server | 2
apache | 2
linux / sudo | 1
cisco / duo | 1
nginx | 1
windows / dns-server-analytic | 1
cisco / ldp | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-admin | 1
database | 1
cisco / bgp | 1
windows / ldap | 1
django / application | 1
windows / printservice-operational | 1
linux / clamav | 1
windows / lsa-server | 1
linux / auth | 1
linux / guacamole | 1
windows / appmodel-runtime | 1
windows / openssh | 1
fortios / sslvpnd | 1
linux / cron | 1
juniper / bgp | 1
windows / applocker | 1
cisco / syslog | 1
windows / appxpackaging-om | 1
windows / process_tampering | 1
windows / smbclient-connectivity | 1
huawei / bgp | 1
windows / smbserver-connectivity | 1
windows / raw_access_thread | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
windows / capi2 | 1
windows / file_change | 1
paloalto / appliance / globalprotect | 1
linux / vsftpd | 1
zeek / x509 | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1
python / application | 1
windows / shell-core | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
windows / file_executable_detected | 1
ruby_on_rails / application | 1
m365 / exchange | 1
zeek / rdp | 1
windows / file_rename | 1
windows / sysmon_error | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_status | 1
sql / application | 1
m365 / threat_detection | 1
windows / driver-framework | 1
velocity / application | 1
windows | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 505
windows / registry_set | 92
windows / ps_script | 88
linux / process_creation | 55
windows / file_event | 49
windows / image_load | 47
windows / security | 29
windows / wmi | 29
windows / system | 13
proxy | 13
windows / network_connection | 9
windows / registry_event | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / dns_query | 5
windows / sense | 4
windows / pipe_created | 4
webserver | 4
windows / taskscheduler | 4
windows / registry_delete | 4
windows / create_remote_thread | 4
dns | 3
macos / process_creation | 3
windows / ps_classic_script | 3
windows / application-experience | 3
windows / vhd | 3
windows / hyper-v-worker | 3
windows / driver_load | 3
windows / codeintegrity-operational | 2
windows / file_delete | 2
windows / kernel-shimengine | 2
linux / file_event | 2
windows / smbclient-security | 2
windows / process_access | 2
windows / windefend | 2
windows / bits-client | 2
windows / file_access | 2
windows / firewall-as | 1
windows / file_rename | 1
linux / file_delete | 1
windows / amsi | 1
windows / application | 1
windows / audit-cve | 1
windows / registry-setinformation | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html