currently serving 24185 YARA rules and 4619 Sigma rules
Newest YARA Rules
This table shows the newest additions to the YARA rule set (rule name with the date it was added, followed by its description).

SUSP_LNX_ARCH_PKGBUILD_NPM_Dependency_Jun26 (15.06.2026)
    Detects a suspicious PKGBUILD with an NPM dependency and an install script
SUSP_LNX_ARCH_SRCINFO_NPM_Dependency_Jun26 (15.06.2026)
    Detects a suspicious .SRCINFO with an NPM dependency and an install script
SUSP_LNX_ARCH_Install_Hook_Jun26 (15.06.2026)
    Detects suspicious pre- and post-hooks in Arch install files
EXPL_CVE_2026_33829_Jun26 (09.06.2026)
    Detects a CVE-2026-33829 exploit that allows remote attackers to disclose NTLM responses from users via ms-screensketch protocol handlers
EXPL_B64_CVE_2026_33829_Jun26 (09.06.2026)
    Detects a base64-encoded CVE-2026-33829 exploit that allows remote attackers to disclose NTLM responses from users via ms-screensketch protocol handlers
HKTL_EDR_Chocker_Jun26 (08.06.2026)
    Detects the EDRChoker tool, which abuses Windows policy-based Quality of Service (QoS) to blind EDR agents. The tool creates an MSFT_NetQosPolicySettingData policy via WMI (ROOT\StandardCimv2) that throttles security process traffic to 8 bytes/sec, so the agent cannot send telemetry to its cloud and times out.
MAL_BACKDOOR_INSTALLER_Jun26 (04.06.2026)
    Detects an unnamed backdoor installer on Linux and macOS systems, which may indicate unauthorized access or control.
SUSP_LNX_BASHRC_Jun26 (04.06.2026)
    Detects suspicious modifications to .bashrc files on Linux systems, potentially indicating malware activity.
SUSP_Binding_GYP_Jun26 (04.06.2026)
    Detects suspicious build configuration files containing shell command execution constructs that may be abused during npm package installation, as these files are automatically processed by node-gyp in trusted build environments.
APT_DPRK_RAT_HuggingFace_Exfil_Jun26 (03.06.2026)
    Detects a JavaScript RAT used in the DPRK Contagious Interview campaign that exfiltrates screenshots and files via the HuggingFace API
EXPL_WER_CVE_2026_41089_Netlogon_Jun26 (02.06.2026)
    Detects characteristics in WER files (crash reports) that could indicate exploitation of CVE-2026-41089, a critical vulnerability in Microsoft Windows Netlogon that allows remote code execution through a stack-based buffer overflow in the BuildSamLogonResponse function. The presence of specific strings related to lsass.exe, netlogon.DLL, and certain error codes could indicate an attempted or successful exploitation of this vulnerability.
SUSP_LNX_ETC_SHADOW_IO_URING_Jun26 (01.06.2026)
    Detects suspicious access to /etc/shadow using io_uring syscalls
MAL_MWSRAT_Jun26 (01.06.2026)
    Detects MWSRAT, which searches the host for cryptocurrency wallets, performs local network scanning, queries the registry, and hijacks the clipboard to swap copied cryptocurrency addresses
SUSP_LNX_CRONTAB_INSTALL_Jun26 (01.06.2026)
    Detects suspicious installation of crontab entries for persistence
MAL_RUSTCLOAK_Loader_Jun26 (01.06.2026)
    Detects the RUSTCLOAK loader, which evades sandbox analysis, decrypts an encoded shellcode payload, and executes it via fiber hijacking.
SUSP_JS_OBFUSC_Caesar_Cipher_Jun26 (01.06.2026)
    Detects obfuscated JavaScript that decodes a Caesar-ciphered, char-code-encoded payload at runtime and executes it
MAL_MacOS_Stealer_May26 (29.05.2026)
    Detects a stealer written in Rust that targets Chromium browser data, Telegram sessions, cryptocurrency wallets, Apple Notes, and the macOS keychain; it uses AppleScript for password prompting, stages stolen data into a ZIP archive, and exfiltrates it externally.
MAL_PY_Crypto_Market_Beaconing_May26 (29.05.2026)
    Detects a Python script that collects cryptocurrency prices from multiple exchanges while communicating with an external untrusted domain, potentially indicating a disguised data collection agent.
MAL_AMSI_Bypass_May26 (28.05.2026)
    Detects .NET binaries attempting AMSI evasion via hardware breakpoints (DRx registers)
MAL_Bash_Loader_May26 (28.05.2026)
    Detects a macOS Bash loader that downloads and launches decoy applications, removes macOS security attributes, and executes secondary payloads
MAL_GO_DNS_Backdoor_May26 (27.05.2026)
    Detects a backdoor written in Go that executes arbitrary commands received via DNS TXT lookups
Successful YARA Rules in Set
This table shows statistics of the best rules, i.e. those with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days).

Rule | Average AV Detection Rate | Sample Count | Info | VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched).

Rule | AVs | Hash (SHA-256)
SUSP_Encoded_PS_ToBase64String_From_Bytes | 1 | 0acb7a41c0e8c2127926fd0a6bee1aea25cff5971b71ec38abcc303a45d2dedb
SUSP_PS1_FromBase64String_Content_Indicator | 1 | 0acb7a41c0e8c2127926fd0a6bee1aea25cff5971b71ec38abcc303a45d2dedb
SUSP_PS1_FromBase64String_Content_Indicator_Jan20 | 1 | 0acb7a41c0e8c2127926fd0a6bee1aea25cff5971b71ec38abcc303a45d2dedb
SUSP_OBFUSC_NET_Reactor_JIT_Encryption_Feb25 | 4 | f7a4dbd33190770e1cf2156fa66ca843e39dc31c04de813617edddc7a2e33598
SUSP_OBFUSC_Script_Indicators_Jul25 | 10 | 997e8084a7addf3dc57b916e89b93e5270d09d843eda85efb290aa247c2b4c11
SUSP_PS1_Command_Rare_CmdLine_Arguments_Jan20 | 10 | 997e8084a7addf3dc57b916e89b93e5270d09d843eda85efb290aa247c2b4c11
SUSP_Protector_Themida_Packed_Samples_Mar21_1 | 7 | 7c68acceb212cf5d17a21218926c479825e699d191b8bf3d7edab8a964c3c08a
PUA_ConnectWise_ScreenConnect_Mar23 | 7 | 69eb06a186528d73ca0bc4739864285bf427558150df743cc146556ccbd555e3
SUSP_LNK_SuspiciousCommands_Jan23_3 | 13 | f0b0695f06412260964bfc2533c887f76d75be094273f2692643bf877a9cef6a
SUSP_LNK_Raspberry_Robin_Jul22_1 | 13 | f0b0695f06412260964bfc2533c887f76d75be094273f2692643bf877a9cef6a
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can belong to several categories).

Tag | Count
Malware | 7683
Threat Hunting (not subscribable, only in THOR scanner) | 5924
APT | 5067
Hacktools | 4872
Webshells | 2402
Exploits | 738
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set (rule title with the date it was added, followed by its description).

NTLM Hash Leak Via Curl NTLM Authentication (04.06.2026)
    Detects the use of curl with NTLM authentication and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an attacker-controlled server, enabling offline cracking or relay attacks.
    When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials stored in LSASS, without requiring a plaintext password.
    This behavior is exclusive to the curl binary shipped by Microsoft (available since Windows 10 / Windows Server 2019), which is built with SSPI support.
Uninstall SystemComponent Registry Value Modification via CommandLine (04.06.2026)
    Detects modification of the "SystemComponent" registry value in the "Uninstall" key through the command line.
    Attackers modify this value to hide installed applications from "Programs and Features", often as part of persistence or defense evasion techniques.
Hiding of an Installed Application from Application Wizard (04.06.2026)
    Detects the SystemComponent DWORD registry value being set to 1 under an application's Uninstall key, which removes the application from "Programs and Features" and "Add or Remove Programs" visibility.
    Threat actors use this technique to hide installed applications from normal administrative review as part of persistence or defense evasion strategies.
LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089 (02.06.2026)
    Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409).
    This crash, especially on Domain Controllers, might indicate exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability in the Netlogon component of Windows that can be triggered by sending specially crafted requests to the Netlogon service, leading to a stack-based buffer overflow and a subsequent crash of the LSASS process.
Cloud Provider Credential Dumping via Environment Variable Grep (28.05.2026)
    Detects attempts to discover cloud provider credentials stored in environment variables by using 'grep' with cloud provider-specific patterns (AWS, Google Cloud, GCloud, Azure).
    Attackers commonly enumerate environment variables after gaining initial access to identify or steal credentials for further exploitation, such as lateral movement or data exfiltration.
Kubernetes Secrets Dumping via Kubectl (28.05.2026)
    Detects attempts to dump Kubernetes secrets using kubectl.
    Attackers with sufficient RBAC permissions may enumerate secrets cluster-wide to harvest credentials, API tokens, TLS certificates, or other sensitive data stored as Kubernetes secrets.
Potentially Suspicious Load of Cldapi DLL (27.05.2026)
    Detects potentially suspicious loading of Cldapi.dll, which is associated with the Windows Cloud Files API.
    While Cldapi.dll is a legitimate system component, its loading can be abused by attackers to execute code in the context of trusted processes or to escalate privileges, as seen in Green Plasma.
Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On macOS (26.05.2026)
    Detects a macOS shell process (e.g. zsh, bash, sh) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain.
    This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner.
    Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself.
Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On Linux (21.05.2026)
    Detects a Linux shell process (e.g. bash, sh, dash) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain.
    This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner.
    Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself.
Bun Runtime Execution Via Node.js Spawned Shell On Windows (21.05.2026)
    Detects a Windows shell process (e.g. cmd.exe, powershell.exe) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain.
    This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js child_process APIs to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner.
    Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions compared to Node.js itself.
Potential RID Hijacking Attempt via PowerShell (19.05.2026)
    Detects PowerShell scripts that attempt to modify the SAM registry to potentially perform RID hijacking attacks.
    In a RID hijacking attack, an attacker modifies the RID set of a user account, such as the Guest user, to escalate privileges or impersonate another user.
Potential RID Hijacking Attempt (19.05.2026)
    Detects attempts to modify the SAM registry to potentially perform RID hijacking attacks.
    In a RID hijacking attack, an attacker modifies the RID set of a user account, such as the Guest user, to escalate privileges or impersonate another user.
Potential RID Hijacking Attempt - Registry (19.05.2026)
    Detects modifications to the RID Set registry keys which could indicate an attempt to perform RID hijacking attacks.
    In RID hijacking, an attacker modifies the RID set of a user account, such as the Guest user, to escalate privileges or impersonate another user.
Agentic Coding Skill Files Created by Suspicious Process (15.05.2026)
    Detects creation of agentic skill files by suspicious processes.
    Agentic skill files are typically markdown files that define capabilities for agentic AI coding assistants like Claude Code.
    Adversaries may drop malicious skill definition files and invoke them for malicious purposes.
Suspicious Creation of Agentic Coding Skill Files in Sensitive Locations (15.05.2026)
    Detects the creation of agentic coding skill files in suspicious or world-writable locations.
    Agentic skill files are typically markdown files that define capabilities for agentic AI assistants such as Claude or OpenClaw.
    Adversaries may drop malicious skill definition files in these locations before invoking them for malicious purposes.
Self-Referential Payload Extraction via PowerShell (12.05.2026)
    Detects PowerShell scripts that read file content, extract an embedded payload via regex matching, and write the result to disk for further execution.
    This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely.
    The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location.
Self-Referential Payload Extraction via PowerShell Command Line (12.05.2026)
    Detects PowerShell one-liners that read a file's content, extract an embedded payload via regex matching, and write the result to disk for further execution.
    This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely.
    The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location.
PowerShell Dynamic Module Command Invocation via Index Access - PsScript (11.05.2026)
    Detects PowerShell scripts that dynamically invoke commands from the Microsoft.PowerShell.Utility module using index access on the ExportedCommands collection.
    Threat actors may use this technique to bypass detection mechanisms that look for specific command names, as the actual commands being invoked are determined at runtime and may not be explicitly mentioned in the script.
PowerShell Dynamic Module Command Invocation via Index Access (11.05.2026)
    Detects PowerShell scripts that dynamically invoke commands from the Microsoft.PowerShell.Utility module using index access on the ExportedCommands collection.
    Threat actors may use this technique to bypass detection mechanisms that look for specific command names, as the actual commands being invoked are determined at runtime and may not be explicitly mentioned in the script.
HH.EXE CHM File Decompilation (08.05.2026)
    Detects execution of hh.exe with the -decompile (-d) flag to extract the contents of a CHM file.
    Threat actors abuse this technique to drop and execute malicious payloads embedded in CHM files.
HH.EXE CHM Decompilation With Non-CHM File Extension (08.05.2026)
    Detects execution of hh.exe with the -decompile (-d) flag where no .chm extension is present in the command line.
    Threat actors disguise CHM files with alternative extensions (e.g. .doc, .pdf) to evade detection, then pass them to hh.exe for decompilation and payload extraction.
Net User Logon Time Restriction and Account Lockout (04.05.2026)
    Detects usage of the net user command to set logon time restrictions and disable accounts, a technique used by wipers to prevent user logins and lock out accounts, hindering recovery efforts.
Network Interface Disabled Via Netsh (04.05.2026)
    Detects netsh being used to disable a network interface.
    Threat actors abuse this to cut off network connectivity and prevent remote recovery or intervention during destructive attacks.
Winlogon CachedLogonsCount Registry Manipulation Via CLI (04.05.2026)
    Detects command-line manipulation of the CachedLogonsCount registry value under the Winlogon key.
    This value controls how many domain credential sets Windows caches locally.
    Setting it to zero disables caching entirely, forcing direct domain controller authentication.
    Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise.
Robocopy Mirror Directory Wipe (04.05.2026)
    Detects robocopy invoked with the /MIR and /B flags, a technique commonly abused by wipers to overwrite entire directory trees by mirroring an empty source folder in backup mode, permanently destroying all file contents.
Diskpart Volume Clean All Execution (04.05.2026)
    Detects the execution of diskpart's "clean all" command, which permanently destroys all data on a disk volume by overwriting every sector with zeros. Threat actors abuse this for data destruction and wiper attacks.
Winlogon CachedLogonsCount Registry Value Set To Zero (04.05.2026)
    Detects registry set events where the CachedLogonsCount value under the Winlogon key is set to zero.
    This disables Windows cached domain credentials, forcing direct domain controller authentication.
    Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise.
Free Disk Space Enumeration Via Fsutil (04.05.2026)
    Detects the use of fsutil to enumerate free disk space on a volume.
    Threat actors may abuse this to determine available space before carrying out further actions such as data destruction or exfiltration.
Large File Creation Via Fsutil (04.05.2026)
    Detects fsutil being used to create a new file with a suspiciously large size.
    Threat actors abuse this technique to fill all available disk space, exhausting the filesystem and preventing the OS from writing logs, recovery artifacts, or any new data.
YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2818 | 21367
Sigma | 3591 | 1028
Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1351
windows / registry_set | 219
windows / file_event | 209
windows / ps_script | 166
windows / security | 160
linux / process_creation | 139
windows / image_load | 114
webserver | 82
windows / system | 74
macos / process_creation | 69
aws / cloudtrail | 55
proxy | 54
linux / auditd | 53
windows / network_connection | 53
azure / activitylogs | 42
windows / registry_event | 40
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 32
windows / dns_query | 27
windows / process_access | 25
azure / signinlogs | 24
opencanary / application | 24
okta / okta | 22
azure / riskdetection | 19
windows / pipe_created | 19
windows / windefend | 17
rpc_firewall / application | 17
linux | 16
gcp / gcp.audit | 16
github / audit | 15
linux / file_event | 15
bitbucket / audit | 14
windows / file_delete | 13
m365 / threat_management | 13
cisco / aaa | 13
windows / create_remote_thread | 12
dns | 10
windows / driver_load | 10
windows / registry_delete | 10
kubernetes / application / audit | 10
windows / codeintegrity-operational | 10
windows / appxdeployment-server | 9
windows / create_stream_hash | 9
windows / ps_classic_start | 9
windows / msexchange-management | 8
windows / firewall-as | 8
antivirus | 7
fortigate / event | 7
azure / pim | 7
windows / file_access | 7
windows / bits-client | 7
zeek / smb_files | 7
gcp / google_workspace.admin | 7
kubernetes / audit | 6
windows / dns-client | 6
jvm / application | 5
zeek / dns | 5
linux / network_connection | 5
zeek / http | 5
windows / iis-configuration | 4
zeek / dce_rpc | 4
m365 / audit | 4
windows / sysmon | 4
macos / file_event | 4
windows / taskscheduler | 4
windows / powershell-classic | 3
windows / ntlm | 3
windows / registry_add | 3
linux / sshd | 3
gcp / google_workspace.login | 3
windows / wmi_event | 3
onelogin / onelogin.events | 2
firewall | 2
windows / security-mitigations | 2
linux / syslog | 2
windows / dns-server | 2
spring / application | 2
apache | 2
linux / sudo | 1
cisco / duo | 1
cisco / ldp | 1
nginx | 1
windows / dns-server-analytic | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
database | 1
cisco / bgp | 1
windows / ldap | 1
django / application | 1
windows / printservice-admin | 1
linux / clamav | 1
windows / lsa-server | 1
linux / auth | 1
windows / appmodel-runtime | 1
fortios / sslvpnd | 1
linux / cron | 1
windows / applocker | 1
windows / openssh | 1
windows / process_tampering | 1
cisco / syslog | 1
linux / guacamole | 1
huawei / bgp | 1
windows / appxpackaging-om | 1
windows / smbclient-connectivity | 1
juniper / bgp | 1
windows / smbserver-connectivity | 1
windows / raw_access_thread | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
linux / vsftpd | 1
windows / capi2 | 1
windows / shell-core | 1
windows / file_change | 1
paloalto / appliance / globalprotect | 1
zeek / x509 | 1
windows / certificateservicesclient-lifecycle-system | 1
python / application | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
ruby_on_rails / application | 1
m365 / exchange | 1
zeek / rdp | 1
windows / file_rename | 1
windows / sysmon_status | 1
sql / application | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_error | 1
m365 / threat_detection | 1
windows / driver-framework | 1
velocity / application | 1
windows | 1
Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 505
windows / registry_set | 92
windows / ps_script | 88
linux / process_creation | 55
windows / file_event | 49
windows / image_load | 47
windows / security | 29
windows / wmi | 29
proxy | 13
windows / system | 13
windows / network_connection | 9
windows / registry_event | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / dns_query | 5
windows / sense | 4
windows / pipe_created | 4
webserver | 4
windows / taskscheduler | 4
windows / registry_delete | 4
windows / create_remote_thread | 4
macos / process_creation | 3
dns | 3
windows / ps_classic_script | 3
windows / vhd | 3
windows / hyper-v-worker | 3
windows / application-experience | 3
windows / driver_load | 3
windows / kernel-shimengine | 2
windows / file_delete | 2
linux / file_event | 2
windows / bits-client | 2
windows / smbclient-security | 2
windows / codeintegrity-operational | 2
windows / process_access | 2
windows / windefend | 2
windows / file_access | 2
windows / audit-cve | 1
windows / file_rename | 1
linux / file_delete | 1
windows / firewall-as | 1
windows / amsi | 1
windows / registry-setinformation | 1
windows / application | 1
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
