currently serving 20759 YARA rules and 3706 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

| Rule | Description | Date |
|---|---|---|
| HKTL_Voidgate_Jun24 | Detects Voidgate, a tool to bypass AV/EDR memory scanners by performing on-the-fly decryption of individual encrypted assembly instructions | 17.06.2024 |
| MAL_RANSOM_Darkside_Jun24 | Detects Darkside ransomware | 16.06.2024 |
| MAL_PikaBot_Loader_Jun24 | Detects PikaBot loader | 14.06.2024 |
| MAL_PikaBot_Jun24 | Detects PikaBot backdoor | 14.06.2024 |
| MAL_Zeus_Trojain_Jun24 | Detects Zeus trojan | 12.06.2024 |
| MAL_Valleyrat_Loader_Jun24 | Detects Valleyrat loader, a malware developed by a China-based threat actor | 12.06.2024 |
| SUSP_MAL_WASP_Stealer_Indicators_Jun24_1 | Detects indicators of supply chain attacks that contain malicious Python code as used in WASP stealer | 10.06.2024 |
| MAL_Packed_RansomHouse_Jun24 | Detects packed ransomware: RansomHouse | 09.06.2024 |
| MAL_GCleaner_Jun24 | Detects GCleaner, a Pay-Per-Install (PPI) loader | 09.06.2024 |
| MAL_Zombieware_Jun24 | Detects Zombieware file infector | 09.06.2024 |
| MAL_DLL_Mustangpanda_Jun24 | Detects a DLL related to Mustangpanda APT | 08.06.2024 |
| MAL_Plugx_DLL_Jun24_1 | Detects Plugx DLL | 08.06.2024 |
| APT_MAL_Kimsuky_HTML_Jun24 | Detects HTML with embedded VBS which sends information to a C2, related to Kimsuky APT | 07.06.2024 |
| APT_MAL_XML_Kimsuky_Jun24 | Detects an XML file that downloads the payload and creates a scheduled task for it, related to Kimsuky APT | 07.06.2024 |
| APT_MAL_XML_Mustangpanda_Jun24 | Detects an XML file that downloads the next stage payload, related to Mustangpanda APT | 07.06.2024 |
| MAL_PY_Downloader_Jun24 | Detects a Python script that downloads a malicious DLL, targeting users in Brazil | 06.06.2024 |
| MAL_PY_Loader_Jun24 | Detects a Python script that downloads the next stage payload into memory, targeting users in Brazil | 06.06.2024 |
| SUSP_MAL_RANSOM_Go_Indicators_Jun26_1 | Detects an unknown Go-based ransomware (Linux, macOS) | 04.06.2024 |
| SUSP_MAL_RANSOM_Go_Indicators_Jun26_2 | Detects an unknown Go-based ransomware (Linux, macOS) | 04.06.2024 |
| MAL_BPyCode_May24 | Detects BPyCode, a Python script that downloads a DLL and executes it in memory | 31.05.2024 |
| MAL_DLL_ExecutorLoader_May24 | Detects ExecutorLoader, a Borland Delphi DLL which is downloaded and executed in memory by BPyCode; it decodes and executes the final payload, which is embedded as a resource, and injects it into a (renamed) mshta.exe instance | 31.05.2024 |
| MAL_TunnelSpecter_May24 | Detects TunnelSpecter, a previously undocumented custom backdoor used in a Chinese cyberespionage campaign targeting governmental entities in the Middle East, Africa and Asia | 30.05.2024 |
| MAL_TunnelSpecter_Loader_May24 | Detects the TunnelSpecter loader seen used in a Chinese cyberespionage campaign | 30.05.2024 |
| SUSP_OBFUSC_Bat_May24 | Detects an obfuscated batch (BAT) file seen used by the China-based Water Sigbin threat actor, which exploits CVE-2017-3506 and CVE-2023-21839 to deploy a crypto miner via a PowerShell script | 30.05.2024 |
| SUSP_EXPL_CVE_2017_3506_May24_1 | Detects possible exploitation of CVE-2017-3506 based on suspicious PowerShell commands | 30.05.2024 |
| SUSP_EXPL_CVE_2017_3506_May24_2 | Detects possible exploitation of CVE-2017-3506 based on suspicious commands | 30.05.2024 |
| SUSP_EXPL_CVE_2017_3506_May24_3 | Detects possible exploitation of CVE-2017-3506 based on suspicious folder locations | 30.05.2024 |
| MAL_Allasenha_May24 | Detects the AllaSenha banking trojan targeting Brazilian bank accounts; it leverages Azure cloud as command and control (C2) infrastructure and is another custom variant of AllaKore RAT | 30.05.2024 |
| MAL_SplitLoader_May24 | Detects SplitLoader, a custom malware loader related to the Moonstone Sleet threat actor | 30.05.2024 |
| MAL_YouieLoad_May24 | Detects YouieLoad, a custom malware loader related to the Moonstone Sleet threat actor | 30.05.2024 |

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest AV detection rates (rules created in the last 12 months, matches from the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20 |
| SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180 |
| SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14 |
| SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64 |
| SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11 |
| SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22 |
| SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45 |
| SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736 |
| SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43 |
| SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21 |
| SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21 |
| SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14 |
| SUSP_URL_Split_Jun23 | 2.5 | 18 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13 |
| PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18 |
| SUSP_JS_Redirector_Mar23 | 2.81 | 108 |
| SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274 |
| SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16 |
| SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34 |
| SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64 |
| SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17 |
| HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16 |
| SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13 |
| SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16 |
| SUSP_RANSOM_Note_Aug22 | 4.01 | 171 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67 |
| SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18 |
| SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12 |
| SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26 |
| SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31 |

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

| Rule | AVs | Hash |
|---|---|---|
| APT_PlugX_SFX_with_Chinese_Chars | 6 | 5fe6778d75a76642cf54a009561ca23cdaa558255968ebe0880db8422245add1 |
| VULN_Intel_Driver_IQVW_Jan23_1 | 14 | 232a7700c4bb8eb8aadbcdb0ea2204be1a348d71e3c8b39c2a9085337132c1bc |
| HKTL_Shellter_Payload_Mar20_2 | 13 | bf440c0b7157d794bc665052ed05e94424c027702b27a774591175481083637a |
| Hacktool_inject | 13 | bf440c0b7157d794bc665052ed05e94424c027702b27a774591175481083637a |
| Generic_Strings_Hacktools | 13 | bf440c0b7157d794bc665052ed05e94424c027702b27a774591175481083637a |
| HKTL_DDLInjection_Keywords | 13 | bf440c0b7157d794bc665052ed05e94424c027702b27a774591175481083637a |
| Hacktool_ProcessHider | 13 | bf440c0b7157d794bc665052ed05e94424c027702b27a774591175481083637a |
| Generic_Strings_Hacktools | 2 | 65bca5756eb10ff39833450ce1ac4aac1ac1d989efdbe29a8ec47954dc79a84f |
| Generic_Strings_Hacktools | 6 | 6d3820e8a728132ae6edb3472d481965f94c6f52e7a07e199fde04838bb3b789 |
| HKTL_SilentTrinity_PS1_Posh_Stager | 2 | 8911e0e33847a5f83e73e08d67e71e5a85564a10edd69a27452d6492fdb1d8e2 |
| SUSP_WEBSHELL_ASPX_DLL_Indicators_Jul22_1 | 14 | 744b79df96a9cb96330208eab08e647920000690e481df5de7bfa2e4aaeb46c0 |
| APT_MAL_Snip3_Crypter_RAT_May21_1 | 2 | 266e81d080966c2fad5e73b15f64837f75e010fc32fb26aca4fdbec24c239577 |
| APT_PlugX_SFX_with_Chinese_Chars | 5 | 95e223b41143bd1e3321909c9c67176e1560895a910b5d0d2747d8b910d0b5a7 |
| APT_PlugX_SFX_with_Chinese_Chars | 3 | c24e63117dc25d2ccf2efb4fdbf43b37ed82a238377062fb0d92417aaa103be7 |
| HKTL_NET_GUID_BrowserGhost | 5 | 118a315f3c3fe93a542d629ce3e088ed7b1e973b5ef914347ed3f187278612dc |
| HKTL_NET_GUID_SharpChromium | 5 | 118a315f3c3fe93a542d629ce3e088ed7b1e973b5ef914347ed3f187278612dc |
| Generic_Exploit_Strings_Oct18 | 7 | ac2d0a8500399a1b5531f1ea371c8e291fdcd17f3b23c9e4411f03a33c53497a |
| APT_APT28_Sample_Jun18_1 | 1 | f213bff9269e9e5d650c95a64186033b575a7a1d7f1860f91c0c7a63c3191e39 |
| HKTL_Empire_Stager_Jul20_1 | 1 | aeb1b890be8817c2b9e3fac9a7e4c841655d02300c30031e096d95da21e98bb4 |
| HKTL_Empire_in_MEM | 1 | aeb1b890be8817c2b9e3fac9a7e4c841655d02300c30031e096d95da21e98bb4 |

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can belong to more than one category)

| Tag | Count |
|---|---|
| Malware | 6105 |
| Threat Hunting (not subscribable, only in THOR scanner) | 4974 |
| APT | 4824 |
| Hacktools | 4471 |
| Webshells | 2310 |
| Exploits | 624 |

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

| Rule | Description | Date |
|---|---|---|
| Suspicious Child Process Of Program Compatibility Troubleshooter Invoker (Pcwrun.EXE) | Detects the execution of a suspicious "msdt.exe" child process from the "pcwrun.exe" utility. When a certain number of arguments is met, the "pcwrun.exe" main function calls the "LaunchPcw" function, which is responsible for launching the "msdt.exe" utility. Unfortunately, the path to the "msdt.exe" binary is resolved dynamically by expanding the environment variable "%windir%". An attacker can manipulate this variable, for example via the "set" command, and set its value to a custom path instead of the default "C:\Windows", which would allow the execution of any arbitrary binary named "msdt.exe". | 06.06.2024 |
| Suspicious MsBuild.EXE Execution Without CommandLine Flags | Detects potentially suspicious MsBuild execution. In general, it is suspicious for msbuild.exe to execute without a corresponding command line. This could very likely be a sign of process injection or other suspicious activity. | 06.06.2024 |
| Suspicious Schedule Task Execution Type OnIdle Set Via Schtasks.EXE | Detects the setting of a scheduled task's execution type to "OnIdle". This specifies that the task runs whenever the system is idle for a specified period of time. Attackers were seen using this type of scheduled task in order to achieve stealth and persistence. | 06.06.2024 |
| Potentially Suspicious Script File Created In WindowsApps Directory | Detects the creation of a file with a script extension (ps1, vbs, bat) in the "WindowsApps" directory. This could be a sign of a rogue MSIX package. | 06.06.2024 |
| DLL Sideloading Via ExtExport.EXE | Detects suspicious DLL sideloading activity via ExtExport. ExtExport allows the export of bookmarks from both the Firefox and Qihoo 360 browsers. In order to achieve this it tries to load 3 specific DLLs via the "LoadLibraryExW" API. An attacker can load any DLLs with similar names via this binary by placing them in arbitrary directories. | 06.06.2024 |
| Suspicious Outbound MsBuild Connection | Detects a suspicious outbound connection initiated by an MsBuild process launched without any command line flags. | 06.06.2024 |
| Potentially Suspicious PowerShell Script With Decompression And Download Capabilities Executed | Detects the execution of a potentially suspicious PowerShell script that contains references to "Download", "Decompression" and "Execution" cmdlets along with suspicious paths and file sharing websites. Threat actors were seen leveraging PowerShell scripts that download a compressed malicious payload from a file sharing domain such as "anonfiles" or some CDN hosting platform, decompress and store the payload in an unusual location such as a "Temp" directory, and then execute it. | 06.06.2024 |
| Suspicious Fsutil.EXE Child Process | Detects child processes of "fsutil.exe" starting from uncommon locations. Starting from Windows 11, the "fsutil.exe" utility introduced a command line flag called "trace". It allows the user to start, stop, query and decode NTFS trace information. Internally these sub flags make use of the "netsh.exe" and "logman.exe" utilities to decode and handle the trace respectively. An attacker can plant a fake instance of "netsh.exe" or "logman.exe" in the current directory of execution and get them launched by "fsutil.exe". | 06.06.2024 |
| Potentially Suspicious Usage Of Qemu - Virtual Machine Created With Very Low RAM Size | Detects potentially suspicious execution of the Qemu utility in a Windows environment where the allocated memory size for the virtual machine is very low. This could be a sign of abuse, as threat actors have leveraged this utility and this technique for achieving network access, as reported by Kaspersky. | 04.06.2024 |
| Potentially Suspicious Usage Of Qemu - Remote Connection To External IP | Detects potentially suspicious execution of the Qemu utility in a Windows environment connecting to an external IP address. Threat actors have leveraged this utility and this technique for achieving network access, as reported by Kaspersky. | 04.06.2024 |
| Network Connection Initiated To Cloudflared Tunnels Domains | Detects network connections to Cloudflared tunnel domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. | 27.05.2024 |
| Uncommon Process Access Rights For Target Image | Detects process access requests to uncommon target images with a "PROCESS_ALL_ACCESS" access mask. | 27.05.2024 |
| Potentially Suspicious Child Process of KeyScrambler.exe | Detects potentially suspicious child processes of KeyScrambler.exe | 13.05.2024 |
| Uncommon File System Load Attempt By Format.com - ImageLoad | Detects the load of uncommon file system DLLs by the "format.com" utility. An attacker can point "format.com" to load any DLL using the "/FS" flag. | 13.05.2024 |
| Launch Agent/Daemon Execution Via Launchctl | Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS. | 13.05.2024 |
| Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock | Detects the execution of PowerShell scripts with calls to the "Start-NetEventSession" cmdlet, which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network traffic to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. | 12.05.2024 |
| UAC Notification Disabled | Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed. | 10.05.2024 |
| UAC Secure Desktop Prompt Disabled | Detects when an attacker tries to change the User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that is isolated from other processes running on the system. It is designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software. | 10.05.2024 |
| Suspicious External WebDAV Execution | Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns. | 10.05.2024 |
| Potentially Suspicious Malware Callback Communication - Linux | Detects programs that connect to known malware callback ports based on threat intelligence reports. | 10.05.2024 |
| New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE | Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule". | 10.05.2024 |
| Access To Windows Outlook Mail Files By Uncommon Application | Detects file access requests to Windows Outlook Mail files by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before usage. | 10.05.2024 |
| File Recovery From Backup Via Wbadmin.EXE | Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or registry hives from backups in order to potentially extract credentials. | 10.05.2024 |
| Sensitive File Dump Via Wbadmin.EXE | Detects the dump of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credentials or other sensitive information. | 10.05.2024 |
| Sensitive File Recovery From Backup Via Wbadmin.EXE | Detects the dump of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credentials or other sensitive information. | 10.05.2024 |
| Keyboard Layout - Scancode Map Modification - Registry | Detects the setting of the "Scancode Map" registry value. This value allows a user to customize and map keyboard keys to different values. Ransomware was seen using this technique in order to prevent the user from interacting with the machine during the encryption process. | 07.05.2024 |
| Keyboard Layout - Scancode Map Modification - CommandLine | Detects the setting of the "Scancode Map" registry value via the command line. This value allows a user to customize and map keyboard keys to different values. Ransomware was seen using this technique in order to prevent the user from interacting with the machine during the encryption process. | 03.05.2024 |
| Remote Access Tool - HopToDesk Silent Installation | Detects the installation of HopToDesk.EXE with the silent flag. HopToDesk is a free remote desktop tool allowing users to share their screen and allow remote control access to their computers and devices. It was seen being abused by ransomware threat actors in order to deploy and execute malware remotely. | 03.05.2024 |
| Renamed HopToDesk.EXE Execution | Detects the execution of a renamed version of HopToDesk.EXE. HopToDesk is a free remote desktop tool allowing users to share their screen and allow remote control access to their computers and devices. It was seen being abused by ransomware threat actors in order to deploy and execute malware remotely. | 03.05.2024 |
| Local Command Proxy Execution Via Winrs.EXE | Detects the execution of local commands via "winrs.exe" using the WinRM service. An attacker can enable the WinRM service locally and start to proxy commands on the system through "winrshost.exe". This form of execution can be used as a living-off-the-land binary in order to potentially bypass application whitelisting. | 03.05.2024 |

YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
|---|---|---|
| Yara | 2965 | 17794 |
| Sigma | 3228 | 478 |

Sigma Rules Per Category (Community)

| Type | Count |
|---|---|
| windows / process_creation | 1211 |
| windows / registry_set | 191 |
| windows / file_event | 184 |
| windows / ps_script | 164 |
| windows / security | 153 |
| linux / process_creation | 109 |
| windows / image_load | 98 |
| webserver | 78 |
| windows / system | 72 |
| macos / process_creation | 57 |
| proxy | 51 |
| linux / auditd | 49 |
| windows / network_connection | 48 |
| azure / activitylogs | 43 |
| windows / registry_event | 38 |
| aws / cloudtrail | 35 |
| azure / auditlogs | 35 |
| windows / ps_module | 32 |
| windows / application | 28 |
| azure / signinlogs | 24 |
| windows / process_access | 23 |
| okta / okta | 22 |
| windows / dns_query | 20 |
| azure / riskdetection | 19 |
| opencanary / application | 18 |
| windows / pipe_created | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| gcp / gcp.audit | 16 |
| windows / windefend | 16 |
| bitbucket / audit | 14 |
| m365 / threat_management | 13 |
| windows / file_delete | 12 |
| windows / create_remote_thread | 12 |
| cisco / aaa | 12 |
| github / audit | 10 |
| windows / codeintegrity-operational | 10 |
| windows / ps_classic_start | 10 |
| kubernetes / application / audit | 10 |
| windows / driver_load | 10 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / create_stream_hash | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| dns | 8 |
| windows / file_access | 7 |
| gcp / google_workspace.admin | 7 |
| zeek / smb_files | 7 |
| windows / bits-client | 7 |
| antivirus | 7 |
| azure / pim | 7 |
| windows / appxdeployment-server | 7 |
| windows / registry_delete | 6 |
| windows / dns-client | 5 |
| jvm / application | 5 |
| zeek / dns | 4 |
| zeek / dce_rpc | 4 |
| windows / sysmon | 4 |
| windows / taskscheduler | 4 |
| linux / network_connection | 4 |
| linux / sshd | 3 |
| windows / wmi_event | 3 |
| zeek / http | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| windows / security-mitigations | 2 |
| windows / file_change | 2 |
| spring / application | 2 |
| firewall | 2 |
| m365 / audit | 2 |
| linux / syslog | 2 |
| windows / dns-server | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| qualys | 2 |
| apache | 2 |
| paloalto / file_event / globalprotect | 1 |
| huawei / bgp | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| windows / process_tampering | 1 |
| nodejs / application | 1 |
| paloalto / appliance / globalprotect | 1 |
| cisco / duo | 1 |
| linux / guacamole | 1 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| windows / raw_access_thread | 1 |
| python / application | 1 |
| linux / clamav | 1 |
| windows / appxpackaging-om | 1 |
| windows / capi2 | 1 |
| windows / shell-core | 1 |
| windows / file_executable_detected | 1 |
| velocity / application | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / microsoft-servicebus-client | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| linux / sudo | 1 |
| zeek / x509 | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| sql / application | 1 |
| linux / vsftpd | 1 |
| windows / diagnosis-scripted | 1 |
| windows / sysmon_status | 1 |
| m365 / threat_detection | 1 |
| zeek / rdp | 1 |
| windows / sysmon_error | 1 |
| database | 1 |
| zeek / kerberos | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / dns-server-analytic | 1 |
| windows | 1 |
| windows / printservice-operational | 1 |
| nginx | 1 |
| windows / driver-framework | 1 |
| windows / printservice-admin | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| windows / ps_classic_provider_start | 1 |
| fortios / sslvpnd | 1 |
| netflow | 1 |
| cisco / ldp | 1 |
| cisco / syslog | 1 |
| linux / auth | 1 |
| cisco / bgp | 1 |
| windows / ldap | 1 |
| django / application | 1 |
| windows / smbclient-connectivity | 1 |
| linux / cron | 1 |

Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
|---|---|
| windows / process_creation | 202 |
| windows / ps_script | 54 |
| windows / registry_set | 51 |
| windows / wmi | 29 |
| windows / file_event | 21 |
| windows / image_load | 16 |
| proxy | 11 |
| windows / security | 10 |
| windows / system | 10 |
| windows / network_connection | 7 |
| windows / kernel-event-tracing | 6 |
| windows / ps_module | 5 |
| windows / ntfs | 5 |
| windows / create_remote_thread | 4 |
| windows / registry_event | 4 |
| windows / ps_classic_script | 3 |
| linux / process_creation | 3 |
| windows / vhd | 3 |
| windows / registry_delete | 3 |
| webserver | 3 |
| windows / application-experience | 3 |
| windows / hyper-v-worker | 3 |
| windows / pipe_created | 3 |
| windows / taskscheduler | 2 |
| windows / driver_load | 2 |
| windows / bits-client | 2 |
| windows / kernel-shimengine | 2 |
| windows / amsi | 1 |
| windows / process_access | 1 |
| macos / process_creation | 1 |
| windows / application | 1 |
| windows / dns_query | 1 |
| windows / registry-setinformation | 1 |
| windows / audit-cve | 1 |
| windows / file_access | 1 |
| windows / codeintegrity-operational | 1 |
| windows / file_rename | 1 |
| windows / file_delete | 1 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html