currently serving 24230 YARA rules and 4633 Sigma rules
New Rules per Day (chart)
Newest YARA Rules
This table shows the newest additions to the YARA rule set

| Rule | Description | Date |
| --- | --- | --- |
| MAL_GriefLure_Modular_Backdoor_Jun26 | Detects a modular backdoor, seen being used by the GriefLure APT | 22.06.2026 |
| APT_RU_EasterBunny_Forensic_Artifacts_Jun26 | Detects artifacts related to APT Easter Bunny | 19.06.2026 |
| APT_RU_EasterBunny_Implant_InMemory_Jun26 | Detects in-memory implants related to APT Easter Bunny | 19.06.2026 |
| HKTL_CS_BOFF_RawHive_Jun26 | Detects indicators of the RawHive BOFF technique used by Cobalt Strike, which involves dumping registry hives to temporary files with specific naming patterns | 18.06.2026 |
| MAL_Crimson_RAT_Jun26 | Detects Crimson RAT, written in C#, which provides remote access and data exfiltration features, seen being used by the SideCopy APT group | 17.06.2026 |
| MAL_WHQL_Network_Backdoor_Jun26 | Detects the presence of a kernel backdoor executing commands from encrypted network packets | 16.06.2026 |
| WEBSHELL_APT_PHP_INFINITERED_Jun26 | Detects suspicious PHP webshell activity related to the INFINITERED APT group | 16.06.2026 |
| MAL_ShellCode_Jun26 | Detects shellcode used to decompress an embedded executable, load it into memory, and execute it, seen being used by a China-nexus APT group | 15.06.2026 |
| SUSP_LNX_ARCH_PKGBUILD_NPM_Dependency_Jun26 | Detects a suspicious PKGBUILD with an NPM dependency and install script | 15.06.2026 |
| SUSP_LNX_ARCH_SRCINFO_NPM_Dependency_Jun26 | Detects a suspicious .SRCINFO with an NPM dependency and install script | 15.06.2026 |
| SUSP_LNX_ARCH_Install_Hook_Jun26 | Detects suspicious pre and post hooks in Arch install files | 15.06.2026 |
| EXPL_FreeBSD_Bumsrakete_LPE_Artifacts_Jun26 | Detects artifacts of the Bumsrakete FreeBSD kTLS-RX EXTPG LPE: the dd/rm restore-and-cleanup commands as recorded by OpenBSM argv auditing or sudo command logging | 13.06.2026 |
| MAL_PY_Stealer_Jun26 | Detects a stealer written in Python | 12.06.2026 |
| SUSP_Container_Detection_Jun26 | Detects indicators used to check whether a process is running in a container environment. Manual analysis is recommended. | 12.06.2026 |
| SUSP_GitHub_Action_Detection_Jun26 | Detects indicators used to check whether a process is running in a GitHub Action. Manual analysis is recommended. | 12.06.2026 |
| SUSP_Sandbox_Detection_Jun26 | Detects indicators used to check whether a process is running in a virtual machine environment. Manual analysis is recommended. | 12.06.2026 |
| SUSP_Debugger_Detection_Jun26 | Detects suspicious indicators frequently used for debugger evasion on Linux. Manual analysis is recommended. | 12.06.2026 |
| MAL_NewDriverMMM_KERNEL_ROOTKIT_Jun26 | Detects the NewDriverMMM kernel rootkit, which allows unprivileged users to execute code in kernel mode | 12.06.2026 |
| EXPL_FreeBSD_Bumsrakete_Jun26 | Detects the Bumsrakete FreeBSD privilege escalation exploit, which abuses a kernel TLS bug where sending a file over a kTLS socket corrupts it in place, then overwrites a root setuid binary with shellcode to gain root | 11.06.2026 |
| MAL_LNX_Mirai_Variant_Jun26 | Detects a Mirai botnet variant that uses a specific lock file to prevent multiple instances from running simultaneously, a common technique used by malware to ensure that only one instance of the bot is active on an infected system | 10.06.2026 |
| SUSP_OBFUSC_VBS_Encoded_Array_Eval_Jun26 | Detects obfuscated VBScript using array-based Chr string decoding with a modulo-UBound keystream and Eval execution | 10.06.2026 |
| SUSP_OBFUSC_JS_ActiveX_CharCode_Jun26 | Detects obfuscated JScript that computes ActiveXObject ProgIDs at runtime via wrapped expressions and decodes strings with fromCharCode | 10.06.2026 |
| SUSP_OBFUSC_BAT_Jun26 | Detects obfuscated code patterns commonly used in batch files | 10.06.2026 |
| SUSP_ROUKI_OBF_Jun26 | Detects obfuscated code patterns commonly produced by the Rouki obfuscator | 10.06.2026 |
| MAL_LNX_Scales_EBPF_Rootkit_Jun26 | Detects the presence of the Scales eBPF rootkit, a malicious tool used to hide processes and network connections on Linux systems | 10.06.2026 |
| MAL_Persistence_Dropper_Jun26 | Detects a persistence dropper that is disguised as a legitimate service group, hides its console window, and delivers a second-stage payload, seen being used by the YoroTrooper APT group | 10.06.2026 |
| MAL_TLS_Reverse_Shell_Jun26 | Detects a TLS reverse shell that connects to a C2 and pipes a hidden cmd.exe through an encrypted OpenSSL channel, seen being used by the YoroTrooper APT group | 10.06.2026 |
Successful YARA Rules in Set
This table shows statistics of the best rules, i.e. those with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

| Rule | Average AV Detection Rate | Sample Count | Info | VT |
| --- | --- | --- | --- | --- |
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

| Rule | AVs | Hash |
| --- | --- | --- |
| SUSP_EXPL_POC_Code_Indicators_May26_1 | 1 | 4da37de6ce5204cdadc539c26561aeb99cdd58169bba1a4ed6b1e32a96206325 |
| SUSP_Commands_Disabling_Windows_Firewall_Jul23 | 2 | a96efb8af6875f9f95891d8db3b6306a4a07d401598133a1f08541f89d751ba4 |
| SUSP_Commands_Disabling_Windows_Defender_Service_Jul23 | 2 | a96efb8af6875f9f95891d8db3b6306a4a07d401598133a1f08541f89d751ba4 |
| SUSP_Wextract_Anomaly_Unsigned_May23 | 9 | c44501faed7f8460936e69c2e0b43f1d6f445347269da5fd7e5b1e4676133e2d |
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in 'n' categories)

| Tag | Count |
| --- | --- |
| Malware | 7704 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5935 |
| APT | 5070 |
| Hacktools | 4877 |
| Webshells | 2403 |
| Exploits | 740 |
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set

| Rule | Description | Date |
| --- | --- | --- |
| PowerShell Enumeration of Claude Code Chat History | Detects PowerShell scripts enumerating or reading files within the Claude Code conversation history directory. Claude Code stores conversation history as JSONL files under %USERPROFILE%\.claude\projects\<hash>\<session>.jsonl. Threat actors extract these files and apply regex matching to locate high-value secrets (cloud tokens, private keys, database passwords) before pivoting to infrastructure such as ESXi hosts via harvested SSH credentials. | 11.06.2026 |
| PowerShell One-Liner Targeting Claude Code Chat History | Detects PowerShell one-liners trying to enumerate or read files within the Claude Code conversation history directory. Claude Code stores conversation history as JSONL files under %USERPROFILE%\.claude\projects\<hash>\<session>.jsonl. Threat actors extract these files and apply regex matching to locate high-value secrets (cloud tokens, private keys, database passwords) before pivoting to infrastructure such as ESXi hosts via harvested SSH credentials. | 11.06.2026 |
| PowerShell One-Liner Credential Pattern Search | Detects PowerShell or pwsh one-liners whose command line combines a regex or string-matching primitive with common credential-related keywords. This might indicate an attempt at credential harvesting across local files, including config files, source code, chat history, etc., looking for secrets such as API keys, tokens, passwords, or SSH keys. | 11.06.2026 |
| GitLab Token Access Via GLAB CLI | Detects the GitLab CLI (glab) being used to retrieve stored authentication tokens. Threat actors might access such tokens to gain unauthorized access to GitLab repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment. | 08.06.2026 |
| GitHub Token Access Via GH CLI - Linux | Detects the GitHub CLI (gh) being used to retrieve stored authentication tokens. Threat actors might access such tokens to gain unauthorized access to GitHub repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment. | 08.06.2026 |
| GitLab Token Access Via GLAB CLI - Linux | Detects the GitLab CLI (glab) being used to retrieve stored authentication tokens. Threat actors might access such tokens to gain unauthorized access to GitLab repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment. | 08.06.2026 |
| Node or Bun Execution from Suspicious Locations - Linux | Detects the execution of build tools such as bun and node from potentially suspicious locations on Linux systems. In the recent trend of npm supply chain attacks, threat actors have been observed executing build tools such as bun and node from locations that are not commonly used for legitimate purposes. | 08.06.2026 |
| NPM Package Install Executed From Suspicious Location - Linux | Detects the execution of "npm install" via node on Linux from potentially suspicious directories. This might indicate a malicious package being installed or executed from a non-standard location. Attackers might use npm packages to execute malicious code on the victim's machine, potentially leading to data exfiltration, persistence, or further compromise of the system. | 08.06.2026 |
| Node or Bun Execution from Suspicious Locations | Detects the execution of build tools such as bun and node from potentially suspicious locations on Windows systems. In the recent trend of npm supply chain attacks, threat actors have been observed executing build tools such as bun and node from locations that are not commonly used for legitimate purposes. | 08.06.2026 |
| NPM Package Install Executed From Suspicious Location | Detects the execution of "npm install" via node.exe from potentially suspicious directories on Windows systems. This might indicate a malicious package being installed or executed from a non-standard location. Attackers might use npm packages to execute malicious code on the victim's machine, potentially leading to data exfiltration, persistence, or further compromise of the system. | 08.06.2026 |
| GitHub Token Access Via GH CLI | Detects the GitHub CLI (gh) being used to retrieve stored authentication tokens. Malicious packages and scripts have been observed using these commands to silently exfiltrate the victim's stored GitHub authentication token. | 08.06.2026 |
| NTLM Hash Leak Via Curl NTLM Authentication | Detects the use of curl with NTLM authentication and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an attacker-controlled server, enabling offline cracking or relay attacks. When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials stored in LSASS, without requiring a plaintext password. This behavior is exclusive to the curl binary shipped by Microsoft (available since Windows 10 / Windows Server 2019), which is built with SSPI support. | 04.06.2026 |
| Uninstall SystemComponent Registry Value Modification via CommandLine | Detects modification of the "SystemComponent" registry value in the "Uninstall" key through the command line. Attackers modify this value to hide installed applications from "Programs and Features", often as part of persistence or defense evasion techniques. | 04.06.2026 |
| Hiding of an Installed Application from Application Wizard | Detects the SystemComponent DWORD registry value being set to 1 under an application's Uninstall key, which removes the application from "Programs and Features" and "Add or Remove Programs" visibility. Threat actors use this technique to hide installed applications from normal administrative review as part of persistence or defense evasion strategies. | 04.06.2026 |
| LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089 | Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409). This crash, especially on Domain Controllers, might indicate exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability in the Netlogon component of Windows that can be triggered by sending specially crafted requests to the Netlogon service, leading to a stack-based buffer overflow and a subsequent crash of the LSASS process. | 02.06.2026 |
| AMSI Memory Patching via .NET Reflection - PowerShell | Detects suspicious PowerShell script blocks that attempt to patch AMSI's ScanContent method in memory using the Marshal class. This technique is used by adversaries to bypass AMSI scanning by replacing the ScanContent function under "System.Management.Automation.AmsiUtils" with an empty or attacker-controlled method. | 01.06.2026 |
| AMSI Memory Patching via .NET Reflection | Detects runtime method handle patching via the Marshal class targeting AMSI's ScanContent method. Adversaries overwrite method pointers in memory to redirect execution away from monitored code paths, effectively bypassing AMSI scanning by replacing the ScanContent function under "System.Management.Automation.AmsiUtils" with an empty or attacker-controlled method. | 01.06.2026 |
| PowerShell ETW Provider Disabling via CommandLine | Detects attempts to disable or bypass PowerShell Event Tracing for Windows (ETW) via the command line. This technique can be used to evade script block logging and hinder security monitoring. | 01.06.2026 |
| Cloud Provider Credential Dumping via Environment Variable Grep | Detects attempts to discover cloud provider credentials stored in environment variables by using 'grep' with cloud provider-specific patterns (AWS, Google Cloud, GCloud, Azure). Attackers commonly enumerate environment variables after gaining initial access to identify or steal credentials for further exploitation, such as lateral movement or data exfiltration. | 28.05.2026 |
| Kubernetes Secrets Dumping via Kubectl | Detects attempts to dump Kubernetes secrets using kubectl. Attackers with sufficient RBAC permissions may enumerate secrets cluster-wide to harvest credentials, API tokens, TLS certificates, or other sensitive data stored as Kubernetes secrets. | 28.05.2026 |
| Potentially Suspicious Load of Cldapi DLL | Detects potentially suspicious loading of Cldapi.dll, which is associated with the Windows Cloud Files API. While Cldapi.dll is a legitimate system component, its loading can be abused by attackers to execute code in the context of trusted processes or to escalate privileges, as in Green Plasma. | 27.05.2026 |
| Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On macOS | Detects a macOS shell process (e.g. zsh, bash, sh) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions than Node.js itself. | 26.05.2026 |
| Bun Runtime Execution Via Node.js Spawned Shell On Windows | Detects a Windows shell process (e.g. cmd.exe, powershell.exe) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js child_process APIs to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions than Node.js itself. | 21.05.2026 |
| Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On Linux | Detects a Linux shell process (e.g. bash, sh, dash) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions than Node.js itself. | 21.05.2026 |
| Potential RID Hijacking Attempt via PowerShell | Detects PowerShell scripts that attempt to modify the SAM registry to potentially perform RID hijacking attacks. In a RID hijacking attack, an attacker modifies the RID set of a user account such as the guest user to escalate privileges or impersonate another user. | 19.05.2026 |
| Potential RID Hijacking Attempt | Detects attempts to modify the SAM registry to potentially perform RID hijacking attacks. In a RID hijacking attack, an attacker modifies the RID set of a user account such as the guest user to escalate privileges or impersonate another user. | 19.05.2026 |
| Potential RID Hijacking Attempt - Registry | Detects modifications to the RID Set registry keys which could indicate an attempt to perform RID hijacking attacks. In RID hijacking, an attacker modifies the RID set of a user account such as the guest user to escalate privileges or impersonate another user. | 19.05.2026 |
| Agentic Coding Skill Files Created by Suspicious Process | Detects creation of agentic skill files by suspicious processes. Agentic skill files are typically markdown files that define capabilities for agentic AI coding assistants like Claude Code. Adversaries may drop malicious skill definition files and invoke them for malicious purposes. | 15.05.2026 |
| Suspicious Creation of Agentic Coding Skill Files in Sensitive Locations | Detects the creation of agentic coding skill files in suspicious or world-writable locations. Agentic skill files are typically markdown files that define capabilities for agentic AI assistants such as Claude, OpenClaw, etc. Adversaries may drop malicious skill definition files in these locations before invoking them for malicious purposes. | 15.05.2026 |
| Self-Referential Payload Extraction via PowerShell | Detects PowerShell scripts that read file content, extract an embedded payload via regex matching, and write the result to disk for further execution. This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely. The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location. | 12.05.2026 |
YARA/SIGMA Rule Count
| Rule Type | Community Feed | Nextron Private Feed |
| --- | --- | --- |
| Yara | 2797 | 21433 |
| Sigma | 3591 | 1042 |
Sigma Rules Per Category (Community)
| Type | Count |
| --- | --- |
| windows / process_creation | 1351 |
| windows / registry_set | 219 |
| windows / file_event | 209 |
| windows / ps_script | 166 |
| windows / security | 160 |
| linux / process_creation | 139 |
| windows / image_load | 114 |
| webserver | 82 |
| windows / system | 74 |
| macos / process_creation | 69 |
| aws / cloudtrail | 55 |
| proxy | 54 |
| windows / network_connection | 53 |
| linux / auditd | 53 |
| azure / activitylogs | 42 |
| windows / registry_event | 40 |
| azure / auditlogs | 38 |
| windows / ps_module | 33 |
| windows / application | 32 |
| windows / dns_query | 27 |
| windows / process_access | 25 |
| azure / signinlogs | 24 |
| opencanary / application | 24 |
| okta / okta | 22 |
| windows / pipe_created | 19 |
| azure / riskdetection | 19 |
| rpc_firewall / application | 17 |
| windows / windefend | 17 |
| gcp / gcp.audit | 16 |
| linux | 16 |
| linux / file_event | 15 |
| github / audit | 15 |
| bitbucket / audit | 14 |
| windows / file_delete | 13 |
| m365 / threat_management | 13 |
| cisco / aaa | 13 |
| windows / create_remote_thread | 12 |
| windows / registry_delete | 10 |
| kubernetes / application / audit | 10 |
| windows / codeintegrity-operational | 10 |
| dns | 10 |
| windows / driver_load | 10 |
| windows / ps_classic_start | 9 |
| windows / appxdeployment-server | 9 |
| windows / create_stream_hash | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| gcp / google_workspace.admin | 7 |
| zeek / smb_files | 7 |
| antivirus | 7 |
| fortigate / event | 7 |
| azure / pim | 7 |
| windows / bits-client | 7 |
| windows / file_access | 7 |
| windows / dns-client | 6 |
| kubernetes / audit | 6 |
| zeek / dns | 5 |
| linux / network_connection | 5 |
| zeek / http | 5 |
| jvm / application | 5 |
| m365 / audit | 4 |
| windows / sysmon | 4 |
| macos / file_event | 4 |
| windows / taskscheduler | 4 |
| windows / iis-configuration | 4 |
| zeek / dce_rpc | 4 |
| windows / registry_add | 3 |
| linux / sshd | 3 |
| gcp / google_workspace.login | 3 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| windows / security-mitigations | 2 |
| linux / syslog | 2 |
| spring / application | 2 |
| windows / dns-server | 2 |
| apache | 2 |
| onelogin / onelogin.events | 2 |
| firewall | 2 |
| windows / smbclient-connectivity | 1 |
| huawei / bgp | 1 |
| windows / capi2 | 1 |
| windows / file_change | 1 |
| nodejs / application | 1 |
| paloalto / file_event / globalprotect | 1 |
| windows / appxpackaging-om | 1 |
| windows / microsoft-servicebus-client | 1 |
| windows / raw_access_thread | 1 |
| paloalto / appliance / globalprotect | 1 |
| linux / vsftpd | 1 |
| zeek / x509 | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / smbserver-connectivity | 1 |
| python / application | 1 |
| windows / file_executable_detected | 1 |
| windows / diagnosis-scripted | 1 |
| windows / shell-core | 1 |
| windows / sysmon_status | 1 |
| m365 / exchange | 1 |
| zeek / rdp | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| ruby_on_rails / application | 1 |
| m365 / threat_detection | 1 |
| zeek / kerberos | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / sysmon_error | 1 |
| velocity / application | 1 |
| windows / driver-framework | 1 |
| sql / application | 1 |
| linux / sudo | 1 |
| cisco / duo | 1 |
| cisco / bgp | 1 |
| nginx | 1 |
| windows | 1 |
| windows / dns-server-analytic | 1 |
| cisco / ldp | 1 |
| windows / ldap | 1 |
| windows / printservice-admin | 1 |
| database | 1 |
| windows / wmi | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-operational | 1 |
| linux / clamav | 1 |
| windows / lsa-server | 1 |
| django / application | 1 |
| linux / auth | 1 |
| linux / cron | 1 |
| windows / appmodel-runtime | 1 |
| fortios / sslvpnd | 1 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| windows / openssh | 1 |
| windows / process_tampering | 1 |
| cisco / syslog | 1 |
| linux / guacamole | 1 |
Sigma Rules Per Category (Nextron Private Feed)
| Type | Count |
| --- | --- |
| windows / process_creation | 513 |
| windows / registry_set | 92 |
| windows / ps_script | 89 |
| linux / process_creation | 59 |
| windows / file_event | 49 |
| windows / image_load | 47 |
| windows / wmi | 29 |
| windows / security | 29 |
| proxy | 13 |
| windows / system | 13 |
| windows / network_connection | 9 |
| windows / registry_event | 8 |
| windows / kernel-event-tracing | 6 |
| windows / ps_module | 5 |
| windows / dns_query | 5 |
| windows / ntfs | 5 |
| webserver | 4 |
| windows / taskscheduler | 4 |
| windows / create_remote_thread | 4 |
| windows / registry_delete | 4 |
| windows / sense | 4 |
| windows / pipe_created | 4 |
| windows / application-experience | 3 |
| windows / vhd | 3 |
| windows / driver_load | 3 |
| windows / hyper-v-worker | 3 |
| macos / process_creation | 3 |
| dns | 3 |
| windows / ps_classic_script | 3 |
| windows / windefend | 2 |
| windows / process_access | 2 |
| windows / bits-client | 2 |
| windows / codeintegrity-operational | 2 |
| windows / file_delete | 2 |
| windows / file_access | 2 |
| windows / kernel-shimengine | 2 |
| linux / file_event | 2 |
| windows / smbclient-security | 2 |
| windows / application | 1 |
| windows / posh_ps | 1 |
| windows / amsi | 1 |
| windows / audit-cve | 1 |
| windows / registry-setinformation | 1 |
| windows / firewall-as | 1 |
| windows / file_rename | 1 |
| linux / file_delete | 1 |
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
