
currently serving 18745 YARA rules and 2924 Sigma rules
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
| Rule | Description | Date | Ref |
|---|---|---|---|
| HKTL_LPE_Characteristics_Jun23 | Detects indicators found in local privilege escalation tool | 03.06.2023 | |
| LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2 | Detects a potential compromise indicator found in MOVEit Transfer logs | 03.06.2023 | |
| HKTL_LPE_PrintNotifyPotato_Jun23_1 | Detects LPE tool that uses PrintNotify COM service for privilege escalation | 01.06.2023 | |
| WEBSHELL_ASPX_DLL_Jun23_1 | Detects compiled Chopper-like ASPX web shells | 01.06.2023 | |
| WEBSHELL_ASPX_DLL_Jun23_2 | Detects compiled Chopper-like ASPX web shells | 01.06.2023 | |
| WEBSHELL_ASPX_DLL_MOVEit_Jun23_1 | Detects compiled ASPX web shells found being used in MOVEit Transfer exploitation | 01.06.2023 | |
| WEBSHELL_ASPX_MOVEit_Jun23_1 | Detects ASPX web shells as used in MOVEit Transfer exploitation | 01.06.2023 | |
| LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1 | Detects a potential compromise indicator found in MOVEit Transfer logs | 01.06.2023 | |
| HKTL_RuyLopez_BlockDLL_May23_1 | Detects PoC code used to disable EDRs by preventing their DLLs from being loaded | 29.05.2023 | |
| SUSP_HxD_Icon_Anomaly_May23_1 | Detects suspicious use of the free hex editor HxD's icon in PE files that don't seem to be a legitimate version of HxD | 29.05.2023 | |
| SUSP_ProcessInjector_Indicator_May23_1 | Detects strings often found in malicious payloads that inject into or kill processes | 29.05.2023 | |
| MAL_RK_Rhaast_May23_1 | Detects indicators found in Rhaast rootkit samples (rootkit driver and client) | 22.05.2023 | |
| HKTL_ProcInject_GregsBestFriend_May23_1 | Detects GregsBestFriend process injection code created from the White Knight Labs Offensive Development course | 20.05.2023 | |
| MAL_FIN7_PS1_POWERTRASH_May23_1 | Detects sequences found in FIN7's obfuscated POWERTRASH PowerShell malware samples | 20.05.2023 | |
| MAL_CryptoMiner_May23_1 | Detects malware mentioned in a report on crypto mining activity | 20.05.2023 | |
| MAL_Stealer_Unknown_May23_1 | Detects unknown password stealer | 20.05.2023 | |
| SUSP_Process_Injection_ShellCode_May23_1 | Detects code found in GregsBestFriend process injection samples created from the White Knight Labs Offensive Development course | 20.05.2023 | |
| SUSP_PUA_WinRing0_Driver_May23_1 | Detects suspicious WinRing0 driver (often embedded in other software that needs access to Ring0, but sometimes used by malware as well) | 20.05.2023 | |
| SUSP_PE_Loader_Indicators_May23_1 | Detects suspicious indicators found in unknown PE loader | 19.05.2023 | |
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
| Rule | Average AV Detection Rate | Sample Count | Info | VT |
|---|---|---|---|---|
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
| Rule | AVs | Hash | VT |
|---|---|---|---|
| SUSP_JS_Document_Write_Unescape_Indicators_Mar22_1 | 2 | f5a40219f271cb2e4398891281019a197404aa24d4060d4ad712b2d784c2e143 | |
| SUSP_Base64_Encoded_Hex_Encoded_Code | 4 | af6233e5a72d2ca977cf2cea4a1a0c0c9c6c9b3bbf8c706c20937057bb01f116 | |
| SUSP_Encoded_PowerShell_Policies_Sep21_1 | 2 | b2766ae0f9d2ccb22253db093a88fef4528d149f3e82a61e1ec34ee2b8103af2 | |
| webshell_php_by_string_known_webshell | 5 | 7babfdec1973144c849e4a552aa21e65915340411ffb6ecd47f2d4d0511364c7 | |
| PUA_ConnectWise_ScreenConnect_Mar23 | 1 | 5425b36e3ab0c13750d2f6765b3f50ce3e9c0abdde2347a2a4c497e63fb14a93 | |
| SUSP_PS1_Small_Base64Decode_Jun22_1 | 1 | bbee0434b7096c78d76fb28fc270dc0094533fd7729c67d503ecae5c9deb497f | |
| SUSP_PE_Discord_Attachment_Oct21_1 | 7 | 78a140f3fc328b8b58cc094f1f5a64fc35be01fc0d828aea2afcf0acf3b91207 | |
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in several categories)

| Tag | Count |
|---|---|
| Malware | 5242 |
| APT | 4639 |
| Threat Hunting (not subscribable, only in THOR scanner) | 4439 |
| Hacktools | 4241 |
| Webshells | 2217 |
| Exploits | 566 |
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
| Rule | Description | Date | Ref | Info |
|---|---|---|---|---|
| Potentially Suspicious Shell Script Creation in Profile Folder | Detects the creation of shell scripts under the "profile.d" path. | 02.06.2023 | | |
| Wget Creating Files in Tmp Directory | Detects the use of wget to download content into a temporary directory such as "/tmp" or "/var/tmp" | 02.06.2023 | | |
| OS Architecture Discovery Via Grep | Detects the use of grep to identify information about the operating system architecture. Often preceded by the execution of "uname" or "cat /proc/cpuinfo" | 02.06.2023 | | |
| Potential GobRAT File Discovery Via Grep | Detects the use of grep to discover specific files created by the GobRAT malware | 02.06.2023 | | |
| Suspicious Nohup Execution | Detects execution of binaries located in potentially suspicious locations via "nohup" | 02.06.2023 | | |
| Potentially Suspicious Execution From Tmp Folder | Detects a potentially suspicious execution of a process located in the "/tmp/" folder | 02.06.2023 | | |
| Shell Execution Of Process Located In Tmp Directory | Detects execution of shells from a parent process located in a temporary (/tmp) directory | 02.06.2023 | | |
| Execution Of Script Located In Potentially Suspicious Directory | Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. | 02.06.2023 | | |
| Download File To Potentially Suspicious Directory Via Wget | Detects the use of wget to download content to a suspicious directory | 02.06.2023 | | |
| Potential SmadHook.DLL Sideloading | Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus | 01.06.2023 | | |
| Potential Suspicious Change To Sensitive/Critical Files | Detects changes to sensitive and critical files. Monitors files that you don't expect to change without planning on a Linux system. | 30.05.2023 | | |
| Regsvr32 Execution From Potential Suspicious Location | Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. | 26.05.2023 | | |
| Regsvr32 Execution From Highly Suspicious Location | Detects execution of regsvr32 where the DLL is located in a highly suspicious location | 26.05.2023 | | |
| Scripting/CommandLine Process Spawned Regsvr32 | Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. | 26.05.2023 | | |
| Potentially Suspicious Regsvr32 HTTP/FTP Pattern | Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. | 24.05.2023 | | |
| Potentially Suspicious ODBC Driver Registered | Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location | 23.05.2023 | | |
| Suspicious Driver/DLL Installation Via Odbcconf.EXE | Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't have a ".dll" extension. This is often used as a defense evasion method. | 23.05.2023 | | |
| Driver/DLL Installation Via Odbcconf.EXE | Detects execution of "odbcconf" with "INSTALLDRIVER", which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. | 22.05.2023 | | |
| Odbcconf.EXE Suspicious DLL Location | Detects execution of "odbcconf" where the path of the DLL being registered is in a potentially suspicious location. | 22.05.2023 | | |
| New DLL Registered Via Odbcconf.EXE | Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. | 22.05.2023 | | |
| Potentially Suspicious DLL Registered Via Odbcconf.EXE | Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't have a ".dll" extension, which is often used as a method to evade defenses. | 22.05.2023 | | |
| Suspicious Response File Execution Via Odbcconf.EXE | Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. | 22.05.2023 | | |
| Response File Execution Via Odbcconf.EXE | Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. | 22.05.2023 | | |
| Uncommon Child Process Spawned By Odbcconf.EXE | Detects an uncommon child process of the "odbcconf.exe" binary, which normally shouldn't have any child processes. | 22.05.2023 | | |
| Suspicious Non-Browser Network Communication With Telegram API | Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 | 19.05.2023 | | |
YARA/SIGMA Rule Count
| Rule Type | Community Feed | Nextron Private Feed |
|---|---|---|
| Yara | 2609 | 16136 |
| Sigma | 2622 | 302 |
Sigma Rules Per Category (Community)
| Type | Count |
|---|---|
| windows / process_creation | 982 |
| windows / ps_script | 162 |
| windows / registry_set | 157 |
| windows / file_event | 145 |
| windows / security | 137 |
| linux / process_creation | 85 |
| windows / image_load | 72 |
| windows / system | 63 |
| linux / auditd | 49 |
| macos / process_creation | 43 |
| windows / network_connection | 41 |
| proxy | 38 |
| azure / activitylogs | 38 |
| windows / registry_event | 36 |
| azure / auditlogs | 33 |
| windows / ps_module | 32 |
| aws / cloudtrail | 29 |
| windows / process_access | 27 |
| azure / signinlogs | 24 |
| windows / application | 23 |
| rpc_firewall / application | 17 |
| windows / pipe_created | 17 |
| linux | 17 |
| windows / driver_load | 16 |
| okta / okta | 15 |
| gcp / gcp.audit | 14 |
| m365 / threat_management | 13 |
| windows / dns_query | 13 |
| windows / windefend | 12 |
| cisco / aaa | 12 |
| webserver | 12 |
| windows / file_delete | 11 |
| windows / ps_classic_start | 11 |
| windows / create_remote_thread | 11 |
| windows / create_stream_hash | 9 |
| windows / registry_add | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| windows / bits-client | 7 |
| github / audit | 7 |
| linux / file_event | 7 |
| zeek / smb_files | 7 |
| antivirus | 7 |
| dns | 7 |
| windows / appxdeployment-server | 7 |
| google_workspace / google_workspace.admin | 6 |
| windows / registry_delete | 6 |
| jvm / application | 5 |
| windows / dns-client | 5 |
| azure / azureactivity | 5 |
| zeek / dns | 4 |
| zeek / dce_rpc | 4 |
| windows / file_access | 4 |
| windows / wmi_event | 3 |
| windows / codeintegrity-operational | 3 |
| zeek / http | 3 |
| linux / network_connection | 3 |
| windows / taskscheduler | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| linux / sshd | 2 |
| windows / security-mitigations | 2 |
| windows / file_rename | 2 |
| linux / syslog | 2 |
| spring / application | 2 |
| windows / dns-server | 2 |
| onelogin / onelogin.events | 2 |
| apache | 2 |
| macos / file_event | 2 |
| qualys | 2 |
| windows / file_change | 2 |
| firewall | 2 |
| nodejs / application | 1 |
| linux / sudo | 1 |
| windows / capi2 | 1 |
| windows / shell-core | 1 |
| windows / file_block | 1 |
| python / application | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / microsoft-servicebus-client | 1 |
| django / application | 1 |
| zeek / x509 | 1 |
| windows / sysmon | 1 |
| m365 / exchange | 1 |
| linux / vsftpd | 1 |
| windows / diagnosis-scripted | 1 |
| windows / smbclient-security | 1 |
| windows / sysmon_status | 1 |
| m365 / threat_detection | 1 |
| zeek / rdp | 1 |
| windows / process_tampering | 1 |
| velocity / application | 1 |
| zeek / kerberos | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / sysmon_error | 1 |
| ruby_on_rails / application | 1 |
| database | 1 |
| nginx | 1 |
| windows / driver-framework | 1 |
| windows | 1 |
| windows / ps_classic_provider_start | 1 |
| sql / application | 1 |
| windows / lsa-server | 1 |
| netflow | 1 |
| cisco / ldp | 1 |
| windows / dns-server-analytic | 1 |
| windows / wmi | 1 |
| linux / auth | 1 |
| cisco / bgp | 1 |
| linux / cron | 1 |
| windows / ldap_debug | 1 |
| windows / raw_access_thread | 1 |
| linux / clamav | 1 |
| huawei / bgp | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| linux / guacamole | 1 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| windows / appxpackaging-om | 1 |
Sigma Rules Per Category (Nextron Private Feed)
| Type | Count |
|---|---|
| windows / process_creation | 133 |
| windows / ps_script | 40 |
| windows / wmi | 29 |
| windows / registry_set | 20 |
| windows / file_event | 11 |
| proxy | 11 |
| windows / system | 8 |
| windows / security | 5 |
| windows / create_remote_thread | 4 |
| windows / image_load | 3 |
| linux / process_creation | 3 |
| windows / network_connection | 3 |
| windows / pipe_created | 3 |
| windows / ps_classic_script | 3 |
| windows / ps_module | 3 |
| windows / registry_event | 3 |
| webserver | 2 |
| windows / driver_load | 2 |
| windows / bits-client | 2 |
| windows / vhd | 2 |
| windows / taskscheduler | 2 |
| windows / dns_query | 1 |
| windows / application | 1 |
| macos / process_creation | 1 |
| windows / amsi | 1 |
| windows / process_access | 1 |
| windows / registry_delete | 1 |
| windows / audit-cve | 1 |
| windows / file_access | 1 |
| windows / registry-setinformation | 1 |
| windows / file_delete | 1 |
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls