currently serving 22419 YARA rules and 4082 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
VULN_Roundcube_XSS_CVE_2023_43770_May25
Detects a vulnerable version of Roundcube Webmail for which an exploit PoC exists. An update is required.
15.05.2025
VULN_Zimbra_XSS_CVE_2024_27443_May25
Detects a vulnerable version of Zimbra for which an exploit PoC exists. An update is required.
15.05.2025
SUSP_Batch_Script_Downloader_May25
Detects a batch script that downloads second stage payload into the 'Public' folder, as seen in SAP NetWeaver CVE-2025-31324
15.05.2025
SUSP_Shell_Script_Downloader_May25
Detects shell scripts downloading second stage payloads linked to SAP NetWeaver CVE-2025-31324
15.05.2025
EXPL_PY_CVE_2023_43770_Roundcube_May25
Detects Python scripts that are used to exploit CVE-2023-43770 in Roundcube Webmail
15.05.2025
MAL_SpyPress_Roundcube_May25
Detects SpyPress.Roundcube, a JavaScript payload injected into vulnerable Roundcube webmail instances, that can steal credentials and create malicious Sieve rules
15.05.2025
MAL_JS_Roundcube_Cred_Stealer_May25
Detects JavaScript code that steals login credentials from Roundcube webmail
15.05.2025
MAL_JS_EXPL_CVE_2023_43770_Roundcube_May25
Detects malicious JavaScript that is used in exploiting CVE-2023-43770 in Roundcube Webmail
15.05.2025
MAL_LCRYPTORX_Ransomware_May25
Detects LCRYPTORX ransomware, a vbs-based ransomware that encrypts files with the .lcryx extension and demands payment for decryption
12.05.2025
HKTL_Defendnot_May25
Detects Defendnot, a tool used to disable Microsoft Defender by registering with Windows Security Center using undocumented APIs. It mimics third-party antivirus presence and persists via autorun, undermining system protection
10.05.2025
SUSP_EXPL_CVE_2025_31324_May25
Detects indicators found for CVE-2025-31324 SAP NetWeaver exploitation activity
09.05.2025
HKTL_Pocassist_May25
Detects pocassist a vulnerability testing framework written in Golang
09.05.2025
SUSP_PS1_Characteristics_May25
Detects PowerShell script that uses functions in an odd way
09.05.2025
HKTL_Glider_Proxy_May25
Detects GLider a forward proxy with multiple protocols support, and also a dns/dhcp server with ipset management features(like dnsmasq).
09.05.2025
HKTL_WinPEAS_May25
Detects a PowerShell script version of winPEAS (Windows Privilege Escalation Awesome Script), a tool used by penetration testers and red teamers to automate the process of finding privilege escalation vectors on Windows systems
09.05.2025
SUSP_Encoded_PE_In_Image_File_May25
Detects image files that contain encoded executables, a technique often used by droppers to hide payloads on disk.
09.05.2025
MAL_Lostkeys_Campaign_Stage2_May25
Detects Lostkeys campaign, Device evasion and stage 3 loader, seen being used by COLDRIVER threat group
08.05.2025
MAL_Lostkeys_May25
Detects Lostkeys that steals files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker.
08.05.2025
MAL_Lostkeys_Campaign_Decoder_May25
Detects Lostkeys campaign, decoder script, seen being used by COLDRIVER threat group
08.05.2025
MAL_Lostkeys_Campaign_Stage3_May25
Detects Lostkeys campaign stage 3 that retrieves and decodes final payload, seen being used by COLDRIVER threat group
08.05.2025
SUSP_Obfuscator_Generated_Content_May25
Detects potentially obfuscated code generated using obfuscator tool.
08.05.2025
MAL_TerraLogger_May25
Detects Terra keylogger, seen being used by threat actor called Golden Chickens
08.05.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
HKTL_hacksoft_RAdmin_Files_svchost
1
2683736d031bdd828a8eedd6a893c7248ee5ddba4bfe0f62a1255dee997a8896
SUSP_PE_PasterBin_Raw_References_Nov21_1
12
d1b6fef6fa7df286136f8db66a5f8a38f449749b9937a4205ca273e241626b1a
SUSP_HKTL_LNX_Keywords_SCTEST_Oct19
2
8e9cb14462a29cb0cebdcd9acfedb206b15fedb9dcda7824b4fdd1b1fdee11ce
HKTL_JS_PowerShell_Token_Grabber_JavaScript_Inject_Mar23
5
755bd712de4de08e435251938207cecdcdb5090e13f6b2a99bbb0292f5b5b7f1
SUSP_Defense_Evasion_Known_Hostnames_Jun23
5
755bd712de4de08e435251938207cecdcdb5090e13f6b2a99bbb0292f5b5b7f1
SUSP_Defense_Evasion_Known_Usernames_Jun23
5
755bd712de4de08e435251938207cecdcdb5090e13f6b2a99bbb0292f5b5b7f1
SUSP_Credential_Stealer_Indicators_Jul23_1
5
755bd712de4de08e435251938207cecdcdb5090e13f6b2a99bbb0292f5b5b7f1
SUSP_SchTasks_Create_OnLogon_Mar25
1
384f9ed7f8089b1104f5a03fa71a86dee7b5b17cfa23a0f4546c344a2ae62f21
SUSP_JS_Document_Write_Unescape_Indicators_Mar22_1
1
036777b199f604962542498644948f6c0e5373698369d8e851e7c0a2992e324d
SUSP_JS_Document_Write_Unescape_Indicators_Mar22_1
1
ef9843b012388317bc671ed363df99e280b027c6020b63790d159014c1f4b155
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6833
Threat Hunting (not subscribable, only in THOR scanner)
5400
APT
4956
Hacktools
4680
Webshells
2373
Exploits
665
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
MSHTA Execution via Explorer
Detects MSHTA.exe execution spawned by explorer.exe, which could indicate malicious activity.
MSHTA.exe is a utility that executes Microsoft HTML Applications (HTA) files. While legitimate in the past,
its usage in modern environments is rare and often associated with malicious activities.
Attackers frequently abuse MSHTA.exe to execute malicious scripts and bypass application allowlisting.
It is commonly used to download and execute remote payloads. Nowadays, it has been commonly observed being executed through
LNK files or ClickFix campaigns, making it easier for attackers to deliver and run malicious payloads with minimal user interaction.
07.05.2025
Execution of Remotely Hosted MSHTA File via UNC Path
Detects execution of mshta.exe with a remote UNC path in the command line (e.g., \\host\share\file.hta).
This behavior is commonly associated with threat actors delivering HTA-based payloads hosted on remote systems
to gain initial access or for persistence or to perform lateral movement.
07.05.2025
Suspicious Office Add-ins Creation
Detects the creation of Office add-ins by processes other than Microsoft Office applications, which might indicate malicious activity.
Threat actors often use these malicious add-ins to gain initial access, typically delivered through phishing emails with malicious Office documents.
05.05.2025
Fake Document Execution
Detects execution of files that contain document extensions in their name but are actually executables.
Adversaries may use this technique to masquerade malicious executables as legitimate documents to evade detection and trick users into executing them.
05.05.2025
Fake Image Execution
Detects execution of binaries that have image file extensions but are actually executables.
Adversaries may use a image file extension to disguise malware as image files to avoid detection.
05.05.2025
Suspicious Office Add-ins Execution
Detects the execution of office add-ins from suspicious locations or suspicious parent.
The office add-on can be abused for persistence and execution of malicious code.
Threat actors often use these malicious add-ins to gain initial access, typically delivered through phishing emails with malicious Office documents.
05.05.2025
Suspicious MMC Execution From Unusual Location
Detects execution of Microsoft Management Console (MMC.exe) with MSC files from suspicious locations outside of Windows default paths,
which may indicate malicious activity such as execution of weaponized MSC files for defense evasion or privilege escalation.
Common legitimate MSC files are typically located in Windows system directories.
25.04.2025
PUA - Magnet RAM Capture Service Installation - Security
Detects the service installation of Magnet RAM Capture driver, a legitimate forensics tool that can be abused for malicious purposes.
This tool is designed for memory acquisition but has been observed being misused by threat actors for credential harvesting.
The tool's signed kernel driver can be exploited to bypass security controls, making it attractive for adversaries seeking to evade detection.
24.04.2025
Suspicious BCDEdit Safe Mode Modification
Detects the use of BCDEdit to modify Windows boot configuration for Safe Mode with minimal services.
In this configuration, Windows will only load the essential system services and drivers, and will not load
any third-party software or drivers, including security programs like antivirus and EDRs.
This technique is often used by attackers to disable or bypass security software, and is considered potentially malicious activity.
24.04.2025
PowerPoint PPCore.dll Sideloading Attempt
Detects potential DLL sideloading attempts through PowerPoint.exe loading ppcore.dll from suspicious locations.
Adversary have been also observed using renamed powerpoint.exe to sideload ppcore.dll possibly to bypass detection.
23.04.2025
Suspicious NT Windows Autorun Key Modification
Detects suspicious NT Autorun Keys Modification patterns are not commonly used or modified by legitimate programs.
This could be an indication of an adversary's attempt to persist in a stealthy manner.
23.04.2025
Suspicious NT Windows Autorun Key Modification - Registry
Detects suspicious modifications patterns to the Windows NT autorun key.
This could be an indication of an adversary's attempt to persist in a stealthy manner.
23.04.2025
Potential Webshell Upload in SharePoint or Exchange Directories
Detects the creation of suspicious files in SharePoint or Exchange directories that could indicate a webshell upload.
Webshells are malicious scripts that threat actors install/upload on targeted websites to gain remote access to the system.
Often, they serve as an initial point of infection in cyberattacks.
22.04.2025
TypeLib COM Hijacking Attempt
Detects attempts to hijack TypeLib COM objects through registry modifications via reg.exe or powershell.
In this technique, adversary modify the typelib registry to redirect legitimate COM objects to malicious file found locally or hosted remotely.
22.04.2025
TypeLib COM Hijacking Attempt - Registry
Detects typelib registry modifications, potential TypeLib COM Hijacking attempts.
Attackers may alter typelib registry entries to redirect COM objects to malicious local or remote files.
22.04.2025
Hacktool Katz Variants - Credential Dumping Tool Execution (Powershell)
Detects potential usage of unwanted credential dumping hack tools that follow naming conventions similar to mimikatz.exe.
Red team developers frequently incorporate "katz" in their tool names to indicate credential dumping functionality of their tool.
21.04.2025
Hacktool - Credential Dumper Katz Variants Execution
Detects execution of potentially credential dumping hack tools with naming patterns similar to mimikatz.exe.
It's a common practice among offensive tools developers to use "katz" string at the tool name, hinting the tool as a credential dumping tool.
21.04.2025
Internet Connection Discovery
Detects attempts to check internet connectivity to common destinations using ping or tracert commands.
After a compromise, threat actors may use these commands to verify internet access or to check for network restrictions.
18.04.2025
Suspicious Process Spawned by CentreStack Portal AppPool
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
17.04.2025
Suspicious CrushFTP Child Process
Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
10.04.2025
Suspicious Attempts to Disable Windows Event Logging Service - Powershell
Detects attempts to disable Windows Event Logging service through PowerShell using CimInstance or WmiObject or Set-Service.
The Event Logging service is responsible for logging system events in Windows, which is critical for security monitoring and auditing.
Disabling this service can prevent the logging of important security events, making it a potential indicator of malicious activity.
Adversaries may use this technique to limit data available for detection and audits.
09.04.2025
Windows Event Logging Service Auto-Start Disabled
Detects service configuration modifications of event logging service to disable it.
Windows Event Logging service is responsible for logging system events, that are critical for security monitoring and auditing.
Disabling this service can prevent the logging of important security events, making it a potential indicator of malicious activity.
Adversaries may use this technique to limit data available for detection and audits.
09.04.2025
Registry Modification to Disable Event Logging - Process
Detects attempts to modify Windows Event Logging registry keys, which could indicate an adversary trying to disable system event logging.
This is a common defense evasion technique where attackers try to prevent their activities from being logged by disabling the Windows Event Logging service.
A successful attack would significantly impair system auditing and security monitoring capabilities.
09.04.2025
Suspicious Attempts to Disable Windows Event Logging Service
Detects Suspicious Attempts to Disable Windows Event Logging Service by changing the startup type to "disabled".
The Event Logging service records system events in Windows and is critical for security monitoring and auditing.
Disabling this service prevents logging of security events, which can indicate malicious activity.
Adversaries may use this technique to evade detection and limit data available for security monitoring.
09.04.2025
Registry Modification to Disable Event Logging - Registry
Detects registry modifications attempting to disable the Windows Event Log service.
The Event Log service records critical system events in Windows systems.
Adversaries may attempt to disable this service to evade detection by preventing the logging of security-relevant events.
This technique is commonly used to limit data available for security monitoring and forensic analysis.
09.04.2025
PUA - WinSCP Execution
Detects execution of WinSCP, a popular open-source SFTP clientthat can be used to transfer files between systems.
Adversaries have been known to abuse WinSCP for data exfiltration by transferring files to remote servers.
This rule might have false positives as WinSCP is very popular and widely used SFTP client, so it is possible that it may be installed on systems for legitimate purposes.
But, If you see execution of WinSCP on the computers that you don't usually expects like accounting or finance departments etc.,
this warrants further investigation as it could be a sign of data exfiltration.
08.04.2025
PUA - WinSCP Installer Execution
Detects execution of WinSCP installer, that is used to install WinSCP, a popular open-source SFTP client.
WinSCP is a file transfer client that can be used to transfer files between systems.
Adversaries have been known to abuse WinSCP for data exfiltration by transferring files to remote servers.
If you see WinSCP being installed on the computers that you don't usually expects like accounting or finance departments etc., this warrants further investigation as it could be a sign of data exfiltration.
08.04.2025
PUA - MegaTools Execution
Detects the execution of Potentially Unwanted Application (PUA) - MegaTools.
MegaTools is a command-line interface for the Mega.nz cloud storage service, which allows users to upload and download files.
Adversaries have been known to abuse MegaTools for data exfiltration by uploading or downloading files to/from Mega.nz.
If you don't usually use MegaTools on your enterprise, this warrants further investigation as it could be a sign of data exfiltration.
08.04.2025
PUA - FreeFileSync Execution
Detects execution of FreeFileSync, which is a legitimate tool but can be abused for data exfiltration.
FreeFileSync is a folder comparison and synchronization software that can be used to transfer files between systems.
If you don't usually use FreeFileSync on your enterprise, this warrants further investigation as it could be a sign of data exfiltration.
08.04.2025
PUA - GoodSync Execution
Detects execution of PUA - GoodSync, which is a legitimate tool used for file synchronization and backup, which adversaries can abuse for data exfiltration.
GoodSync is a popular file synchronization and backup software that can be used to transfer files between systems and is very common application in many organizations.
If you don't usually use GoodSync on your enterprise, this warrants further investigation as it could be a sign of data exfiltration.
08.04.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3212
19207
Sigma
3366
716
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1258
windows / registry_set
202
windows / file_event
194
windows / ps_script
166
windows / security
156
linux / process_creation
119
windows / image_load
107
webserver
78
windows / system
72
macos / process_creation
65
windows / network_connection
52
proxy
52
linux / auditd
48
aws / cloudtrail
46
azure / activitylogs
43
windows / registry_event
38
azure / auditlogs
38
windows / ps_module
33
windows / application
29
azure / signinlogs
24
windows / process_access
22
windows / dns_query
22
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
linux
17
rpc_firewall / application
17
gcp / gcp.audit
16
windows / windefend
16
bitbucket / audit
14
windows / file_delete
13
github / audit
13
m365 / threat_management
13
windows / create_remote_thread
13
cisco / aaa
12
windows / driver_load
10
windows / codeintegrity-operational
10
kubernetes / application / audit
10
windows / create_stream_hash
9
windows / registry_add
9
linux / file_event
9
windows / ps_classic_start
9
windows / msexchange-management
8
dns
8
windows / firewall-as
8
azure / pim
7
windows / appxdeployment-server
7
gcp / google_workspace.admin
7
windows / bits-client
7
windows / registry_delete
7
zeek / smb_files
7
antivirus
7
windows / file_access
6
windows / dns-client
6
jvm / application
5
kubernetes / audit
5
linux / network_connection
5
zeek / dce_rpc
4
zeek / dns
4
windows / sysmon
4
zeek / http
4
windows / taskscheduler
4
windows / iis-configuration
4
windows / ntlm
3
linux / sshd
3
m365 / audit
3
windows / wmi_event
3
windows / powershell-classic
3
windows / file_change
2
spring / application
2
firewall
2
windows / security-mitigations
2
linux / syslog
2
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
windows / ps_classic_provider_start
1
windows / printservice-admin
1
netflow
1
cisco / ldp
1
windows / lsa-server
1
windows / wmi
1
fortios / sslvpnd
1
linux / auth
1
cisco / bgp
1
django / application
1
cisco / syslog
1
linux / cron
1
windows / smbclient-connectivity
1
linux / clamav
1
juniper / bgp
1
windows / appmodel-runtime
1
windows / ldap
1
windows / process_tampering
1
nodejs / application
1
paloalto / file_event / globalprotect
1
cisco / duo
1
linux / guacamole
1
huawei / bgp
1
windows / applocker
1
windows / openssh
1
windows / raw_access_thread
1
python / application
1
paloalto / appliance / globalprotect
1
windows / appxpackaging-om
1
zeek / x509
1
windows / shell-core
1
linux / sudo
1
windows / capi2
1
windows / microsoft-servicebus-client
1
ruby_on_rails / application
1
windows / certificateservicesclient-lifecycle-system
1
windows / file_executable_detected
1
velocity / application
1
m365 / exchange
1
sql / application
1
linux / vsftpd
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_status
1
m365 / threat_detection
1
zeek / rdp
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
database
1
zeek / kerberos
1
windows / dns-server-analytic
1
windows / driver-framework
1
windows
1
windows / printservice-operational
1
nginx
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
335
windows / registry_set
70
windows / ps_script
69
windows / image_load
40
windows / file_event
36
windows / wmi
29
windows / security
19
proxy
12
linux / process_creation
12
windows / network_connection
8
windows / system
8
windows / registry_event
7
windows / kernel-event-tracing
6
windows / ps_module
5
windows / ntfs
5
windows / taskscheduler
4
windows / create_remote_thread
4
windows / sense
4
windows / pipe_created
4
webserver
3
windows / application-experience
3
windows / vhd
3
windows / registry_delete
3
windows / hyper-v-worker
3
windows / driver_load
3
windows / ps_classic_script
3
windows / process_access
2
windows / bits-client
2
windows / kernel-shimengine
2
macos / process_creation
1
windows / codeintegrity-operational
1
windows / windefend
1
windows / amsi
1
windows / firewall-as
1
windows / dns_query
1
windows / registry-setinformation
1
windows / application
1
windows / file_access
1
windows / file_delete
1
windows / audit-cve
1
windows / file_rename
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR