currently serving 21735 YARA rules and 3892 Sigma rules
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
SUSP_Canary_Tokens_Dec24
Detects files containing canary tokens in various formats generated on canarytokens.org. Check whether the file is a payload meant to make some software connect to the respective FQDN or URL. Hits in log files might indicate successful exploitation. False positives can be any kind of article or detection rule that mentions these tokens.
02.12.2024
HKTL_GoDAP_Dec24
Detects godap, a complete TUI for LDAP supporting pass-the-hash and DACL editing.
02.12.2024
HKTL_RustPacker_Indicators_Nov24_1
Detects RustPacker indicators - a template-based shellcode packer written in Rust with indirect syscall support
30.11.2024
SUSP_SmartScreen_Binary_Ref_Nov24
Detects suspicious SmartScreen binary references in executables
29.11.2024
SUSP_Rust_Binary_SmartScreen_Ref_Nov24
Detects suspicious SmartScreen binary references in Rust-packed executables
29.11.2024
SUSP_PDF_Downloading_File_Via_JavaScript_Nov24
Detects PDFs downloading files via JavaScript
28.11.2024
SUSP_Email_Attachment_ZIP_Malformed_Nov24
Detects ZIP files that are malformed and used in phishing mails
26.11.2024
SUSP_Malformed_ZIP_Repair_Exploit_Nov24
Detects ZIP files that are malformed and used in phishing mails
26.11.2024
SUSP_OfficeDoc_Malformed_ZIP_Header_Nov24
Detects office files with a malformed ZIP header, which could be a sign of a repair exploit attempt as described by AnyRun and used in phishing mails
26.11.2024
HKTL_KrbRelayEx_Nov24_1
Detects KrbRelayEx hack tool - Kerberos Relay and Forwarder for (Fake) SMB MiTM Server
26.11.2024
SUSP_JS_Phishing_Mail_Nov24
Detects characteristics found in JavaScript code used in phishing mails
26.11.2024
MAL_GO_XOR_Loader_Nov24
Detects custom Go based C2 loader that includes payloads XORed with a key
25.11.2024
EXPL_CVE_2024_0012_PAN_OS_Nov24
Detects exploits for CVE-2024-0012, an authentication bypass in the PAN-OS management web interface
25.11.2024
HKTL_PS1_Shadowhound_Nov24
Detects Shadowhound, a collection of PowerShell scripts for alternative SharpHound enumeration, including users, groups, computers, and certificates, using the ActiveDirectory module (ADWS) or System.DirectoryServices class (LDAP)
25.11.2024
MAL_Wezrat_Upload_Module_Nov24
Detects the Wezrat module whose main purpose is to upload files to the C2 server
21.11.2024
MAL_Wezrat_Clipboard_Module_Nov24
Detects the Wezrat module whose main purpose is to collect clipboard data
21.11.2024
MAL_Wezrat_Persistence_Module_Nov24
Detects the Wezrat module whose main purpose is to create a persistence Run key
21.11.2024
MAL_Wezrat_Screenshot_Module_Nov24
Detects the Wezrat module whose main purpose is to take a screenshot of the victim machine
21.11.2024
APT_MAL_DeepData_Upload_Plugin_Nov24
Detects a DLL that is designed to upload files, seen used by APT41
19.11.2024
APT_MAL_DeepData_Recorder_Plugin_Nov24
Detects a DLL that is designed to record the audio environment through the microphone of the target system, seen used by APT41
19.11.2024
APT_MAL_DeepData_Monitoring_Plugin_Nov24
Detects a DLL that is used by a threat actor to monitor the WhatsApp and Zalo apps installed on Windows, seen used by APT41
19.11.2024
Successful YARA Rules in Set
This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days). Columns: Rule, Average AV Detection Rate, Sample Count, Info, VT. No rows were rendered in this snapshot.
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule / AVs / SHA256 hash
SUSP_Credential_Stealer_Indicators_Jul23_2 / 2 / 091150002e66d0c820eaf8b3218a9363b017744ee799b69a2a96a56fe9604c51
SUSP_Encoded_GetProcAddress_Mar19 / 6 / cf924b4399752ea74fc648f1a3e91a3569c6f7f2ec748f93ba2f2a953afaca24
SUSP_PS1_Cmdlet_Defender_Exclusion_Apr21_1 / 1 / f3841a217cc0b94e8798c90a0bc47b67a5d5c93a1b1432ce657f630f42c09158
SUSP_Wextract_Anomaly_Unsigned_May23 / 8 / 4a050fc2eb8a112d043b647c747364737fe693702d2389293225e3383d95d2be
CobaltStrike_Resources_Xor_Bin_v2_x_to_v4_x / 13 / b06ddb91bfd1cd674ed1a4b77ffe593c85674a2a23edd0c7f467629befb02ee2
SUSP_PUA_Go_CloudFlared_Tunnel_Sep23 / 1 / 4569c869047a092032f6eac7cf0547591a03a0d750a6b104a606807ea282d608
HKTL_PS1_Shells_Indicators_Feb22_1 / 7 / 2b584e043309823b134f46ae6131163aafb84b72bd70802d1e9b818d308e6f7c
SUSP_LNX_Reverse_Shell_Indicator_PowerShell_Jun21_1 / 7 / 2b584e043309823b134f46ae6131163aafb84b72bd70802d1e9b818d308e6f7c
SUSP_LNX_RevShell_Payloads_Jun21_1 / 7 / 2b584e043309823b134f46ae6131163aafb84b72bd70802d1e9b818d308e6f7c
The last three rows are the same sample (identical hash) matched by three different rules.
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (the counts overlap because a rule can belong to more than one category, so they sum to more than the total rule count)
Tag: Count
Malware: 6495
Threat Hunting (not subscribable, only in THOR scanner): 5190
APT: 4906
Hacktools: 4597
Webshells: 2340
Exploits: 638
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Suspicious ShellExec_RunDLL Call Via Ordinal
Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
Adversaries might use only the ordinal number in order to bypass existing detections that alert on the usage of ShellExec_RunDLL in the command line.
01.12.2024
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file.
These ".lst" files can contain references to external programs that "Setup16.EXE" will execute.
Attackers and adversaries might leverage this as a living-off-the-land utility.
01.12.2024
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
17.11.2024
Disable Application Bound Encryption for Chrome and Edge
Detects disabling of Application Bound Encryption for Google Chrome and Microsoft Edge by setting registry keys to 0.
14.11.2024
Expand File Over Admin Share
Detects the use of the expand command to extract files located on an administrative share, potentially used for lateral movement or staging files.
10.11.2024
Suspicious File Copy To Admin Share
Detects suspicious file copy operations to administrative shares, which may indicate lateral movement or malicious staging.
10.11.2024
Suspicious Use of RAR for File Archiving
Detects the use of `rar.exe` to create archives, which may indicate file compression for exfiltration or malicious purposes.
10.11.2024
Remote Execution Using PsExec
Detects suspicious use of PsExec to remotely execute a batch file located in unusual directories. This could indicate lateral movement or malicious activity, as seen in some cyberattack scenarios.
10.11.2024
Execution via Serviceui.exe
Detects potential abuse of ServiceUI.exe for privilege escalation using specific flags that allow running applications in a system context within a user session.
06.11.2024
Execution of ServiceUI.exe in Suspicious Location
Detects execution of ServiceUI.exe, a legitimate binary from the Microsoft Deployment Toolkit, potentially used for privilege escalation by running it outside of its expected directory.
06.11.2024
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
01.11.2024
.RDP File Created by Outlook Process
Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use RDP files as attachments.
01.11.2024
Registry Modifications to Change Default Programs Handling Files
Detects changes to the default program handling a file extension, which could be used by threat actors to run their malware when a file with a certain extension is opened.
28.10.2024
ValleyRAT Malware Registry Modification
Detects the creation of registry keys used to store C2 information, as seen used by the ValleyRAT malware
28.10.2024
Hacktool Nifo Usage
Detects Nifo - a tool that disables Windows AV/EDR software by corrupting their files offline via physical access
27.10.2024
Registry Set for WinDefend Deletion
Detects the deletion of the WinDefend registry key in attempt to disable Windows Defender.
23.10.2024
Potential DLL Sideloading Via taskhost.exe
Detects potential DLL sideloading of "SbieDll.dll" by taskhost.exe.
21.10.2024
Curl Variable Execution
Detects curl execution where a variable is passed as the domain to fetch data from; this can be used by threat actors to hide the actual malicious domain.
20.10.2024
Domain Obfuscation
Detects domain obfuscation used by threat actors to hide the actual C2 domain.
20.10.2024
MSC File Execution From Potential Suspicious Location
Detects execution of Microsoft Management Console (MMC) files from potentially suspicious locations.
20.10.2024
IMEEX Framework Registry Modification Detected
Detects modifications to registry keys associated with the IMEEX malware framework, a tool used by attackers to gain extensive control over compromised Windows systems.
12.10.2024
Potential Conti Ransomware Activity
Detects a specific command line pattern based on flags used by the Conti ransomware
07.10.2024
Wazuh Agent Remote Execution
Detects enabling of remote commands in the Wazuh agent. Setting this value to 1 allows the agent to accept and execute remote commands from the Wazuh manager or other controlling systems. This can be legitimate remote administration, but it also opens up the potential for misuse if the Wazuh manager or server the agent connects to is malicious or compromised, as it grants significant control over the agent.
07.10.2024
ETW Logging/Processing Option Disabled On IIS Server
Detects changes to the IIS server configuration in order to disable or remove the ETW logging/processing option.
06.10.2024
HTTP Logging Disabled On IIS Server
Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
06.10.2024
New Module Added To IIS Server
Detects the addition of a new module to an IIS server.
06.10.2024
Previously Installed IIS Module Was Removed
Detects the removal of a previously installed IIS module.
06.10.2024
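The ShellExec_RunDLL entry in the table above describes the evasion: a detection keyed on the export name misses a rundll32 invocation that names the same shell32.dll export by ordinal. The Python below is an added example, not a rule from the Valhalla feed or from the Sigma project, and runs a name-only check beside an ordinal-aware check over a few constructed process-creation command lines. It generalizes the rule's idea to any ordinal call into shell32.dll (so it would also flag other shell32 exports called by number); the "#61" in the sample lines is an illustrative ordinal and the check does not depend on which number is used.

```python
import re
from dataclasses import dataclass

# Constructed process-creation command lines (not real telemetry). The "#61"
# ordinal is illustrative; the check keys on the ordinal *form*, not the number.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe shell32.dll,ShellExec_RunDLL notepad.exe',
    r'rundll32.exe SHELL32.DLL,#61 "C:\Users\Public\payload.exe"',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll , # 61 calc.exe',
    r'rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl',
    r'rundll32.exe user32.dll,#4',
    r'regsvr32.exe /s C:\Users\Public\payload.dll',
]

# rundll32 invoked by bare name, full path or quoted path
RUNDLL32_RE = re.compile(r'(?:^|[\\/\s"])rundll32(?:\.exe)?["\s]', re.IGNORECASE)
# "<module>.dll,<entry>" where <entry> is "#<n>" (ordinal) or an export name.
# Whitespace around ',' and '#' is tolerated because padding is a cheap evasion.
ENTRY_RE = re.compile(r'([^\s,"]+\.dll)"?\s*,\s*(#\s*\d+|[A-Za-z_][\w@]*)', re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    module: str
    entry: str
    reason: str


def name_only_check(command_line):
    """The naive detection the rule says adversaries bypass: look for the export name."""
    return 'shellexec_rundll' in command_line.lower()


def parse_rundll32(command_line):
    """Return (module basename, normalized entry) for a rundll32 command line, else None."""
    if not RUNDLL32_RE.search(command_line + ' '):
        return None
    m = ENTRY_RE.search(command_line)
    if not m:
        return None
    module = m.group(1).replace('/', '\\').rsplit('\\', 1)[-1].lower()
    entry = re.sub(r'\s+', '', m.group(2))          # "# 61" -> "#61"
    return module, entry


def detect_shell32_ordinal(command_line):
    """Flag rundll32 calling any shell32.dll export by ordinal."""
    parsed = parse_rundll32(command_line)
    if parsed is None:
        return None
    module, entry = parsed
    if module == 'shell32.dll' and entry.startswith('#'):
        return Finding(command_line, module, entry, 'shell32.dll export invoked by ordinal')
    return None


def scan(command_lines):
    return [f for f in map(detect_shell32_ordinal, command_lines) if f is not None]


if __name__ == '__main__':
    for cmd in SAMPLE_COMMAND_LINES:
        hit = detect_shell32_ordinal(cmd) is not None
        print(f'name-only={name_only_check(cmd)!s:5} ordinal={hit!s:5} {cmd}')
```

The second and third sample lines pass the name-only check and are caught only by the ordinal-aware one; the user32.dll line shows why the module name is checked too, since ordinal calls into other DLLs are common and legitimate.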
YARA/SIGMA Rule Count
Rule Type: Community Feed / Nextron Private Feed (total)
Yara: 3199 / 18536 (21735)
Sigma: 3344 / 548 (3892)
Sigma Rules Per Category (Community)
Type (log source): Count
windows / process_creation: 1248
windows / registry_set: 201
windows / file_event: 191
windows / ps_script: 165
windows / security: 157
linux / process_creation: 120
windows / image_load: 105
webserver: 78
windows / system: 72
macos / process_creation: 65
windows / network_connection: 52
proxy: 52
linux / auditd: 48
azure / activitylogs: 43
aws / cloudtrail: 42
windows / registry_event: 38
azure / auditlogs: 38
windows / ps_module: 33
windows / application: 28
azure / signinlogs: 24
okta / okta: 22
windows / process_access: 22
windows / dns_query: 21
azure / riskdetection: 19
opencanary / application: 18
windows / pipe_created: 18
linux: 17
rpc_firewall / application: 17
gcp / gcp.audit: 16
windows / windefend: 16
bitbucket / audit: 14
windows / file_delete: 13
github / audit: 13
m365 / threat_management: 13
windows / create_remote_thread: 13
cisco / aaa: 12
windows / driver_load: 10
windows / codeintegrity-operational: 10
windows / ps_classic_start: 10
kubernetes / application / audit: 10
windows / registry_add: 9
linux / file_event: 9
windows / create_stream_hash: 9
windows / firewall-as: 8
windows / msexchange-management: 8
dns: 8
windows / bits-client: 7
gcp / google_workspace.admin: 7
windows / registry_delete: 7
zeek / smb_files: 7
antivirus: 7
azure / pim: 7
windows / appxdeployment-server: 7
windows / file_access: 6
windows / dns-client: 6
linux / network_connection: 5
jvm / application: 5
kubernetes / audit: 5
zeek / dce_rpc: 4
zeek / dns: 4
windows / sysmon: 4
windows / taskscheduler: 4
windows / iis-configuration: 4
linux / sshd: 3
zeek / http: 3
windows / wmi_event: 3
windows / powershell-classic: 3
windows / ntlm: 3
windows / file_change: 2
firewall: 2
windows / security-mitigations: 2
spring / application: 2
linux / syslog: 2
m365 / audit: 2
windows / dns-server: 2
apache: 2
onelogin / onelogin.events: 2
macos / file_event: 2
qualys: 2
juniper / bgp: 1
windows / appmodel-runtime: 1
windows / ldap: 1
windows / smbclient-connectivity: 1
linux / cron: 1
huawei / bgp: 1
windows / applocker: 1
windows / openssh: 1
windows / process_tampering: 1
nodejs / application: 1
paloalto / file_event / globalprotect: 1
cisco / duo: 1
windows / appxpackaging-om: 1
python / application: 1
paloalto / appliance / globalprotect: 1
linux / clamav: 1
windows / raw_access_thread: 1
zeek / x509: 1
windows / certificateservicesclient-lifecycle-system: 1
windows / shell-core: 1
windows / capi2: 1
windows / microsoft-servicebus-client: 1
windows / file_executable_detected: 1
velocity / application: 1
ruby_on_rails / application: 1
m365 / exchange: 1
linux / vsftpd: 1
windows / diagnosis-scripted: 1
windows / smbclient-security: 1
windows / file_rename: 1
sql / application: 1
linux / sudo: 1
zeek / rdp: 1
windows / sysmon_status: 1
m365 / threat_detection: 1
zeek / kerberos: 1
windows / terminalservices-localsessionmanager: 1
windows / sysmon_error: 1
database: 1
windows / driver-framework: 1
windows: 1
windows / dns-server-analytic: 1
nginx: 1
windows / printservice-admin: 1
windows / wmi: 1
windows / ps_classic_provider_start: 1
windows / printservice-operational: 1
netflow: 1
cisco / ldp: 1
cisco / bgp: 1
windows / lsa-server: 1
fortios / sslvpnd: 1
linux / auth: 1
django / application: 1
cisco / syslog: 1
linux / guacamole: 1
Sigma Rules Per Category (Nextron Private Feed)
Type (log source): Count
windows / process_creation: 237
windows / registry_set: 63
windows / ps_script: 56
windows / wmi: 29
windows / file_event: 23
windows / image_load: 19
proxy: 12
windows / security: 11
linux / process_creation: 11
windows / network_connection: 7
windows / system: 7
windows / registry_event: 6
windows / kernel-event-tracing: 6
windows / ntfs: 5
windows / ps_module: 5
windows / create_remote_thread: 4
windows / sense: 4
windows / pipe_created: 4
windows / application-experience: 3
windows / registry_delete: 3
windows / hyper-v-worker: 3
windows / ps_classic_script: 3
webserver: 3
windows / vhd: 3
windows / driver_load: 2
windows / bits-client: 2
windows / kernel-shimengine: 2
windows / taskscheduler: 2
windows / application: 1
windows / audit-cve: 1
windows / codeintegrity-operational: 1
windows / file_access: 1
windows / file_delete: 1
windows / registry-setinformation: 1
windows / firewall-as: 1
windows / windefend: 1
windows / dns_query: 1
windows / file_rename: 1
macos / process_creation: 1
windows / amsi: 1
windows / process_access: 1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file, so combine the rules you want to use into one file before uploading
- The filesystem scan has to be activated
- You have to define the target locations (the directories Nessus should scan)
- The Nessus plugin ID is 91990
- Only files with the following extensions are scanned (anything else on the target is skipped by the YARA check): .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
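As an added example (not Tenable's code and not part of the page), the Python below prepares rules for the constraints listed above: it merges several rule files into the single .yar file Nessus accepts, refusing duplicate rule identifiers and hoisting repeated import statements to the top, and it reports which candidate files on a target would be skipped because their extension is not on the list. The extension list is copied from the page as printed, truncated-looking entries included, so a .dll file is reported as skipped. The sample rule files and paths are constructed for the demo.

```python
import os
import re

# Extension allow-list copied from the Nessus notes above exactly as printed,
# duplicates removed; entries that look truncated (.dl, .cp, .ps1xm, .ps2xm) are
# kept as the page shows them rather than guessed at.
NESSUS_SCANNABLE_EXTENSIONS = {
    '.application', '.asp', '.aspx', '.bat', '.chm', '.class', '.cmd', '.com', '.cp',
    '.csh', '.dl', '.doc', '.docx', '.drv', '.exe', '.gadget', '.hta', '.inf', '.ins',
    '.inx', '.isu', '.jar', '.job', '.jpeg', '.jpg', '.js', '.jse', '.jsp', '.lnk',
    '.msc', '.msi', '.msp', '.mst', '.paf', '.pdf', '.php', '.pif', '.ppt', '.pptx',
    '.ps1', '.ps1xm', '.ps2', '.ps2xm', '.psc1', '.psc2', '.reg', '.rgs', '.scf',
    '.scr', '.sct', '.shb', '.shs', '.swf', '.sys', '.u3p', '.vb', '.vbe', '.vbs',
    '.vbscript', '.ws', '.wsf', '.xls',
}

# Constructed rule files standing in for per-category .yar downloads.
SAMPLE_RULE_FILES = {
    'webshells.yar': '''import "pe"

rule Example_Webshell_Indicator
{
    strings:
        $a = "eval(base64_decode(" ascii
    condition:
        $a
}
''',
    'hacktools.yar': '''import "pe"

rule Example_Hacktool_Indicator
{
    strings:
        $a = "mimikatz" ascii wide nocase
    condition:
        pe.number_of_sections > 0 and $a
}
''',
}

# Constructed target paths for the coverage check.
SAMPLE_PATHS = [
    r'C:\inetpub\wwwroot\upload\shell.aspx',
    r'C:\Users\Public\run.ps1',
    r'C:\Windows\Temp\svc.exe',
    r'/var/www/html/index.php',
    r'C:\Users\Public\loader.dll',   # only ".dl" appears on the page, so .dll is skipped
    r'C:\Users\Public\notes.txt',
    r'C:\Users\Public\archive.zip',
]

# Identifier-level scan of rule headers and imports (not a full YARA parser)
RULE_NAME_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.MULTILINE)
IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"[ \t]*$', re.MULTILINE)


def merge_rule_files(rule_texts):
    """Concatenate several rule sets into the single .yar that Nessus accepts.

    Duplicate rule identifiers raise ValueError (YARA rejects a file that defines
    the same name twice); module imports are hoisted to the top and de-duplicated.
    Returns (merged_text, {rule_name: source_file}).
    """
    seen = {}
    imports = []
    bodies = []
    for fname, text in rule_texts.items():
        for name in RULE_NAME_RE.findall(text):
            if name in seen:
                raise ValueError(f'rule {name} is defined in both {seen[name]} and {fname}')
            seen[name] = fname
        for mod in IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        bodies.append(f'// ---- {fname} ----\n{IMPORT_RE.sub("", text).strip()}\n')
    header = ''.join(f'import "{m}"\n' for m in imports)
    return header + '\n' + '\n'.join(bodies), seen


def coverage(paths):
    """Split candidate paths into (scanned, skipped) by the extension allow-list only."""
    scanned, skipped = [], []
    for p in paths:
        ext = os.path.splitext(p)[1].lower()
        (scanned if ext in NESSUS_SCANNABLE_EXTENSIONS else skipped).append(p)
    return scanned, skipped


if __name__ == '__main__':
    merged, names = merge_rule_files(SAMPLE_RULE_FILES)
    print(merged)
    print('rules:', sorted(names))
    scanned, skipped = coverage(SAMPLE_PATHS)
    print('skipped by Nessus extension filter:', skipped)
```

Run the coverage check against a listing of the directories you configured as target locations before relying on the scan; the skipped list shows where a full-filesystem scanner such as THOR or a stand-alone YARA run is still needed.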