currently serving 24113 YARA rules and 4591 Sigma rules
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set

| Rule | Date | Description |
| --- | --- | --- |
| HKTL_CVE_2021_34473_May26 | 17.05.2026 | Detects an exploit for Microsoft Exchange CVE-2021-34473 (ProxyShell) |
| HKTL_Proxyshell_Enumerate_May26 | 17.05.2026 | Detects a tool that exploits CVE-2021-26855 / CVE-2021-34473 to enumerate mailboxes, search emails by keyword and download entire inbox contents including attachments, all without authentication |
| HKTL_Proxyshell_RCE_May26 | 17.05.2026 | Detects an Exchange Management Shell command executor that uses PowerShell Remoting (PSRP) |
| MAL_Vuln_Scanner_Launcher_May26 | 17.05.2026 | Detects an automated vulnerability scanner launcher |
| MAL_Proxy_Server_May26 | 17.05.2026 | Detects a custom proxy server |
| MAL_FortiGate_Enumeration_May26 | 17.05.2026 | Detects a tool that filters and processes FortiGate enumeration results |
| MAL_FortiGate_Endpoint_Extractor_May26 | 17.05.2026 | Detects a custom binary that extracts URLs/endpoints from FortiGate scan results |
| MAL_FortiGate_Password_Extractor_May26 | 17.05.2026 | Detects a custom binary that extracts passwords / system configuration from FortiGate devices |
| MAL_Kscan_Endpoint_Extractor_May26 | 17.05.2026 | Detects a tool that extracts HTTP endpoints from kscan (port scanner) results, which are then fed into nuclei for vulnerability scanning |
| MAL_PCPJack_Stealer_May26 | 12.05.2026 | Detects the PCPJack stealer, written in Python, which targets Brevo, Slack, ElasticEmail, AWS and WordPress credentials |
| MAL_PCPJack_Sandbox_Evasion_Module_May26 | 12.05.2026 | Detects a PCPJack sandbox evasion module written in Python that checks the host against AWS and Azure IP ranges |
| HKTL_HashDumper_May26 | 11.05.2026 | Detects the HashDump hacktool, which extracts the boot key used to decrypt the SAM/SYSTEM/SECURITY hives |
| HKTL_PS1_HashDumper_May26 | 11.05.2026 | Detects PowerShell scripts that reconstruct binary SAM/SYSTEM/SECURITY hive files from .reg files |
| MAL_Shellcode_Loader_May26_1 | 11.05.2026 | Detects a shellcode loader seen being used to load Remcos RAT |
| MAL_OBFUSC_NodeJS_GhostLoader_May26 | 11.05.2026 | Detects an obfuscated Node.js Ghost loader credential harvester targeting developer tokens and system passwords |
| MAL_TCLBanker_Loader_May26 | 10.05.2026 | Detects TCLBanker, used to load a RAT in the next stage. TCLBanker is an evasive malware family focused on online banking credential theft in the LATAM region. |
| MAL_Cobalt_Strike_Veeam_Dumper_Beacon_May26 | 08.05.2026 | Detects a Cobalt Strike beacon designed to extract credentials from Veeam backup solutions |
| SUSP_ELF_EXPL_Indicators_May26 | 08.05.2026 | Detects suspicious indicators in ELF files or source code related to public exploit PoCs, including specific strings and code fragments observed in online proof-of-concept material |
| EXPL_LNX_DirtyFrag_ForensicArtefacts_May26 | 08.05.2026 | Detects forensic artefacts of DirtyFrag exploit PoC usage in Linux environments |
| MAL_PCPJack_Recon_Module_May26 | 08.05.2026 | Detects a PCPJack recon module written in Python that probes Docker, Redis, Ray, Kubernetes and MongoDB services |
| MAL_PCPJack_Cloud_Credential_Harvester_May26 | 08.05.2026 | Detects a PCPJack cloud credential harvester written in Python that exfiltrates SSH keys and container secrets via a Telegram bot |
| MAL_PCPJack_Encryptor_Module_May26 | 08.05.2026 | Detects a PCPJack exfil module written in Python that encrypts harvested credentials with X25519 and ChaCha20-Poly1305 |
| MAL_PCPJack_Downloader_May26 | 08.05.2026 | Detects a PCPJack dropper written in Bash that removes the rival TeamPCP miner and stages the next-stage payload |
| EXPL_LNX_DirtyFragLPE_May26 | 07.05.2026 | Detects DirtyFrag, a local privilege escalation exploit for Linux |
| EXPL_HKTL_LNX_DirtyFragShellcode_May26 | 07.05.2026 | Detects shellcode observed in DirtyFrag, a local privilege escalation exploit for Linux |
| MAL_LotusLite_ShellCode_Loader_May26 | 06.05.2026 | Detects a loader that stages shellcode in memory to download and execute the LotusLite backdoor deployed by the Mustang Panda APT group |
| MAL_LotusLite_ShellCode_May26 | 06.05.2026 | Detects shellcode used to download and execute the LotusLite backdoor deployed by the Mustang Panda APT group |
| MAL_APT_UNC6692_SnowBelt_Chrome_Extension_Backdoor_May26 | 05.05.2026 | Detects the SnowBelt backdoor, delivered via a Chrome extension, which communicates with an S3 bucket and pushes commands to SnowBasin, a local agent on the infected system; seen being used by the UNC6692 APT group |
| MAL_APT_UNC6692_SnowBasin_Backdoor_May26 | 05.05.2026 | Detects the SnowBasin backdoor written in Python, a local agent used by the UNC6692 APT group to execute commands on the infected system |
Successful YARA Rules in Set
This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
| --- | --- | --- |
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

| Rule | AVs | Hash (SHA-256) |
| --- | --- | --- |
| PUA_ConnectWise_ScreenConnect_Mar23 | 10 | 3ac637e12c6e918488a4bffad071631e37af43825aa1bd2cb4f1e1f742089c5a |
| PUA_ConnectWise_ScreenConnect_Mar23 | 8 | 6ee3ff95b3ddd77c84ecbb49a2406eef3af1bb7b47e7dcab8f9349af95eb45fe |
| PUA_ConnectWise_ScreenConnect_Mar23 | 14 | 8e9374c9990941e68845113ddd8809ebb4aa517679db46c4f4bca287a7ce09a3 |
| SUSP_Javascript_Obfuscation_NonAscii_Apr25 | 7 | 03273dba9887ba54a12de574dbfd66f33473f05db9c4701753e22e1eb547355f |
| SUSP_Wextract_Anomaly_Unsigned_May23 | 10 | d60e482879c4c59d1caa0fa345c11f3061cfe093d20fea338cfa2802a5417894 |
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in 'n' categories)

| Tag | Count |
| --- | --- |
| Malware | 7638 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5906 |
| APT | 5061 |
| Hacktools | 4867 |
| Webshells | 2402 |
| Exploits | 733 |
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set (rule name, date added, description)

Self-Referential Payload Extraction via PowerShell Command Line (12.05.2026)
Detects PowerShell one-liners that read a file's content, extract an embedded payload via regex matching, and write the result to disk for further execution. This self-referential technique allows an attacker to embed a full implant within a single carrier file and extract it at runtime, avoiding external network-based downloads entirely. The payload is typically delimited by sentinel markers (e.g. #PYTHON_START / #PYTHON_END) and dropped to a persistent location.

Self-Referential Payload Extraction via PowerShell (12.05.2026)
Script counterpart of the rule above: detects PowerShell scripts that read file content, extract an embedded payload via regex matching, and write the result to disk for further execution, with the same sentinel-marker pattern.

PowerShell Dynamic Module Command Invocation via Index Access - PsScript (11.05.2026)
Detects PowerShell scripts that dynamically invoke commands from the Microsoft.PowerShell.Utility module using index access on the ExportedCommands collection. Threat actors may use this technique to bypass detection mechanisms that look for specific command names, as the actual commands being invoked are determined at runtime and may not be explicitly mentioned in the script.

PowerShell Dynamic Module Command Invocation via Index Access (11.05.2026)
Same technique as the PsScript rule above: dynamic invocation of Microsoft.PowerShell.Utility commands via index access on the ExportedCommands collection, so that the invoked command names never appear literally in the script.

HH.EXE CHM File Decompilation (08.05.2026)
Detects execution of hh.exe with the -decompile (-d) flag to extract the contents of a CHM file. Threat actors abuse this technique to drop and execute malicious payloads embedded in CHM files.

HH.EXE CHM Decompilation With Non-CHM File Extension (08.05.2026)
Detects execution of hh.exe with the -decompile (-d) flag where no .chm extension is present in the command line. Threat actors disguise CHM files with alternative extensions (e.g. .doc, .pdf) to evade detection, then pass them to hh.exe for decompilation and payload extraction.

Net User Logon Time Restriction and Account Lockout (04.05.2026)
Detects usage of the net user command to set logon time restrictions and disable accounts, a technique used by wipers to prevent user logins and lock out accounts, hindering recovery efforts.

Network Interface Disabled Via Netsh (04.05.2026)
Detects netsh being used to disable a network interface. Threat actors abuse this to cut off network connectivity and prevent remote recovery or intervention during destructive attacks.

Winlogon CachedLogonsCount Registry Manipulation Via CLI (04.05.2026)
Detects command-line manipulation of the CachedLogonsCount registry value under the Winlogon key. This value controls how many domain credential sets Windows caches locally; setting it to zero disables caching entirely, forcing direct domain controller authentication. Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise.

Robocopy Mirror Directory Wipe (04.05.2026)
Detects robocopy invoked with the /MIR and /B flags, a technique commonly abused by wipers to overwrite entire directory trees by mirroring an empty source folder in backup mode, permanently destroying all file contents.

Diskpart Volume Clean All Execution (04.05.2026)
Detects the execution of diskpart's "clean all" command, which permanently destroys all data on the selected disk by overwriting every sector with zeros. Threat actors abuse this for data destruction and wiper attacks.

Winlogon CachedLogonsCount Registry Value Set To Zero (04.05.2026)
Detects registry set events where the CachedLogonsCount value under the Winlogon key is set to zero. This disables Windows cached domain credentials, forcing direct domain controller authentication. Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise.

Large File Creation Via Fsutil (04.05.2026)
Detects fsutil being used to create a new file with a suspiciously large size. Threat actors abuse this technique to fill all available disk space, exhausting the filesystem and preventing the OS from writing logs, recovery artifacts, or any new data.

Free Disk Space Enumeration Via Fsutil (04.05.2026)
Detects the use of fsutil to enumerate free disk space on a volume. Threat actors may abuse this to determine available space before carrying out further actions such as data destruction or exfiltration.
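The command-line rules above (the PowerShell sentinel-marker extraction, hh.exe -decompile without a .chm extension, and the wiper cluster: net user /times, netsh interface disable, robocopy /MIR /B, CachedLogonsCount via reg.exe, oversized fsutil createnew) all reduce to Sigma-style field/modifier tests over process_creation events. The following Python is an added example, not Nextron's rule logic and not the Sigma specification: a minimal matcher for the contains, contains|all, endswith and re modifiers plus a negating filter, run over constructed events. The selections are assumptions loosely modelled on the descriptions, not the shipped rules, and the 10-digit size threshold for fsutil is likewise assumed.

```python
import re

# Constructed process_creation events (not real telemetry). Field names follow
# the Sysmon/Sigma process_creation schema; ids 8-10 are benign noise.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user backupadmin /times:M-F,00:00-00:01 /active:no"},
    {"id": 2, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh interface set interface "Ethernet" admin=disable'},
    {"id": 3, "Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy C:\empty D:\Data /MIR /B"},
    {"id": 4, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
                    r"/v CachedLogonsCount /t REG_SZ /d 0 /f"},
    {"id": 5, "Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": r"fsutil file createnew C:\fill.bin 900000000000"},
    {"id": 6, "Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe -decompile C:\Users\Public\out C:\Users\Public\invoice.pdf"},
    {"id": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c $c=Get-Content $PSCommandPath -Raw; "
                    r"if($c -match '(?s)#PYTHON_START(.*)#PYTHON_END'){Set-Content C:\ProgramData\svc.py $Matches[1]}"},
    {"id": 8, "Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy C:\Data D:\Backup /MIR /R:1"},
    {"id": 9, "Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe C:\Program Files\App\help.chm"},
    {"id": 10, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user alice /domain"},
]

# Each rule: a selection (all conditions must hold) and optional filters
# (any filter that holds suppresses the match), i.e. "selection and not filter".
# These selections are assumptions modelled on the descriptions above.
RULES = [
    {"title": "Net User Logon Time Restriction and Account Lockout",
     "selection": [("Image", "endswith", [r"\net.exe", r"\net1.exe"]),
                   ("CommandLine", "contains|all", [" user ", "/times:"])]},
    {"title": "Network Interface Disabled Via Netsh",
     "selection": [("Image", "endswith", [r"\netsh.exe"]),
                   ("CommandLine", "contains|all", ["set interface", "disable"])]},
    {"title": "Robocopy Mirror Directory Wipe",
     "selection": [("Image", "endswith", [r"\robocopy.exe"]),
                   ("CommandLine", "contains|all", [" /mir", " /b"])]},
    {"title": "Winlogon CachedLogonsCount Registry Manipulation Via CLI",
     "selection": [("Image", "endswith", [r"\reg.exe"]),
                   ("CommandLine", "contains|all", ["winlogon", "cachedlogonscount"])]},
    {"title": "Large File Creation Via Fsutil",
     "selection": [("Image", "endswith", [r"\fsutil.exe"]),
                   ("CommandLine", "contains|all", ["file", "createnew"]),
                   # assumed threshold: a size argument of ten or more digits (roughly >= 1 GB)
                   ("CommandLine", "re", [r"createnew\s+\S+\s+\d{10,}"])]},
    {"title": "HH.EXE CHM Decompilation With Non-CHM File Extension",
     "selection": [("Image", "endswith", [r"\hh.exe"]),
                   ("CommandLine", "contains", ["-decompile", " -d "])],
     "filters": [[("CommandLine", "contains", [".chm"])]]},
    {"title": "Self-Referential Payload Extraction via PowerShell Command Line",
     "selection": [("Image", "endswith", [r"\powershell.exe", r"\pwsh.exe"]),
                   ("CommandLine", "contains|all", ["get-content", "-match", "set-content"])]},
]


def _field_matches(value, modifier, patterns):
    """Sigma-style value test; string modifiers are case-insensitive, as in Sigma."""
    low = value.lower()
    if modifier == "contains":
        return any(p.lower() in low for p in patterns)
    if modifier == "contains|all":
        return all(p.lower() in low for p in patterns)
    if modifier == "endswith":
        return any(low.endswith(p.lower()) for p in patterns)
    if modifier == "re":
        return any(re.search(p, value, re.IGNORECASE) for p in patterns)
    raise ValueError(f"unsupported modifier {modifier}")


def _block_matches(event, block):
    return all(_field_matches(str(event.get(field, "")), mod, pats) for field, mod, pats in block)


def evaluate(event, rule):
    """Condition: selection and not (filter_1 or filter_2 ...)."""
    if not _block_matches(event, rule["selection"]):
        return False
    return not any(_block_matches(event, f) for f in rule.get("filters", []))


def run_rules(events, rules):
    """Return (event id, rule title) pairs for every rule that fires on an event."""
    return [(ev["id"], r["title"]) for ev in events for r in rules if evaluate(ev, r)]


if __name__ == "__main__":
    for event_id, title in run_rules(EVENTS, RULES):
        print(f"event {event_id}: {title}")
```

Events 1 to 7 each fire exactly one rule; the benign robocopy backup, the plain hh.exe help invocation and net user /domain fire none. The hh.exe rule shows why the filter matters: the same -decompile selection would also hit legitimate CHM handling, so the ".chm" filter is what turns "decompile" into "decompile of a disguised file".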
Kubernetes Potential Enumeration Activity (28.04.2026)
Detects potential Kubernetes enumeration or attack activity via the audit log, including the execution of common shells, utilities, or specialized tools such as 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or code execution (exec) within a cluster.

Google Workspace Out Of Domain Email Forwarding (28.04.2026)
Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.

Google Workspace Government Attack Warning (28.04.2026)
Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor.

Suspicious Login Activity Classified By Google (28.04.2026)
Detects Google Workspace login activity that is classified as suspicious by Google.

Cisco Dot1x Disabled (28.04.2026)
Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.

Potential Exploitation of CVE-2025-5054 or CVE-2025-4598 (28.04.2026)
Detects attempts by an attacker to enable core dumps for set-user-ID (SUID) processes by modifying /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2. Enabling this allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges; these dumps may contain sensitive information such as passwords, cryptographic keys or other secrets. CVE-2025-5054: information leak via core dumps from SUID binaries using apport. CVE-2025-4598: information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.

Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI (28.04.2026)
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:). An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource. When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash. HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access. The URI can be delivered via a malicious hyperlink, phishing email, or web page.

Sensitive File Dump Via Print.EXE (28.04.2026)
Detects abuse of the Print.exe utility for credential harvesting: Print.exe is used to copy sensitive files such as ntds.dit, SAM, SECURITY or SYSTEM from the Windows directory, locally or remotely, in order to extract credentials from them.

PUA - Memory Dump Mount Via MemProcFS (27.04.2026)
Detects execution of MemProcFS, a memory forensics tool, with the '-device' parameter. MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. Threat actors have been seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS, or to extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials. MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.

Service Startup Type Change Via Wmic.EXE (27.04.2026)
Detects changes to a service's startup type to 'disabled' or 'manual' using the WMIC command-line utility.

Suspicious Task Scheduler XML Pattern Related with AtExec (27.04.2026)
Detects creation of scheduled tasks with XML patterns commonly associated with atexec, a component of the NetExec tool that executes commands via scheduled tasks for persistence and privilege escalation.

Suspicious Certificate Request Pattern via CertReq (27.04.2026)
Detects suspicious certificate request patterns that may indicate abuse of certreq.exe for privilege escalation or lateral movement.

Indirect Command Execution via SFTP ProxyCommand (27.04.2026)
Detects the use of sftp.exe to execute commands indirectly via the ProxyCommand option. Threat actors have been seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.

RedSun - TieringEngineService.exe Detected as EICAR Test File (17.04.2026)
Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass / privilege escalation tool. RedSun works as follows:
1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers, holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

RedSun - Conhost.exe Spawned by TieringEngineService.exe (17.04.2026)
Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
Observed process chain:
services.exe
  → TieringEngineService.exe
    → conhost.exe (SYSTEM, CommandLine: bare path, no arguments)
      → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session)
Stage 1, TieringEngineService.exe spawns an argument-less conhost.exe: after winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects that it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments.
Stage 2, shell spawned from the rogue conhost.exe (EDR sources with GrandParentImage): the rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.

RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir (17.04.2026)
Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe). RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain. The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.
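The RedSun process-chain rule differs from the single-event rules earlier in the list: stage 2 needs the grandparent image, which most log sources do not carry on the event itself, so the chain has to be rebuilt from parent links. The Python below is an added example, not Nextron's rule or the RedSun tool's code: it links constructed Sysmon-style events by ProcessGuid (PIDs are reused, so correlating on PID alone is unreliable), flags the bare-path conhost.exe under TieringEngineService.exe and the shell beneath it, and adds a path check for the RS-{GUID} staging directory. The GUID layout in the staging-path regex, with or without braces, is an assumption; the page only says "RS-{GUID}".

```python
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed Sysmon-style process_creation events (not real telemetry). The
# first four are the RedSun chain from the rule description; the last two are a
# benign cmd.exe -> conhost.exe pair that must not fire.
EVENTS = [
    {"ProcessGuid": "g-svc", "ParentProcessGuid": "g-wininit",
     "Image": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 0},
    {"ProcessGuid": "g-tier", "ParentProcessGuid": "g-svc",
     "Image": r"C:\Windows\System32\TieringEngineService.exe",
     "CommandLine": r"C:\Windows\System32\TieringEngineService.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 0},
    {"ProcessGuid": "g-con", "ParentProcessGuid": "g-tier",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\System32\conhost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 2},
    {"ProcessGuid": "g-cmd", "ParentProcessGuid": "g-con",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 2},
    {"ProcessGuid": "g-cmd2", "ParentProcessGuid": "g-explorer",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "User": r"CORP\alice", "TerminalSessionId": 2},
    {"ProcessGuid": "g-con2", "ParentProcessGuid": "g-cmd2",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4",
     "User": r"CORP\alice", "TerminalSessionId": 2},
]


def _base(image):
    return image.rsplit("\\", 1)[-1].lower()


def _is_bare_path(cmdline, image):
    """True when the command line is just the image path, with no arguments."""
    return cmdline.strip().strip('"').lower() == image.lower()


def find_redsun_chains(events):
    """Link every event to its parent and grandparent via ProcessGuid and flag the
    two RedSun stages. Returns (stage, ProcessGuid, TerminalSessionId) tuples; a
    SYSTEM shell reported in a non-zero session is the attacker's interactive one."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_guid.get(e["ParentProcessGuid"])
        if parent is None:
            continue
        # Stage 1: argument-less conhost.exe whose parent is TieringEngineService.exe
        if (_base(e["Image"]) == "conhost.exe"
                and _base(parent["Image"]) == "tieringengineservice.exe"
                and _is_bare_path(e["CommandLine"], e["Image"])):
            alerts.append(("stage1", e["ProcessGuid"], e["TerminalSessionId"]))
        # Stage 2: a shell under that conhost.exe; needs the grandparent link
        grandparent = by_guid.get(parent["ParentProcessGuid"])
        if (grandparent is not None
                and _base(e["Image"]) in SHELLS
                and _base(parent["Image"]) == "conhost.exe"
                and _base(grandparent["Image"]) == "tieringengineservice.exe"):
            alerts.append(("stage2", e["ProcessGuid"], e["TerminalSessionId"]))
    return alerts


# Assumed layout of the staging path: an RS- prefix followed by a GUID, with or
# without braces, directly containing TieringEngineService.exe (file_event rule).
_STAGING_RE = re.compile(
    r"\\RS-\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
    r"\\TieringEngineService\.exe$", re.IGNORECASE)


def is_redsun_staging_path(target_filename):
    return _STAGING_RE.search(target_filename) is not None


if __name__ == "__main__":
    for stage, guid, session in find_redsun_chains(EVENTS):
        print(f"{stage}: {guid} (session {session})")
```

On telemetry that only carries ParentImage, stage 1 is the part that can still be matched statelessly; stage 2 requires either a GrandParentImage field or the GUID lookup shown here, and the lookup only works if the parent's creation event was ingested before the child's is evaluated.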
YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
| --- | --- | --- |
| YARA | 2823 | 21290 |
| Sigma | 3589 | 1002 |
Sigma Rules Per Category (Community)

| Type | Count |
| --- | --- |
| windows / process_creation | 1350 |
| windows / registry_set | 219 |
| windows / file_event | 209 |
| windows / ps_script | 166 |
| windows / security | 160 |
| linux / process_creation | 139 |
| windows / image_load | 114 |
| webserver | 82 |
| windows / system | 74 |
| macos / process_creation | 69 |
| aws / cloudtrail | 55 |
| proxy | 54 |
| linux / auditd | 53 |
| windows / network_connection | 53 |
| azure / activitylogs | 42 |
| windows / registry_event | 40 |
| azure / auditlogs | 38 |
| windows / ps_module | 33 |
| windows / application | 31 |
| windows / dns_query | 27 |
| windows / process_access | 25 |
| azure / signinlogs | 24 |
| opencanary / application | 24 |
| okta / okta | 22 |
| azure / riskdetection | 19 |
| windows / pipe_created | 19 |
| windows / windefend | 17 |
| rpc_firewall / application | 17 |
| linux | 16 |
| gcp / gcp.audit | 16 |
| github / audit | 15 |
| linux / file_event | 15 |
| bitbucket / audit | 14 |
| cisco / aaa | 13 |
| windows / file_delete | 13 |
| m365 / threat_management | 13 |
| windows / create_remote_thread | 12 |
| dns | 10 |
| windows / driver_load | 10 |
| windows / registry_delete | 10 |
| kubernetes / application / audit | 10 |
| windows / codeintegrity-operational | 10 |
| windows / ps_classic_start | 9 |
| windows / create_stream_hash | 9 |
| windows / appxdeployment-server | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| antivirus | 7 |
| fortigate / event | 7 |
| windows / file_access | 7 |
| azure / pim | 7 |
| windows / bits-client | 7 |
| zeek / smb_files | 7 |
| gcp / google_workspace.admin | 7 |
| kubernetes / audit | 6 |
| windows / dns-client | 6 |
| jvm / application | 5 |
| zeek / dns | 5 |
| linux / network_connection | 5 |
| zeek / http | 5 |
| windows / taskscheduler | 4 |
| windows / iis-configuration | 4 |
| zeek / dce_rpc | 4 |
| m365 / audit | 4 |
| windows / sysmon | 4 |
| macos / file_event | 4 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| windows / registry_add | 3 |
| linux / sshd | 3 |
| gcp / google_workspace.login | 3 |
| onelogin / onelogin.events | 2 |
| firewall | 2 |
| windows / security-mitigations | 2 |
| linux / syslog | 2 |
| spring / application | 2 |
| windows / dns-server | 2 |
| apache | 2 |
| velocity / application | 1 |
| linux / sudo | 1 |
| cisco / duo | 1 |
| nginx | 1 |
| windows / wmi | 1 |
| windows / dns-server-analytic | 1 |
| cisco / bgp | 1 |
| windows / ldap | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-admin | 1 |
| database | 1 |
| cisco / ldp | 1 |
| windows / lsa-server | 1 |
| django / application | 1 |
| windows / printservice-operational | 1 |
| linux / clamav | 1 |
| linux / auth | 1 |
| linux / guacamole | 1 |
| windows / appmodel-runtime | 1 |
| fortios / sslvpnd | 1 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| windows / openssh | 1 |
| cisco / syslog | 1 |
| linux / cron | 1 |
| huawei / bgp | 1 |
| windows / appxpackaging-om | 1 |
| windows / process_tampering | 1 |
| windows / smbclient-connectivity | 1 |
| windows / smbserver-connectivity | 1 |
| windows / file_change | 1 |
| nodejs / application | 1 |
| paloalto / file_event / globalprotect | 1 |
| linux / vsftpd | 1 |
| windows / capi2 | 1 |
| windows / microsoft-servicebus-client | 1 |
| windows / raw_access_thread | 1 |
| paloalto / appliance / globalprotect | 1 |
| zeek / x509 | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| python / application | 1 |
| windows / shell-core | 1 |
| windows / file_executable_detected | 1 |
| windows / diagnosis-scripted | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| zeek / rdp | 1 |
| windows / sysmon_error | 1 |
| zeek / kerberos | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / sysmon_status | 1 |
| sql / application | 1 |
| m365 / threat_detection | 1 |
| windows / driver-framework | 1 |
| windows | 1 |
Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
| --- | --- |
| windows / process_creation | 496 |
| windows / ps_script | 87 |
| windows / registry_set | 87 |
| linux / process_creation | 51 |
| windows / file_event | 47 |
| windows / image_load | 46 |
| windows / security | 29 |
| windows / wmi | 29 |
| windows / system | 13 |
| proxy | 12 |
| windows / network_connection | 8 |
| windows / registry_event | 8 |
| windows / kernel-event-tracing | 6 |
| windows / ntfs | 5 |
| windows / ps_module | 5 |
| windows / dns_query | 5 |
| windows / sense | 4 |
| windows / pipe_created | 4 |
| windows / taskscheduler | 4 |
| windows / registry_delete | 4 |
| windows / create_remote_thread | 4 |
| dns | 3 |
| windows / ps_classic_script | 3 |
| webserver | 3 |
| windows / vhd | 3 |
| windows / application-experience | 3 |
| windows / hyper-v-worker | 3 |
| windows / driver_load | 3 |
| windows / file_access | 2 |
| windows / kernel-shimengine | 2 |
| linux / file_event | 2 |
| windows / file_delete | 2 |
| macos / process_creation | 2 |
| windows / smbclient-security | 2 |
| windows / process_access | 2 |
| windows / windefend | 2 |
| windows / bits-client | 2 |
| windows / codeintegrity-operational | 2 |
| windows / firewall-as | 1 |
| windows / file_rename | 1 |
| linux / file_delete | 1 |
| windows / application | 1 |
| windows / amsi | 1 |
| windows / audit-cve | 1 |
| windows / registry-setinformation | 1 |
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- The filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
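Two practical consequences of the constraints above: a rule set that ships as several .yar files has to be merged into one before upload, and anything without a listed extension is never scanned. The Python below is an added example, not Nextron's or Tenable's code: it merges constructed rule files into a single .yar (hoisting and deduplicating module imports, which YARA rejects when repeated, and refusing files that redefine an already-merged rule name, since a duplicate identifier would make the whole upload fail to compile), and it checks a target path against the extension allow-list copied verbatim from the bullet above. The rule files are made up for the example; the allow-list is the published one, including entries that look truncated (e.g. .dl, .ps1xm), which are kept as published rather than guessed at.

```python
import re
from pathlib import PureWindowsPath

# Constructed rule files standing in for several .yar files (not real Valhalla
# rules); Nessus accepts a single upload, so they have to be merged first.
RULE_FILES = {
    "webshells.yar": r'''
import "pe"

rule Webshell_Generic_Eval {
    strings:
        $a = "eval(base64_decode(" ascii
    condition:
        $a
}
''',
    "hacktools.yar": r'''
import "pe"
import "math"

private rule Is_PE {
    condition:
        uint16(0) == 0x5A4D
}

rule HKTL_Example_Dumper {
    strings:
        $s = "SAM\\Domains\\Account" ascii wide
    condition:
        Is_PE and $s
}
''',
    "dupe.yar": r'''
rule Webshell_Generic_Eval {
    strings:
        $a = "eval(" ascii
    condition:
        $a
}
''',
}

_IMPORT_RE = re.compile(r'^[ \t]*import[ \t]+"([^"]+)"[ \t]*$', re.MULTILINE)
_RULE_RE = re.compile(r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)', re.MULTILINE)


def merge_yara(files):
    """Concatenate rule files into one .yar text. Returns (merged_text, problems).
    Imports are hoisted to the top and deduplicated; a file that redefines a rule
    name already merged is skipped and reported instead of producing a .yar that
    fails to compile."""
    imports, bodies, owner, problems = [], [], {}, []
    for name, text in files.items():
        names = _RULE_RE.findall(text)
        clashes = [n for n in names if n in owner]
        if clashes:
            problems.append(f"{name}: rule name(s) {clashes} already defined in "
                            f"{[owner[c] for c in clashes]}, file skipped")
            continue
        for n in names:
            owner[n] = name
        for mod in _IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        bodies.append(f"// ---- from {name}\n" + _IMPORT_RE.sub("", text).strip() + "\n")
    header = "".join(f'import "{m}"\n' for m in imports)
    return header + "\n" + "\n".join(bodies), problems


# Extension allow-list as published above, copied verbatim (including entries
# that look truncated, such as ".dl" and ".ps1xm").
NESSUS_SCANNABLE = {
    ".application", ".asp", ".aspx", ".bat", ".chm", ".class", ".cmd", ".com", ".cp",
    ".csh", ".dl", ".doc", ".docx", ".drv", ".exe", ".gadget", ".hta", ".inf", ".ins",
    ".inx", ".isu", ".jar", ".job", ".jpeg", ".jpg", ".js", ".jse", ".jsp", ".lnk",
    ".msc", ".msi", ".msp", ".mst", ".paf", ".pdf", ".php", ".pif", ".ppt", ".pptx",
    ".ps1", ".ps1xm", ".ps2", ".ps2xm", ".psc1", ".psc2", ".reg", ".rgs", ".scf",
    ".scr", ".sct", ".shb", ".shs", ".swf", ".sys", ".u3p", ".vb", ".vbe", ".vbs",
    ".vbscript", ".ws", ".wsf", ".xls",
}


def nessus_will_scan(path):
    """True if the path carries an extension plugin 91990 considers at all; anything
    else (e.g. .txt or extension-less files) is silently out of scope for the scan."""
    return PureWindowsPath(path).suffix.lower() in NESSUS_SCANNABLE


if __name__ == "__main__":
    merged, problems = merge_yara(RULE_FILES)
    print(merged)
    for p in problems:
        print("WARNING:", p)
```

Run it and write the merged text to the one .yar you upload; any WARNING line names a file whose rule needs renaming before it can be included. The extension check is the piece to run over your target locations beforehand: a dropped ELF or a script saved without an extension will not be looked at, regardless of how good the rule is.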
