currently serving 24259 YARA rules and 4647 Sigma rules
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
MAL_Shellcode_Exploitdb_52297_Jun26
Detects a null-free reverse TCP shell shellcode for Linux x86 that connects back and spawns a /bin/sh shell
29.06.2026
MAL_Shellcode_Exploitdb_52296_Jun26
Detects a Linux/x86-64 execve("/bin/sh") shellcode (36 bytes)
29.06.2026
MAL_Shellcode_Exploitdb_52395_Jun26
Detects a Linux/x86-64 execve("/bin/sh",["-c",cmd],NULL) arbitrary command execution shellcode (63 bytes)
29.06.2026
SUSP_MacOS_Stealer_Jun26
Detects a suspicious path that may indicate a macOS stealer. Further investigation is advised.
26.06.2026
SUSP_LNK_OpenSSH_LOLBIN_Data_Exfiltration_Jun26
Detects LNK files abusing OpenSSH scp.exe as a lolbin to exfiltrate user data.
26.06.2026
SUSP_Batch_Dropper_Jun26
Detects a batch script that copies files via wildcard and establishes persistence through a scheduled task
24.06.2026
MAL_RawWNPF_Rootkit_Jun26
Detects RawWNPF rootkit, a kernel-mode driver that hooks the Windows NDIS driver to intercept and manipulate network traffic, often used for stealthy data exfiltration and command-and-control communication
24.06.2026
MAL_Driver_Loader_Jun26
Detects a driver loader that decrypts an encrypted PE payload from a font disguised file and reflectively maps it to hide from kernel module enumeration
24.06.2026
MAL_SprySOCKS_Backdoor_Jun26
Detects SprySOCKS backdoor that uses 'HP-Socket', a high performance networking framework. It also comes with encrypted WebSocket C2, keylogging, clipboard theft, and Microsoft Vault credential harvesting.
24.06.2026
MAL_MacOS_Amos_Stealer_Jun26
Detects Amos stealer malware targeting macOS systems, known for stealing sensitive information and credentials.
24.06.2026
MAL_Custom_ReSocks_Tool_Jun26
Detects a custom ReSocks tool used by BravoX group to create a reverse socks proxy to route traffic through a compromised host.
23.06.2026
PUA_Windows_TOR_Client_Jun26
Detects Windows TOR client binary. It is generally not used in enterprise environments and can be an indicator of potential infection or unauthorized use of TOR for anonymous communication.
23.06.2026
MAL_GriefLure_Modular_Backdoor_Jun26
Detects a modular backdoor, seen being used by the GriefLure APT
22.06.2026
SUSP_JS_Info_Gather_Jun26
Detects suspicious indicators in JavaScript related to info gathering
22.06.2026
APT_RU_EasterBunny_Forensic_Artifacts_Jun26
Detects artifacts related to APT Easter Bunny
19.06.2026
APT_RU_EasterBunny_Implant_InMemory_Jun26
Detects in-memory implants related to APT Easter Bunny
19.06.2026
HKTL_CS_BOFF_RawHive_Jun26
Detects indicators of the RawHive BOFF technique used by Cobalt Strike, which involves dumping registry hives to temporary files with specific naming patterns
18.06.2026
MAL_Crimson_RAT_Jun26
Detects Crimson RAT, a remote access trojan written in C# with data exfiltration features, seen being used by the SideCopy APT group
17.06.2026
MAL_WHQL_Network_Backdoor_Jun26
Detects the presence of a kernel backdoor executing commands from encrypted network packets
16.06.2026
HKTL_Go_GogoKatz_Jun26
Detects Go rewrite of Mimikatz called Gogokatz, a credentials dumper for Windows, which is often used in post-exploitation activities.
16.06.2026
SUSP_PE_Loader_Indicator_Jun26
Detects characteristics found in malicious loaders
16.06.2026
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
12
2ce433626b365078ea37320639deac6fd0d3ef333e5ccaca9fc22a074c614bb9
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
12
23f04746fbb2e5e6676301ffb0dcd1d834da9e8cf555b72fcc3b68aad3966f15
SUSP_PyInstaller_Gen_Pattern_Feb25
11
a4524f183fdd0540494dd3c614ebefdf13835223da5100fe957afdf53aa5009c
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
12
2566009c7634274a9b7414552700fe0f5f04d38152708f9aa154ac4d52b6e3d5
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
12
675d7355bed17794dd0ff9e688aeb1755453d8779106ae8c0848e8f2a5ec7adc
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
12
399a67262b23af6db4133261c4756a65d0b2c5a329143fbf22a2884a5352cb6b
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
12
853546a959263d8a7a2a446b435e5ff142a2eb78f028807704c5e64081f883ea
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
8
6823f9f11babd33a90b6f2a6c91aaaeff843a384ffad064a464e9f5533c03e7e
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
13
66deb5f004b5dfaf88f63dcf52e7160e68ea54e03883deaafd66336fda2c1a71
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
12
2f0987d65c9117c6a4f18d33322f42370bd54a2f1133840a160b3b7d20b7e8f5
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
13
dcf6ec578fb177a57421f3f9b7b24b4293e8218f4d851a2875fec98ffbfa8eb9
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
13
4328c129fd645640685f7953aebf1167a73957027ea7be8e00502ad3c6b79195
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
12
0e4845891718cb4a94ecc285c422e69e6500a1a9d70bf91967de02545654ce8f
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
7719
Threat Hunting (not subscribable, only in THOR scanner)
5946
APT
5070
Hacktools
4879
Webshells
2403
Exploits
740
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Environment Variable Enumeration Via WMIC
Detects enumeration of environment variables via WMIC using the Win32_Environment class.
Attackers query "environment get name,variablevalue" during host reconnaissance to discover
paths, usernames, and configuration values useful for lateral movement or payload staging.
01.07.2026
File or Directory Enumeration Via WMIC
Detects file or directory enumeration via WMIC using the Win32_Directory or CIM_DataFile classes.
Attackers use these classes to list directories or files on specific drives (e.g., "C:")
during post-exploitation reconnaissance - a technique that bypasses traditional dir /ls command monitoring.
01.07.2026
User Account Password Property Manipulation Via WMIC
Detects manipulation of password-related properties on user accounts via WMIC against
the Win32_UserAccount class. This covers direct password changes as well as policy
modifications such as disabling password expiry or preventing password changes,
all common persistence techniques to maintain access to a backdoor account.
01.07.2026
Startup Item Enumeration Via WMIC
Detects enumeration of startup items via WMIC using the Win32_StartupCommand class.
Attackers query startup items to discover persistence mechanisms that automatically execute
malicious binaries or scripts during system boot or user logon.
01.07.2026
Network Configuration Enumeration Via WMIC NicConfig
Detects enumeration of network interface configuration via WMIC using the "nicconfig" or "nic"
aliases. Attackers commonly query NIC configuration during post-exploitation reconnaissance to
discover IP addresses, MAC addresses, default gateways, and DNS servers — information used to
map the network and pivot to additional targets.
01.07.2026
Suspicious Print Processor Driver Registry Modification
Detects modifications to Windows Print Processor Driver registry values where the configured DLL is not
the default winprint.dll. This may indicate abuse of Print Processors for persistence or privilege
escalation, as used by malware such as SprySOCKS.
26.06.2026
SOCKS Proxy Tunneling Invocation
Detects processes that invoke SOCKS proxy tunneling via command-line arguments.
Threat actors abuse SOCKS-capable tools such as chisel, revsocks,
or custom SSH tunnelers to establish covert C2 channels or bypass network controls.
23.06.2026
PowerShell Enumeration of Claude Code Chat History
Detects PowerShell scripts enumerating or reading files within the Claude Code conversation history directory.
Claude Code stores conversation history as JSONL files under: %USERPROFILE%\.claude\projects\<hash>\<session>.jsonl
Threat actors extract these files and apply regex matching to locate high-value secrets (cloud tokens, private keys,
database passwords) before pivoting to infrastructure such as ESXi hosts via harvested SSH credentials.
11.06.2026
PowerShell One-Liner Targeting Claude Code Chat History
Detects PowerShell one-liners trying to enumerate or read files within the Claude Code conversation history directory.
Claude Code stores conversation history as JSONL files under: %USERPROFILE%\.claude\projects\<hash>\<session>.jsonl
Threat actors extract these files and apply regex matching to locate high-value secrets (cloud tokens, private keys,
database passwords) before pivoting to infrastructure such as ESXi hosts via harvested SSH credentials.
11.06.2026
PowerShell One-Liner Credential Pattern Search
Detects PowerShell or pwsh one-liners whose command line combines a regex or string-matching primitive with
common credential-related keywords. It might indicate an attempt at credential harvesting across local files,
including config files, source code, chat history, etc. looking for secrets such as API keys, tokens,
passwords, or SSH keys.
11.06.2026
GitLab Token Access Via GLAB CLI
Detects the GitLab CLI (glab) being used to retrieve stored authentication tokens.
Threat actors might access such tokens to gain unauthorized access to GitLab repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment.
08.06.2026
GitHub Token Access Via GH CLI - Linux
Detects the GitHub CLI (gh) being used to retrieve stored authentication tokens.
Threat actors might access such tokens to gain unauthorized access to GitHub repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment.
08.06.2026
GitLab Token Access Via GLAB CLI - Linux
Detects the GitLab CLI (glab) being used to retrieve stored authentication tokens.
Threat actors might access such tokens to gain unauthorized access to GitLab repositories, CI/CD pipelines, and other resources, potentially leading to data exfiltration, code tampering, or further lateral movement within the victim's environment.
08.06.2026
Node or Bun Execution from Suspicious Locations - Linux
Detects the execution of build tools such as bun and node from potentially suspicious locations on Linux systems.
In the recent trend of npm supply chain attacks, Threat Actors have been observed to execute
build tools such as bun and node from locations that are not commonly used for legitimate purposes.
08.06.2026
NPM Package Install Executed From Suspicious Location - Linux
Detects the execution of "npm install" via node on Linux from potentially suspicious directories.
It might indicate a malicious package being installed or executed from a non-standard location.
Attackers might use npm packages to execute malicious code on the victim's machine, potentially
leading to data exfiltration, persistence, or further compromise of the system.
08.06.2026
GitHub Token Access Via GH CLI
Detects the GitHub CLI (gh) being used to retrieve stored authentication tokens.
Malicious packages and scripts have been observed using these commands to silently exfiltrate the victim's stored GitHub authentication token.
08.06.2026
NPM Package Install Executed From Suspicious Location
Detects the execution of "npm install" via node.exe from potentially suspicious directories on Windows systems.
It might indicate a malicious package being installed or executed from a non-standard location.
Attackers might use npm packages to execute malicious code on the victim's machine, potentially
leading to data exfiltration, persistence, or further compromise of the system.
08.06.2026
Node or Bun Execution from Suspicious Locations
Detects the execution of build tools such as bun and node from potentially suspicious locations on Windows systems.
In the recent trend of npm supply chain attacks, Threat Actors have been observed to execute
build tools such as bun and node from locations that are not commonly used for legitimate purposes.
08.06.2026
NTLM Hash Leak Via Curl NTLM Authentication
Detects the use of curl with NTLM authentication and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an
attacker-controlled server, enabling offline cracking or relay attacks.
When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials
stored in LSASS — without requiring a plaintext password.
This behavior is exclusive to the curl binary shipped by Microsoft (available since Windows 10 / Windows Server 2019), which is built with SSPI support.
04.06.2026
Uninstall SystemComponent Registry Value Modification via CommandLine
Detects modification of the "SystemComponent" registry value in the "Uninstall" key through command line.
Attackers modify this value to hide installed applications from "Programs and Features", often as part of persistence or defense evasion techniques.
04.06.2026
Audit Policy Category Discovery via Auditpol.EXE
Detects the use of auditpol.exe to query audit policy to discover which audit categories are enabled on the system.
Attackers may use this information to identify potential gaps in security monitoring and adjust their tactics accordingly.
Since this requires elevated privileges, unless it is being used by an administrator for legitimate purposes, it can be
considered suspicious and warrants immediate attention.
04.06.2026
Hiding of an Installed Application from Application Wizard
Detects the SystemComponent DWORD registry value being set to 1 under an application's Uninstall key,
which removes the application from "Programs and Features" and "Add or Remove Programs" visibility.
Threat actors use this technique to hide installed applications from normal administrative review,
as part of persistence or defense evasion strategies.
04.06.2026
LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409).
This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability,
which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service,
leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
02.06.2026
System Time Synchronization With Domain Controller via Net.exe
Detects use of net.exe to query and set the local system time from a domain controller.
Attackers may use this to reset system time after deliberate manipulation, to align clocks for Kerberos-based attacks, or to cover traces of time-based tampering.
02.06.2026
Network Sweep via CMD For Loop
Detects a subnet sweep executed via a CMD for loop iterating over an IP range using the (1,1,N) step pattern.
Attackers use this tool-agnostic pattern for network reconnaissance to identify live hosts or enumerate SMB shares across private subnets.
02.06.2026
AMSI Memory Patching via .NET Reflection - PowerShell
Detects suspicious PowerShell script blocks that attempt to patch AMSI's ScanContent method in memory using the Marshal class.
This technique is used by adversaries to bypass AMSI scanning by replacing the ScanContent function under
"System.Management.Automation.AmsiUtils" with an empty or attacker-controlled method.
01.06.2026
AMSI Memory Patching via .NET Reflection
Detects runtime method handle patching via the Marshal class targeting AMSI's ScanContent method.
Adversaries overwrite method pointers in memory to redirect execution away from monitored code paths,
effectively bypassing AMSI scanning by replacing the ScanContent function under "System.Management.Automation.AmsiUtils" with an empty or attacker-controlled method.
01.06.2026
PowerShell ETW Provider Disabling via CommandLine
Detects attempts to disable or bypass PowerShell Event Tracing for Windows (ETW) via commandline.
This technique can be used to evade script block logging and hinder security monitoring.
01.06.2026
Kubernetes Secrets Dumping via Kubectl
Detects attempts to dump Kubernetes secrets using kubectl.
Attackers with sufficient RBAC permissions may enumerate secrets cluster-wide to harvest credentials, API tokens, TLS certificates, or other sensitive data stored as Kubernetes secrets.
28.05.2026
Cloud Provider Credential Dumping via Environment Variable Grep
Detects attempts to discover cloud provider credentials stored in environment variables by using 'grep' with cloud provider-specific patterns (AWS, Google Cloud, GCloud, Azure).
Attackers commonly enumerate environment variables after gaining initial access to identify or steal credentials for further exploitation, such as lateral movement or data exfiltration.
28.05.2026
YARA/SIGMA Rule Count

Rule Type   Community Feed   Nextron Private Feed
YARA        2797             21462
Sigma       3591             1056
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1351
windows / registry_set
219
windows / file_event
209
windows / ps_script
166
windows / security
160
linux / process_creation
139
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
69
aws / cloudtrail
55
proxy
54
windows / network_connection
53
linux / auditd
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
32
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
opencanary / application
24
okta / okta
22
windows / pipe_created
19
azure / riskdetection
19
windows / windefend
17
rpc_firewall / application
17
linux
16
gcp / gcp.audit
16
github / audit
15
linux / file_event
15
bitbucket / audit
14
m365 / threat_management
13
cisco / aaa
13
windows / file_delete
13
windows / create_remote_thread
12
dns
10
windows / driver_load
10
kubernetes / application / audit
10
windows / registry_delete
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
windows / appxdeployment-server
9
windows / create_stream_hash
9
windows / firewall-as
8
windows / msexchange-management
8
antivirus
7
fortigate / event
7
azure / pim
7
windows / file_access
7
windows / bits-client
7
gcp / google_workspace.admin
7
zeek / smb_files
7
kubernetes / audit
6
windows / dns-client
6
jvm / application
5
zeek / dns
5
linux / network_connection
5
zeek / http
5
macos / file_event
4
windows / taskscheduler
4
windows / sysmon
4
windows / iis-configuration
4
zeek / dce_rpc
4
m365 / audit
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / registry_add
3
gcp / google_workspace.login
3
linux / sshd
3
windows / dns-server
2
spring / application
2
apache
2
onelogin / onelogin.events
2
firewall
2
linux / syslog
2
windows / security-mitigations
2
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
m365 / threat_detection
1
windows / driver-framework
1
sql / application
1
cisco / duo
1
windows
1
velocity / application
1
cisco / bgp
1
nginx
1
linux / sudo
1
windows / ldap
1
windows / wmi
1
windows / dns-server-analytic
1
cisco / ldp
1
windows / lsa-server
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
database
1
linux / guacamole
1
django / application
1
windows / printservice-operational
1
linux / clamav
1
windows / appmodel-runtime
1
linux / auth
1
linux / cron
1
huawei / bgp
1
windows / applocker
1
windows / openssh
1
fortios / sslvpnd
1
juniper / bgp
1
windows / appxpackaging-om
1
windows / process_tampering
1
cisco / syslog
1
windows / smbserver-connectivity
1
windows / raw_access_thread
1
windows / smbclient-connectivity
1
linux / vsftpd
1
windows / capi2
1
windows / shell-core
1
windows / file_change
1
nodejs / application
1
paloalto / file_event / globalprotect
1
zeek / x509
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
paloalto / appliance / globalprotect
1
python / application
1
windows / file_executable_detected
1
m365 / exchange
1
zeek / rdp
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_status
1
ruby_on_rails / application
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
522
windows / registry_set
93
windows / ps_script
89
linux / process_creation
59
windows / file_event
49
windows / image_load
47
windows / wmi
29
windows / security
29
proxy
13
windows / system
13
windows / network_connection
9
windows / registry_event
8
windows / kernel-event-tracing
6
windows / dns_query
5
windows / ntfs
5
windows / ps_module
5
windows / create_remote_thread
4
windows / registry_delete
4
windows / sense
4
windows / pipe_created
4
windows / taskscheduler
4
webserver
4
windows / hyper-v-worker
3
windows / driver_load
3
macos / process_creation
3
dns
3
windows / ps_classic_script
3
windows / vhd
3
windows / application-experience
3
windows / windefend
2
windows / process_access
2
windows / bits-client
2
windows / codeintegrity-operational
2
windows / file_access
2
linux / file_event
2
windows / kernel-shimengine
2
windows / file_delete
2
windows / smbclient-security
2
linux / Linux kernel module / THOR
2
windows / amsi
1
windows / registry-setinformation
1
windows / application
1
linux / file_delete
1
windows / audit-cve
1
windows / file_rename
1
windows / firewall-as
1
windows / environment variable / THOR
1
linux / Unix user / THOR
1
windows / posh_ps
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
