currently serving 23789 YARA rules and 4468 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
MAL_Generic_Characteristic_Mar26
Detects binaries containing typical indicators related to stealers and RATs.
26.03.2026
MAL_JS_Credential_Stealer_Mar26
Detects JavaScript credential harvester related to threat actor TeamPCP
24.03.2026
SUSP_JS_Downloader_Mar26
Detects JavaScript downloading and executing an external package using popular package managers
24.03.2026
SUSP_JS_Canister_Worm_Mar26
Detects suspicious JavaScript related to the Canister worm propagating in the NPM ecosystem
23.03.2026
SUSP_PY_Canister_Worm_Mar26
Detects Python script related to Canister Worm
23.03.2026
MAL_NPM_Token_Exfiltration_Mar26
Detects JavaScript harvesting NPM tokens, possibly related to the Canister worm
23.03.2026
SUSP_JS_Systemd_Persistence_Mar26
Detects JavaScript writing systemd service configuration to disk
23.03.2026
SUSP_JS_Python_Base64_Encoded_Mar26
Detects Base64 encoded Python script in JavaScript
23.03.2026
MAL_Kernel_RegPhantom_Mar26
Detects RegPhantom, a kernel-mode rootkit that allows an attacker to inject arbitrary code from unprivileged user mode into kernel mode and execute it.
19.03.2026
HKTL_VMKatz_Mar26
Detects VMKatz, a hacktool to extract Windows credentials directly from VM memory snapshots and virtual disks
16.03.2026
HKTL_EDD_Mar26
Detects Enumerate Domain Data, a hacktool designed to be similar to PowerView but in .NET
16.03.2026
SUSP_Emmenhtal_Indicator_Mar26
Detects a backdoor loader distributing commodity infostealers worldwide
16.03.2026
SUSP_OBFUSC_PS1_Reverse_Shell_Indicators_Mar26
Detects expressions used in PowerShell payloads generated by a reverse shell generator
16.03.2026
MAL_LNX_ELF_Lib_Mar26
Detects unknown malicious ELF library (process injection indicators)
16.03.2026
SUSP_Process_Injection_Marker_Mar26
Detects a marker string used in process injection attempts, which could indicate an attempt to inject code into another process for malicious purposes. Note: This detection is based on a specific string pattern and should be considered a clue rather than conclusive evidence of malicious activity.
16.03.2026
MAL_Stealer_ZIP_Export_Mar26
Detects Nyx stealer malware exports in ZIP files
16.03.2026
HKTL_WebClientRelayUp_Mar26
Detects WebClientRelayUp, a universal no-fix local privilege escalation in domain-joined Windows workstations in default configuration.
16.03.2026
HKTL_RegPwn_Mar26
Detects RegPwn, a hacktool to exploit Windows LPE CVE-2026-24291
16.03.2026
APT_MAL_AppleChris_Mar26
Detects AppleChris backdoor used by CL-STA-1087
16.03.2026
MAL_LNK_File_With_PE_Content_Mar26
Detects Windows shortcut (.lnk) files that contain portable executable (PE) content, indicating possible malware delivery.
12.03.2026
MAL_MacOS_Shub_Stealer_Mar26
Detects Shub stealer, which harvests browser cookies, keychain items, and file metadata, encodes the data in Base64, and exfiltrates it to a remote C2 server via HTTP POST requests
11.03.2026
MAL_FireRain_RAT_Mar26
Detects FireRain RAT written in Go that uses KCP-over-UDP encrypted C2 with remote desktop, hidden shell, file transfer, and Startup folder hijack persistence
10.03.2026
SUSP_ControlFlow_Obfuscation_Mar26
Detects control flow obfuscation with opaque predicates commonly used in malware such as Silver Dragon
10.03.2026
HKTL_Flashingestor_Mar26
Detects flashingestor, a Go based hacktool for Active Directory collection
09.03.2026
SUSP_MacOS_AppleScript_Curl_Command_Mar26
Detects suspicious macOS AppleScript code executing curl via 'do shell script', often used by malware to retrieve remote C2 domains or payloads.
09.03.2026
MAL_Bibi_Wiper_Mar26
Detects BibiWiper that encrypts files, overwrites disk with random data, and destroys the MBR to render systems unbootable
09.03.2026
SUSP_OBFUSC_Base64_WAR_Mar26
Detects base64 encoded WAR files, which is unusual and could be part of a POC or attack in which the WAR file (usually a web shell) is obfuscated to evade detection. Note: This detection is based on common characteristics typically associated with the mentioned threats; it must be considered a clue and does not conclusively prove maliciousness.
08.03.2026
SUSP_PS1_Loader_Mar26
Detects obfuscated PowerShell execution via Invoke-Expression with nested parentheses, web content retrieval using UseBasicParsing with string replacement for payload reconstruction, and base64-encoded JavaScript
06.03.2026
MAL_Moonrise_RAT_Mar26
Detects MoonRise RAT which is a remote access trojan that provides attackers with unauthorized access and control over infected systems, often used for espionage, data theft, and other malicious activities.
05.03.2026
MAL_PY_Stealer_Mar26
Detects a Python-based infostealer that targets browsers, decrypts saved passwords and credit card data, and exfiltrates them to a remote C2 server
05.03.2026

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_PS1_Characteristics_Jul23_1
8
39747c56265742c57526ba47fe2cc4ef4bdcf0e99bf1cbb83fb05dea65ad8414
EXPL_PaloAlto_CVE_2024_3400_Apr24_1
10
47fa623b4598be364b2541c41116cf71afeb97d13f18c7dc6f0f2464d48d3a05
EXPL_POC_SpringCore_0day_Indicators_Mar22_1
10
47fa623b4598be364b2541c41116cf71afeb97d13f18c7dc6f0f2464d48d3a05
EXPL_CVE_2020_0796_Keywords
10
47fa623b4598be364b2541c41116cf71afeb97d13f18c7dc6f0f2464d48d3a05
SUSP_Go_Process_Injection_Indicators_Jan23
10
47fa623b4598be364b2541c41116cf71afeb97d13f18c7dc6f0f2464d48d3a05
SUSP_shellpop_Bash
10
47fa623b4598be364b2541c41116cf71afeb97d13f18c7dc6f0f2464d48d3a05
EXPL_SonicWall_VisualDoor_Jan21_1
10
47fa623b4598be364b2541c41116cf71afeb97d13f18c7dc6f0f2464d48d3a05
HKTL_DoublePulsar_Shellcode
10
47fa623b4598be364b2541c41116cf71afeb97d13f18c7dc6f0f2464d48d3a05
PUA_ConnectWise_ScreenConnect_Mar23
12
b9fea31e5f76a1deb04be05e791665f2378e9be6f48b59c9c6e5b245502b1cfa
PUA_ConnectWise_ScreenConnect_Mar23
10
1a92f2e1f2d82573cbd5c8c3e04f91f691a86faaa5ca0f6f1440452ab597009c
MAL_OBFUSC_Shell_Dropper_Dec25
13
0bf03ff8b111c8bee47f9436bffd7a03fa80fcd2b2fc80d72d8c4ad48193a779
MAL_NET_AsyncRAT_Nov25
8
cf4a3ed0ac85ded9d0f82d0baff7f6446eb39d19d68392cb030b4d87c53606b2
MAL_BAT_PS1_Loader_Sep25
8
b672b0d01d92e104cbcd4045927b61aa75c4e9527e067aa14ca12634fb5732ce
SUSP_JS_Canister_Worm_Mar26
7
158091ec92a3a91d7d2d29e6b867d47479d624bcae5f067cc80af4eff91c9729
SUSP_Commands_Disabling_Windows_Firewall_Jul23
2
6ae12f4bef213551223727304e4b85356102cf01a38cbff7bcb72ef9f2853f3f
SUSP_WEBSHELL_Eval_ChinaChopper_Oct20
6
15fd1797d64ab0f57cee3be1dc123f0e4873c40b316d5a2d306aba21b9ce6ad1
WEBSHELL_PHP_Generic_Eval
6
15fd1797d64ab0f57cee3be1dc123f0e4873c40b316d5a2d306aba21b9ce6ad1
WEBSHELL_PHP_Generic
6
15fd1797d64ab0f57cee3be1dc123f0e4873c40b316d5a2d306aba21b9ce6ad1
MAL_Webshell_Citrix_CVE_2023_3519_Aug23_1
6
15fd1797d64ab0f57cee3be1dc123f0e4873c40b316d5a2d306aba21b9ce6ad1
WEBSHELL_suspEval_Mar20
6
15fd1797d64ab0f57cee3be1dc123f0e4873c40b316d5a2d306aba21b9ce6ad1

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can belong to 'n' categories)

Tag | Count
Malware | 7521
Threat Hunting (not subscribable, only in THOR scanner) | 5835
APT | 5055
Hacktools | 4838
Webshells | 2400
Exploits | 722

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Critical Log File Deletion on Linux System
Detects deletion of critical log files on Linux systems that may indicate log tampering or evidence destruction. This technique can be used by attackers to cover their tracks after gaining unauthorized access to a system.
26.03.2026
Critical Log Manipulation via Sed Utility
Detects critical log manipulation attempts using the sed utility with in-place editing on sensitive log files. This technique can be used by attackers to cover their tracks after gaining unauthorized access to a system.
26.03.2026
Disable Input Devices via Disable-PnpDevice - ScriptBlock
Detects usage of the Disable-PnpDevice PowerShell cmdlet to disable input devices such as keyboards and mice. Adversaries may disable input devices to prevent user interaction with the system, facilitating further malicious activities without interruption. This technique can be part of a broader strategy to maintain persistence or evade detection by hindering user access.
22.03.2026
Disable Input Devices via Disable-PnpDevice
Detects usage of the Disable-PnpDevice PowerShell cmdlet to disable crucial input devices such as keyboards and mice. Adversaries may disable input devices to prevent user interaction with the system, facilitating further malicious activities without interruption. This technique can be part of a broader strategy to maintain persistence or evade detection by hindering user access.
22.03.2026
Disabling of an Input Device
Detects the disabling of critical input devices such as keyboard and mouse, which may indicate malicious activity aimed at preventing user interaction with the system. Threat actors may disable input devices during attacks to maintain persistence and prevent users from interrupting malicious operations or accessing security tools. This technique is often observed in ransomware attacks and data exfiltration scenarios where attackers seek to minimize user interference. To verify whether the disabling was legitimate or part of an attack, further investigation into the context and source of the action is recommended.
22.03.2026
OneDrive Execution From Suspicious Location
Detects OneDrive.exe being executed from a non-standard location, which may indicate a masqueraded malicious binary. Adversaries often rename their malicious executables to 'OneDrive.exe' to blend in with legitimate system activity and evade detection.
16.03.2026
Suspicious Process Masquerading as OneDrive
Detects a suspicious process masquerading as the OneDrive executable. This technique can be used by attackers to evade detection by running malicious processes under the guise of a legitimate application.
16.03.2026
Suspicious DNS Lookup and Execution Pattern
Detects suspicious command line patterns involving 'nslookup' piped to 'findstr' with a subsequent 'for' loop, which may indicate an attempt to query DNS for second-stage payloads and execute them. This technique can be used by adversaries to leverage DNS as a covert command and control channel, allowing them to retrieve and execute malicious payloads without directly connecting to an external server.
16.03.2026
Obfuscated Node.js Execution via CommandLine - Linux
Detects the execution of Node.js with the '--eval' flag, where the provided script contains common obfuscation patterns.
10.03.2026
Obfuscated Node.js Execution via CommandLine
Detects the execution of Node.js with the '--eval' flag, where the provided script contains common obfuscation patterns.
10.03.2026
Netsh Advfirewall Isolate Network
Detects execution of netsh.exe commands that modify Windows Advanced Firewall settings to block both inbound and outbound traffic, effectively isolating the system from network communication. This technique may be used by attackers to evade detection, prevent remediation, or disrupt incident response activities.
20.02.2026
ICACLS Deny Permission Abuse
Detects execution of icacls.exe with deny arguments targeting broad principals such as Everyone or Administrators, which may indicate malicious permission tampering.
20.02.2026
Suspicious Child Processes Spawned by AMMYYAdmin
Detects suspicious child processes spawned by the AMMYYAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AeroAdmin
Detects suspicious child processes spawned by the AeroAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Chrome Remote Desktop
Detects suspicious child processes spawned by the Chrome Remote Desktop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by LogMeIn
Detects suspicious child processes spawned by the LogMeIn process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by RemotePC
Detects suspicious child processes spawned by the RemotePC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by TightVNC
Detects suspicious child processes spawned by the TightVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by TeamViewer
Detects suspicious child processes spawned by the TeamViewer process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Splashtop
Detects suspicious child processes spawned by the Splashtop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Remote Utilities
Detects suspicious child processes spawned by the Remote Utilities process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AnyDesk
Detects suspicious child processes spawned by the AnyDesk process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by UltraVNC
Detects suspicious child processes spawned by the UltraVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by SlashTop
Detects suspicious child processes spawned by the SlashTop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by ZohoAssist
Detects suspicious child processes spawned by the ZohoAssist process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by ScreenConnect
Detects suspicious child processes spawned by the ScreenConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by VNCConnect
Detects suspicious child processes spawned by the VNCConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
File Operation via .NET Class
Detects the use of a .NET method in command lines, which could be used for unauthorized file operations such as copying files. It could indicate suspicious activity because there are many normal ways to copy files in Windows, so an adversary may use this rarely used method to avoid detection.
06.02.2026
Suspicious Linux Command Patterns
Detects suspicious command line patterns that may indicate malicious activity such as decoding base64 content to files in some folder and executing it.
05.02.2026
Suspicious Download and Execution Combo in Linux
Detects suspicious command line patterns where a download command line utility is executed in combination with other suspicious command line utilities. This could indicate potential malicious activity such as downloading a file followed by other actions like decoding it, changing its permissions, executing it, or creating persistence.
05.02.2026

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2718 | 21071
Sigma | 3540 | 928

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1331
windows / registry_set
219
windows / file_event
206
windows / ps_script
165
windows / security
160
linux / process_creation
131
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
68
aws / cloudtrail
55
proxy
54
windows / network_connection
53
linux / auditd
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
rpc_firewall / application
17
windows / windefend
16
github / audit
16
linux
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
linux / file_event
13
windows / file_delete
13
cisco / aaa
12
windows / create_remote_thread
12
windows / codeintegrity-operational
10
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / ps_classic_start
9
dns
9
windows / appxdeployment-server
9
windows / create_stream_hash
9
windows / firewall-as
8
windows / msexchange-management
8
gcp / google_workspace.admin
7
antivirus
7
fortigate / event
7
windows / file_access
7
azure / pim
7
windows / bits-client
7
zeek / smb_files
7
windows / dns-client
6
zeek / dns
5
linux / network_connection
5
zeek / http
5
jvm / application
5
kubernetes / audit
5
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
m365 / audit
3
macos / file_event
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / registry_add
3
linux / sshd
3
linux / syslog
2
windows / security-mitigations
2
spring / application
2
windows / dns-server
2
apache
2
onelogin / onelogin.events
2
firewall
2
windows / file_executable_detected
1
python / application
1
windows / diagnosis-scripted
1
windows / sysmon_status
1
m365 / exchange
1
zeek / rdp
1
windows / smbclient-security
1
windows / file_rename
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
ruby_on_rails / application
1
m365 / threat_detection
1
windows / driver-framework
1
sql / application
1
cisco / duo
1
windows
1
linux / sudo
1
velocity / application
1
cisco / bgp
1
nginx
1
windows / dns-server-analytic
1
cisco / ldp
1
windows / ldap
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
windows / printservice-operational
1
database
1
linux / clamav
1
windows / lsa-server
1
django / application
1
linux / auth
1
linux / guacamole
1
windows / appmodel-runtime
1
fortios / sslvpnd
1
linux / cron
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
cisco / syslog
1
huawei / bgp
1
windows / appxpackaging-om
1
windows / process_tampering
1
windows / smbclient-connectivity
1
windows / smbserver-connectivity
1
paloalto / file_event / globalprotect
1
linux / vsftpd
1
zeek / x509
1
windows / capi2
1
windows / shell-core
1
windows / file_change
1
windows / raw_access_thread
1
nodejs / application
1
paloalto / appliance / globalprotect
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
447
windows / ps_script
84
windows / registry_set
83
windows / file_event
46
windows / image_load
46
linux / process_creation
43
windows / wmi
29
windows / security
26
proxy
12
windows / system
11
windows / registry_event
8
windows / network_connection
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / create_remote_thread
4
windows / registry_delete
4
windows / sense
4
windows / pipe_created
4
windows / taskscheduler
4
windows / application-experience
3
windows / driver_load
3
windows / hyper-v-worker
3
windows / ps_classic_script
3
webserver
3
windows / vhd
3
windows / windefend
2
windows / process-creation
2
windows / dns_query
2
windows / codeintegrity-operational
2
windows / file_access
2
windows / bits-client
2
windows / file_delete
2
windows / kernel-shimengine
2
linux / file_event
2
macos / process_creation
2
windows / process_access
2
windows / audit-cve
1
windows / amsi
1
windows / registry_add
1
windows / firewall-as
1
windows / registry-setinformation
1
windows / file_rename
1
linux / file_delete
1
windows / application
1
dns
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html