Valhalla
currently serving 23697 YARA rules and 4454 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
HKTL_Titus_Secret_Scanner_Feb26 | Detects Titus, a CLI secrets scanner | 23.02.2026
SUSP_Veeam_Password_Decrypt_Feb26 | Detects suspicious PowerShell scripts that contain commands to handle Veeam passwords | 23.02.2026
HKTL_BYOVD_Process_Killer_Feb26 | Detects a BYOVD process killer that can kill some uncommon EDRs | 23.02.2026
MAL_DLL_Dropper_Feb26 | Detects a DLL that drops and opens a decoy PDF | 23.02.2026
MAL_MacOS_Stealer_Feb26 | Detects a macOS stealer variant which uses simple XOR string obfuscation and shell-based data exfiltration techniques | 19.02.2026
EXPL_CVE_2026_20817_Werfault_LPE_Feb26 | Detects a proof-of-concept for CVE-2026-20817, a local privilege escalation vulnerability in Windows Error Reporting (WER) that allows an attacker to gain elevated privileges | 19.02.2026
SUSP_JS_Script_Feb26 | Detects suspicious JavaScript code that constructs and executes a script using character codes, often used by malware to obfuscate malicious scripts and evade detection | 18.02.2026
MAL_BADIIS_Loader_Feb26_1 | Detects a DLL that stages the BADIIS IIS native modules and alters the IIS configuration to load them into the request pipeline of the DefaultAppPool | 18.02.2026
MAL_OBFUSC_JS_Regex_Replace_Feb26 | Detects obfuscated JavaScript code that uses regex replacement to remove characters from strings, seen being used to run malicious PowerShell scripts | 17.02.2026
MAL_SilentRift_Feb26 | Detects SilentRift, a quantum-resistant encrypter and in-memory loader | 17.02.2026
MAL_VBA_Hex_Dropper_Feb26 | Detects a malicious VBA macro that decodes a hex payload, drops it to the Downloads folder and executes it, seen being used by the MuddyWater APT group | 17.02.2026
PUA_D_Shield_Feb26 | Detects D-Shield Firewall, software that provides additional security features for IIS servers, including preventive protections and capabilities to add network restrictions | 17.02.2026
MAL_BADIIS_Loader_Feb26_2 | Detects an executable that configures a ServiceDLL that deploys BADIIS IIS | 17.02.2026
MAL_Shellcode_Loader_Feb26 | Detects an unknown shellcode loader | 15.02.2026
MAL_LNX_Cobaltstrike_Beacon_Feb26 | Detects a Linux beacon written in C that communicates with the Cobalt Strike team server using the HTTP/S protocol | 15.02.2026
MAL_Muddy_Water_Unknown_Backdoor_Feb26 | Detects an unknown backdoor used by the MuddyWater APT group and presented as an AnyDesk utility | 15.02.2026
HKTL_ElephantPoint_Feb26 | Detects ElephantPoint, a tool to find sensitive data in MS SharePoint | 15.02.2026
HKTL_SnaffPoint_Feb26 | Detects SnaffPoint, a tool to find sensitive data in MS SharePoint | 15.02.2026
MAL_Encoded_Loader_Payload_Feb26 | Detects files containing an encoded PE loader used to load XWorm malware, Katz Stealer and other malware | 13.02.2026
MAL_Shellcode_Loader_Feb26_2 | Detects shellcode delivered via an OLE object as part of a CVE-2018-0802 exploit, which downloads and executes second-stage payloads in memory | 13.02.2026
EXPL_CVE_2019_11580_Feb26 | Detects exploitation indicators of CVE-2019-11580 in Atlassian Jira, related to unauthorized plugin upload and remote code execution via the Widget Connector vulnerability | 12.02.2026
EXPL_CVE_2026_1731_Feb26 | Detects exploitation indicators of unsanitized arithmetic evaluation in the BeyondTrust RS/PRA pre-auth remote access interface (CVE-2026-1731) | 12.02.2026
SUSP_EXPL_Thin_Scc_Wrapper_Feb26 | Detects artifacts indicative of interaction with the BeyondTrust RS/PRA pre-auth remote access interface linked to CVE-2024-12356 and CVE-2026-1731. A match suggests the system either handled legitimate remote-support traffic or was probed by scanners/attackers; it does not by itself confirm successful exploitation and should be correlated with source context and any follow-on payload or post-compromise activity | 12.02.2026
LOG_EXPL_Thin_Scc_Wrapper_Feb26 | Detects suspicious indicators in web server logs which may indicate exploitation of the BeyondTrust RS/PRA pre-auth remote access interface linked to CVE-2024-12356 and CVE-2026-1731. A match suggests the system either handled legitimate remote-support traffic or was probed by scanners/attackers; it does not by itself confirm successful exploitation and should be correlated with source context and any follow-on payload or post-compromise activity | 12.02.2026
LOG_EXPL_CVE_2024_12356_Feb26 | Detects log entries indicating potentially successful exploitation of CVE-2024-12356 (unauthenticated RCE). The error message could also be caused by invalid queries executed by a legitimate user | 12.02.2026
PUA_HKTL_WebSocat_Feb26 | Detects the WebSocat tool, a command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions. It can be used for various purposes, including testing WebSocket servers, creating WebSocket tunnels, and performing security assessments | 12.02.2026
MAL_RANSOM_0Apt_Feb26 | Detects 0APT ransomware | 12.02.2026
MAL_Diaoyu_Loader_Feb26 | Detects the Diaoyu loader, which loads encrypted payloads and drops them for execution | 11.02.2026
MAL_Loader_Feb26_3 | Detects a loader that decrypts and loads Cobalt Strike payloads, seen being used by Shadow Campaigns | 11.02.2026
SUSP_UAC_Bypass_Feb26 | Detects suspicious usage of fodhelper.exe and DelegateExecute for UAC bypass techniques commonly employed by malware for privilege escalation | 11.02.2026

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest average AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash
SUSP_ELF_LNX_UPX_Compressed_File_Dec18 | 1 | 5e746047cc554099cfe1d138be53ec5a25d38436cdf917bc354d0bbaeb3f9ec8
SUSP_ELF_LNX_UPX_Compressed_File_Dec18 | 9 | 623f6eab78c376706bd910709c58f7c8e6a7267c7402aabed0215b26f2783f90
SUSP_HKTL_Gen_Pattern_Feb25_2 | 2 | 2729fd6b9a050f870aeae6e375864ab68fb56fa8c32e48fc1c42359e1db85d86
MAL_PS1_DefendNot_Execution_Indicator_Jun25 | 1 | 8f4f39cc684d05d14ef45a4da2b933b17952ee7bfb393caa86048f1a752ec3e2
SUSP_Doc_with_PowerShell_Download | 1 | 8f4f39cc684d05d14ef45a4da2b933b17952ee7bfb393caa86048f1a752ec3e2
SUSP_Protonmail_Executable_Nov20 | 2 | 3771a8cf2052b0f4a0e4c3d8c4ba48455d019102af35fcb3c738c717955c7834
SUSP_PyInstaller_Gen_Pattern_Feb25 | 3 | d26bd68ab65f8de4e6c12f9140faf3acaf53cdac3236db3491f2ebf8df667100
SUSP_DiscordApp_Attachments_Combo_Mar23_1 | 1 | 5a5efcda45347f7ebd0c781e8f3aafa8e404c25eb9beb15593a96bb2e1e1c696
SUSP_Keywords_EDR_Fingerprinting_Feb22_1 | 1 | 5a5efcda45347f7ebd0c781e8f3aafa8e404c25eb9beb15593a96bb2e1e1c696
SUSP_PS1_Suspicious_Indicators_Jul21_1 | 1 | 5a5efcda45347f7ebd0c781e8f3aafa8e404c25eb9beb15593a96bb2e1e1c696
SUSP_Credential_Stealer_Indicators_Jul23_2 | 1 | 5a5efcda45347f7ebd0c781e8f3aafa8e404c25eb9beb15593a96bb2e1e1c696
SUSP_FromBase64String_PAYLOAD_Combo | 1 | 5a5efcda45347f7ebd0c781e8f3aafa8e404c25eb9beb15593a96bb2e1e1c696
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1 | f54b779ec4012b0dfc9ad48d574cdc6ecd2a426e0f7ca596402336f08824cb8f
SUSP_ELF_Go_OBFUSC_Binary_Dec22_1 | 3 | cf53a447c82ce9bdbf5535a13e27e24783ac1182fa1bd5ab269ecef25eb2db59
SUSP_Go_OBFUSC_Pattern_Jan23_2 | 3 | cf53a447c82ce9bdbf5535a13e27e24783ac1182fa1bd5ab269ecef25eb2db59
SUSP_HKTL_Gen_Pattern_Feb25_2 | 3 | 4bd7ad913adc20692961a6f5e6e46fd9a4051948356a167f4d57e1c4e5d22f1d
SUSP_HKTL_Gen_Pattern_Feb25 | 3 | 4bd7ad913adc20692961a6f5e6e46fd9a4051948356a167f4d57e1c4e5d22f1d
SUSP_NET_Shellcode_Loader_Indicators_Jan24 | 4 | c3890e39105282f71011d8d825db24bbc8b7d69b7d093a85010ed4d0c95fb812
Suspicious_String_Ransomware | 12 | 705dcf0b99931fc645958c5e765f23f65dab7619929aa521ce73c2905c3853ff
SUSP_Defender_Disable_AV_Scanning | 12 | 705dcf0b99931fc645958c5e765f23f65dab7619929aa521ce73c2905c3853ff

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag | Count
Malware | 7481
Threat Hunting (not subscribable, only in THOR scanner) | 5792
APT | 5054
Hacktools | 4825
Webshells | 2398
Exploits | 722

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Suspicious Child Processes Spawned by Chrome Remote Desktop | Detects suspicious child processes spawned by the Chrome Remote Desktop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by ScreenConnect | Detects suspicious child processes spawned by the ScreenConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by AnyDesk | Detects suspicious child processes spawned by the AnyDesk process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by SlashTop | Detects suspicious child processes spawned by the SlashTop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by AeroAdmin | Detects suspicious child processes spawned by the AeroAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by Splashtop | Detects suspicious child processes spawned by the Splashtop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by AMMYYAdmin | Detects suspicious child processes spawned by the AMMYYAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by TeamViewer | Detects suspicious child processes spawned by the TeamViewer process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by Remote Utilities | Detects suspicious child processes spawned by the Remote Utilities process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by RemotePC | Detects suspicious child processes spawned by the RemotePC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by TightVNC | Detects suspicious child processes spawned by the TightVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by UltraVNC | Detects suspicious child processes spawned by the UltraVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by VNCConnect | Detects suspicious child processes spawned by the VNCConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by LogMeIn | Detects suspicious child processes spawned by the LogMeIn process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
Suspicious Child Processes Spawned by ZohoAssist | Detects suspicious child processes spawned by the ZohoAssist process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities. | 11.02.2026
File Operation via .NET Class | Detects the use of a .NET method in command lines which could be used for unauthorized file operations such as copying files. It could indicate suspicious activity because there are many normal ways to copy files in Windows, so an adversary may use this rarely used method to avoid detection. | 06.02.2026
Suspicious Double Extension Files in Linux | Detects files with double extensions on Linux systems, which could be an attempt to disguise executable content as harmless documents. | 05.02.2026
Suspicious Linux Command Patterns | Detects suspicious command line patterns that may indicate malicious activity, such as decoding base64 content to files in some folder and executing it. | 05.02.2026
Suspicious Double Extension File Execution on Linux | Detects suspicious use of executable extensions like .sh, .py or .pl after a non-executable file extension to disguise malicious files in Linux environments. | 05.02.2026
Suspicious Download and Execution Combo in Linux | Detects suspicious command line patterns where a download command line utility is executed in combination with other suspicious command line utilities. This could indicate potential malicious activity such as downloading a file and performing various other actions like decoding it, changing its permissions, executing it or creating persistence. | 05.02.2026
Suspicious Base64 Encoded IP in PowerShell Execution | Detects PowerShell script blocks that contain base64-encoded IP addresses, a technique commonly used for obfuscation and defense evasion. Threat actors may leverage this method to download and execute secondary payloads from IP addresses, often their command and control (C2) servers or other malicious infrastructure. By encoding these URLs in base64 within PowerShell commands, adversaries attempt to bypass detection mechanisms and evade user scrutiny. This rule helps identify suspicious activity where PowerShell is used to retrieve content from IPs via base64-encoded strings, which is rarely seen in legitimate software. | 04.02.2026
Suspicious Base64 Encoded IP in Command Line | Detects processes with command lines containing base64-encoded IP addresses, which may indicate obfuscation or evasion attempts. Threat actors often host their secondary malicious payloads on IP addresses, potentially their C&C servers or other hosting infrastructure. To download these malicious payloads, the malware dropper technique involves downloading and executing a secondary payload from an IP address, and to obscure the command line from normal user scrutiny, threat actors may encode their script or command line arguments in base64 to download and execute the secondary payload. | 04.02.2026
Uncommon File Created by Notepad++ Updater Gup.EXE | Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files. | 03.02.2026
Tiny C Compiler Runtime Execution | Detects execution of the Tiny C Compiler (TCC), which compiles and executes C code directly in memory. This technique was observed in Chrysalis backdoor campaigns where attackers renamed tcc.exe to svchost.exe and used it to load shellcode from .c files directly into memory, bypassing traditional detection methods. | 03.02.2026
Renamed TinyCC (TCC) Compiler Execution | Detects the execution of a renamed TinyCC (TCC) compiler (tcc.exe). Attackers have been observed renaming tcc.exe to masquerade as legitimate Windows binaries (e.g., svchost.exe) to compile and execute malicious C code in memory, such as shellcode loaders. This technique was observed in Chrysalis backdoor attacks. | 03.02.2026
Suspicious Child Process of Notepad++ Updater - GUP.Exe | Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware. | 03.02.2026
Reflective Loading from Masqueraded File - PowerShell | Detects a PowerShell scriptblock pattern where a masqueraded file (e.g., a .png) is read into a byte array and then reflectively loaded as a .NET assembly. This technique is used by various threat actors to evade file-based detections. | 02.02.2026
Reflective Loading from Masqueraded File | Detects a PowerShell command pattern where a masqueraded file (e.g., a .png) is read into a byte array and then reflectively loaded as a .NET assembly. This technique is used by various threat actors to evade file-based detections. | 02.02.2026
Notepad++ Updater DNS Query to Uncommon Domains | Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation. | 02.02.2026
CLSID DefaultIcon Value Tampering | Detects potential COM object hijacking. Adversaries have used the CLSID DefaultIcon value to reference malicious payloads, encrypted payloads, or to conceal payload execution paths as part of defense-evasion and persistence chains. | 31.01.2026

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2719 | 20978
Sigma | 3540 | 914

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1331
windows / registry_set | 219
windows / file_event | 206
windows / ps_script | 165
windows / security | 160
linux / process_creation | 131
windows / image_load | 114
webserver | 82
windows / system | 74
macos / process_creation | 68
aws / cloudtrail | 55
proxy | 54
windows / network_connection | 53
linux / auditd | 53
azure / activitylogs | 42
windows / registry_event | 40
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 31
windows / dns_query | 27
windows / process_access | 25
azure / signinlogs | 24
okta / okta | 22
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
rpc_firewall / application | 17
windows / windefend | 16
github / audit | 16
linux | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
linux / file_event | 13
windows / file_delete | 13
cisco / aaa | 12
windows / create_remote_thread | 12
windows / driver_load | 10
windows / registry_delete | 10
kubernetes / application / audit | 10
windows / codeintegrity-operational | 10
windows / ps_classic_start | 9
dns | 9
windows / appxdeployment-server | 9
windows / create_stream_hash | 9
windows / firewall-as | 8
windows / msexchange-management | 8
antivirus | 7
fortigate / event | 7
windows / file_access | 7
azure / pim | 7
windows / bits-client | 7
gcp / google_workspace.admin | 7
zeek / smb_files | 7
windows / dns-client | 6
jvm / application | 5
kubernetes / audit | 5
zeek / dns | 5
linux / network_connection | 5
zeek / http | 5
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
windows / sysmon | 4
macos / file_event | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
windows / registry_add | 3
m365 / audit | 3
windows / dns-server | 2
spring / application | 2
apache | 2
onelogin / onelogin.events | 2
firewall | 2
linux / syslog | 2
windows / security-mitigations | 2
ruby_on_rails / application | 1
m365 / threat_detection | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_error | 1
windows / sysmon_status | 1
windows / driver-framework | 1
windows | 1
sql / application | 1
linux / sudo | 1
velocity / application | 1
cisco / duo | 1
cisco / bgp | 1
nginx | 1
windows / dns-server-analytic | 1
cisco / ldp | 1
windows / wmi | 1
windows / printservice-admin | 1
windows / ldap | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
database | 1
linux / clamav | 1
windows / lsa-server | 1
linux / auth | 1
linux / guacamole | 1
windows / appmodel-runtime | 1
django / application | 1
fortios / sslvpnd | 1
huawei / bgp | 1
windows / applocker | 1
windows / openssh | 1
cisco / syslog | 1
linux / cron | 1
juniper / bgp | 1
windows / appxpackaging-om | 1
windows / process_tampering | 1
windows / smbclient-connectivity | 1
windows / smbserver-connectivity | 1
paloalto / file_event / globalprotect | 1
zeek / x509 | 1
windows / capi2 | 1
windows / shell-core | 1
windows / file_change | 1
windows / raw_access_thread | 1
paloalto / appliance / globalprotect | 1
windows / certificateservicesclient-lifecycle-system | 1
nodejs / application | 1
linux / vsftpd | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
python / application | 1
windows / smbclient-security | 1
m365 / exchange | 1
zeek / rdp | 1
windows / diagnosis-scripted | 1
windows / file_rename | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 438
windows / registry_set | 83
windows / ps_script | 83
windows / file_event | 46
windows / image_load | 46
linux / process_creation | 41
windows / wmi | 29
windows / security | 25
proxy | 12
windows / system | 11
windows / registry_event | 8
windows / network_connection | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / pipe_created | 4
windows / sense | 4
windows / taskscheduler | 4
windows / create_remote_thread | 4
windows / registry_delete | 4
webserver | 3
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / vhd | 3
windows / application-experience | 3
windows / driver_load | 3
windows / bits-client | 2
windows / file_delete | 2
windows / file_access | 2
windows / dns_query | 2
windows / kernel-shimengine | 2
linux / file_event | 2
macos / process_creation | 2
windows / process_access | 2
windows / windefend | 2
windows / process-creation | 2
windows / codeintegrity-operational | 2
windows / firewall-as | 1
windows / registry-setinformation | 1
windows / file_rename | 1
dns | 1
windows / application | 1
windows / amsi | 1
windows / audit-cve | 1
windows / registry_add | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html