currently serving 22534 YARA rules and 4157 Sigma rules
API Key
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
MAL_WMIC_Format_Downloader_Jun25
Detects executables that use WMIC to download XLS files with second-stage payload
11.06.2025
SUSP_WMIC_Format_Downloader_Jun25
Detects suspicious files that use WMIC to potentially load second-stage payload
11.06.2025
EXPL_ZIP_LibraryMS_CVE_2025_24071_Jun25
Detects suspicious ZIP archive that contains a .library-ms file which could be exploiting CVE-2025-24071
10.06.2025
EXPL_ZIP_Attachments_LibraryMS_CVE_2025_24071_Jun25
Detects suspicious base64 encoded ZIP archive that contains a .library-ms file which could be exploiting CVE-2025-24071
10.06.2025
MAL_LNX_Stealer_Jun25
Detects a Linux stealer that collects sensitive information from the system and performs persistence.
10.06.2025
MAL_DDOS_Amplification_Strings_Jun25
Detects hardcoded strings used in DDoS amplification attacks.
06.06.2025
MAL_PathWiper_Jun25
Detects PathWiper, a wiper malware deployed against Ukrainian critical infrastructure, sharing capabilities with HermeticWiper.
06.06.2025
MAL_Geass_Beacon_Jun25
Detects ProjectGeass beacon, a cross-platform post-exploitation toolkit used by attackers to maintain control over infected hosts.
06.06.2025
MAL_Bootkit_Jun25
Detects Bootkit that uses an unsecured kernel driver to install a GRUB 2 bootloader.
06.06.2025
APT_RESURGE_Activity_Forensic_Artifacts_Ivanti_Jun25
Detects Resurge malware activity associated with Ivanti Connect Secure vulnerabilities
04.06.2025
MAL_LNX_RESURGE_Jun25
Detects RESURGE backdoor dropper malware associated with Ivanti Connect Secure vulnerabilities
04.06.2025
APT_WEBSHELL_PL_RESURGE_Activity_Ivanti_Jun25
Detects webshell dropped by Resurge malware associated with Ivanti Connect Secure vulnerabilities
04.06.2025
HKTL_CloudFox_Jun25
Detects CloudFox hack tool, which is used for reconnaissance and exploitation in cloud environments.
02.06.2025
MAL_Minecraft_RAT_Jun25
Detects malware named Minecraft RAT that includes credential stealing, data exfiltration and remote control capabilities.
02.06.2025
SUSP_Manticore_Offensive_Lib_Jun25
Detects Go based binaries using the offensive libraries by the Manticore Project
02.06.2025
MAL_LNX_Helios_Botnet_Jun25
Detects Helios botnet Linux malware that targets IoT devices.
02.06.2025
HKTL_Azure_Access_Permissions_Jun25
Detects Azure Access Permissions hack tool, a script to enumerate access permissions of a user's Azure Active Directory home tenant.
02.06.2025
MAL_LNX_Mirai_Variant_Jun25
Detects Mirai Linux botnet based on the presence of specific network related strings
02.06.2025
MAL_LNX_Xored_Wordlist_Jun25
Detects ELF files containing an XOR-obfuscated list of default passwords used in network devices. This is most commonly associated with worms.
02.06.2025
SUSP_Renamed_Encoded_ASCII_Characters_Jun25
Detects scripts that contain a large amount of renamed encoded ASCII characters, instead of using a function like Char(), the script uses it's own function to do the conversion
01.06.2025
APT_MAL_Sideload_DLL_Jun25
Detects loader that sideload a DLL and open PDF as a decoy as seen being used by APT32
01.06.2025
APT_MAL_Loader_Jun25
Detects a loader that involves function hooking and patching of a DLL in memory, as well as a multi-stage sequence of shellcodes that leads to the execution of the final payload in memory. seen being used by APT32
01.06.2025
SUSP_LNK_Self_Modification_Indicators_May25
Detects LNK files containing a suspicious combination of commands related to self modifying files. These often appear in loaders used for initial infection. A match warrants further analysis.
30.05.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
PUA_ConnectWise_ScreenConnect_Mar23
12
e5cc17a3a8b7cfe2f53ad548456922c78468f31a7988a65a15026544af80a57d
SUSP_ELF_LNX_UPX_Compressed_File_DeepEval
10
e74229d713236f5eceb9c63d73bdeba7cd6db3edc12418b47a4209d538e3ecb1
SUSP_Encoded_PS_Unicode_GetBytes
10
307526f680dd1c60899e495010951f362449884ab61efa5d8708705c637ea2fe
SUSP_OBFUSC_Base64_DLL_Imports_Jul22_1
10
307526f680dd1c60899e495010951f362449884ab61efa5d8708705c637ea2fe
SUSP_PS1_Suspicious_Encoded_IEX_Jul21_1
10
307526f680dd1c60899e495010951f362449884ab61efa5d8708705c637ea2fe
SUSP_Encoded_NetWebclient_Download
10
307526f680dd1c60899e495010951f362449884ab61efa5d8708705c637ea2fe
SUSP_Encoded_PS_DllImport_Kernel32
10
307526f680dd1c60899e495010951f362449884ab61efa5d8708705c637ea2fe
SUSP_MSIL_NET_OBF_ConfuserEx_Constants_Jul23
1
da09b8390b18867a892b542ea5185960c47cfc42ad7de945655b46e189769951
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
6882
Threat Hunting (not subscribable, only in THOR scanner)
5435
APT
4963
Hacktools
4706
Webshells
2375
Exploits
670
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Potential Exploitation of RCE Vulnerability CVE-2025-33053
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
which involves unauthorized code execution via WebDAV through external control of file names or paths.
The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating
their working directories to point to attacker-controlled WebDAV servers, causing them to execute
malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
through Process.Start() search order manipulation.
13.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
13.06.2025
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe)
accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting
Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers
instead of legitimate system binaries. The vulnerability allows unauthorized code execution through
external control of file names or paths via WebDAV.
13.06.2025
System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
12.06.2025
HKTL - SharpSuccessor Privilege Escalation Tool Execution
Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
06.06.2025
MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
04.06.2025
RegAsm.EXE Execution Without CommandLine Flags or Files
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
04.06.2025
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
Such DNS activity can indicate potential delivery or command-and-control communication attempts.
02.06.2025
Special File Creation via Mknod Syscall
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
or establish covert channels in Linux systems.
Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
and it can be abused to bypass file system restrictions or create backdoors.
31.05.2025
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
30.05.2025
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
(4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
27.05.2025
Obfuscated PowerShell MSI Install via WindowsInstaller COM
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
27.05.2025
Disable ASLR Via Personality Syscall - Linux
Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000),
which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers
exploit development, or to bypass memory protection mechanisms.
A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption
attacks more reliable.
26.05.2025
Potential Abuse of Linux Magic System Request Key
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
23.05.2025
Registry Export of Third-Party Credentials
Detects the use of reg.exe to export registry paths associated with third-party credentials.
Credential stealers have been known to use this technique to extract sensitive information from the registry.
22.05.2025
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
This behavior is often commonly observed in credential stealing malware.
22.05.2025
DNS Query To Katz Stealer Domains
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
22.05.2025
Katz Stealer Suspicious User-Agent
Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
22.05.2025
Katz Stealer DLL Loaded
Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
The process that loads these DLLs are very likely to be malicious.
22.05.2025
DNS Query To Katz Stealer Domains - Network
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
22.05.2025
Suspicious Deno File Written from Remote Source
Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
22.05.2025
Potential AS-REP Roasting via Kerberos TGT Requests
Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.
This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
22.05.2025
PUA - Execution of TNIWinAgent for Network Discovery
Detects the execution of TNIWinAgent, a component of SoftInventive Lab's Total Network Inventory Software.
While this tool is legitimate and used for network inventory and asset management, threat actors may abuse
for network discovery or reconnaissance purposes. Monitoring its execution can help identify potential misuse in an environment.
21.05.2025
PUA - Execution of TSDService
Detects the execution of Total Software Deployment (TSD) service, a component of SoftInventive Lab's Total Network Inventory Software.
While this tool is legitimate and used for software deployment and management, threat actors have abused it for unauthorized software installation or system manipulation.
21.05.2025
Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0.
CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass,
which can then be leveraged to trigger CVE-2025-4428 — a remote code execution vulnerability through
template injection. This sequence enables unauthenticated remote code execution, significantly increasing
the impact of exploitation.
20.05.2025
VMware ESXi Process Termination via Pkill
Detects attempts to forcefully terminate VMware ESXi virtual machine processes using pkill command.
It is commonly exploited by adversaries to abruptly stop running Virtual Machine (VM) executable processes.
20.05.2025
ESXi Buffer Cache Modification via ESXCFG-ADVCFG
Detects attempts to modify ESXi buffer cache settings via esxcfg-advcfg.
The esxcfg-advcfg utility is a command-line tool in VMware ESXi that allows administrators to view and modify advanced system settings.
Adversaries may abuse this utility to manipulate buffer cache settings, potentially causing system performance degradation or preparing
for ransomware attacks. The tool can modify critical parameters like BufferCache/MaxCapacity and BufferCache/FlushInterval, which
could be exploited to impact data persistence or system performance.
20.05.2025
Deletion of Terminal History Cache
Detects the deletion of terminal history cache files, which are often targeted by adversaries attempting to erase evidence of their activities.
These cache files typically store information such as Remote Desktop Protocol (RDP) connection history, which can be valuable for forensic investigations.
By deleting these files, attackers aim to cover their tracks and hinder incident response efforts.
This behavior is commonly associated with defense evasion techniques and may indicate malicious activity, especially in environments where such deletions are uncommon.
20.05.2025
Deletion of Terminal Server Client History Registry Entries
Detects the deletion of Terminal Server Client history registry entries.
These histories contain information such as RDP connection history.
Adversaries may delete this history to cover their tracks after conducting malicious RDP activities.
20.05.2025
Windows Defender Disable Attempt Via SystemSettingsAdminFlows
Detects attempts to disable Windows Defender using SystemSettingsAdminFlows.exe, which is a legitimate utility that can be used to access and modify Windows Security settings.
Adversaries may disable Windows Defender to evade detection and bypass security protections. The use of SystemSettingsAdminFlows.exe
to disable Windows Defender features is not a common practice and if observed, it is most likely indicative of malicious activity.
19.05.2025
YARA/SIGMA Rule Count
Rule Type
Community Feed
Nextron Private Feed
Yara
3216
19318
Sigma
3393
764
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1265
windows / registry_set
202
windows / file_event
196
windows / ps_script
165
windows / security
157
linux / process_creation
119
windows / image_load
109
webserver
81
windows / system
73
macos / process_creation
65
linux / auditd
53
windows / network_connection
52
proxy
52
aws / cloudtrail
46
azure / activitylogs
43
azure / auditlogs
38
windows / registry_event
38
windows / ps_module
33
windows / application
30
windows / dns_query
24
azure / signinlogs
24
windows / process_access
23
okta / okta
22
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
m365 / threat_management
13
cisco / aaa
12
kubernetes / application / audit
10
windows / driver_load
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
windows / create_stream_hash
9
dns
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
windows / msexchange-management
8
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
windows / file_access
7
gcp / google_workspace.admin
7
windows / bits-client
7
windows / registry_delete
7
zeek / smb_files
7
windows / dns-client
6
linux / network_connection
5
jvm / application
5
kubernetes / audit
5
zeek / http
5
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
zeek / dns
4
windows / sysmon
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
m365 / audit
3
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
firewall
2
windows / file_change
2
spring / application
2
windows / security-mitigations
2
linux / syslog
2
m365 / threat_detection
1
zeek / rdp
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_status
1
database
1
zeek / kerberos
1
windows / sysmon_error
1
windows
1
windows / dns-server-analytic
1
windows / driver-framework
1
windows / printservice-admin
1
nginx
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-operational
1
netflow
1
cisco / ldp
1
windows / lsa-server
1
fortios / sslvpnd
1
linux / auth
1
cisco / bgp
1
django / application
1
cisco / syslog
1
linux / guacamole
1
windows / ldap
1
nodejs / application
1
windows / smbclient-connectivity
1
linux / cron
1
huawei / bgp
1
windows / appmodel-runtime
1
windows / process_tampering
1
paloalto / file_event / globalprotect
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
windows / raw_access_thread
1
python / application
1
paloalto / appliance / globalprotect
1
cisco / duo
1
linux / clamav
1
windows / appxpackaging-om
1
windows / shell-core
1
zeek / x509
1
windows / capi2
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
velocity / application
1
linux / sudo
1
windows / certificateservicesclient-lifecycle-system
1
ruby_on_rails / application
1
m365 / exchange
1
windows / file_rename
1
sql / application
1
linux / vsftpd
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
354
windows / registry_set
74
windows / ps_script
71
windows / image_load
41
windows / file_event
38
windows / wmi
29
linux / process_creation
25
windows / security
20
proxy
12
windows / system
9
windows / network_connection
8
windows / registry_event
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / sense
4
windows / pipe_created
4
windows / taskscheduler
4
windows / registry_delete
4
windows / create_remote_thread
4
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / application-experience
3
windows / hyper-v-worker
3
windows / driver_load
3
windows / codeintegrity-operational
2
windows / process_access
2
windows / windefend
2
windows / bits-client
2
windows / kernel-shimengine
2
windows / file_rename
1
windows / application
1
macos / process_creation
1
windows / firewall-as
1
windows / audit-cve
1
windows / file_access
1
windows / registry-setinformation
1
windows / dns_query
1
linux / file_event
1
windows / amsi
1
windows / file_delete
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connectorFireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
Scan your endpoints, forensic images or collected files with our portable scanner THOR