
currently serving 20158 YARA rules and 3445 Sigma rules
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set.

| Rule | Description | Date |
|---|---|---|
| MAL_RAT_Nov23_1 | Detects a RAT that provides remote control, autorun registration, script execution, downloading of additional files, execution of those downloaded files through Regsvcs.exe, and reverse connections. | 30.11.2023 |
| MAL_Ntospy_Nov23 | Detects the Ntospy DLL module, a Network Provider DLL designed to steal user credentials | 30.11.2023 |
| MAL_ParaSiteSnatcher_Downloader_Nov23 | Detects the ParaSiteSnatcher downloader, part of a framework that lets threat actors monitor, manipulate and exfiltrate highly sensitive information from multiple sources | 28.11.2023 |
| MAL_Downloader_Nov23_1 | Detects a macOS downloader seen being used by North Korean threat actors | 27.11.2023 |
| MAL_Downloader_Nov23_2 | Detects a macOS downloader seen being used by North Korean threat actors | 27.11.2023 |
| APT_MAL_IronWind_Downloader_Nov23_1 | Detects the IronWind downloader seen being used by TA402 | 27.11.2023 |
| APT_MAL_IronWind_Downloader_Nov23_2 | Detects the IronWind downloader seen being used by TA402 | 27.11.2023 |
| MAL_Downloader_DLL_Nov23_2 | Detects a DLL that downloads a malicious Google Chrome extension with similarities to the Genesis Market infostealer | 27.11.2023 |
| MAL_Payload_DLL_Nov23 | Detects a DLL that hijacks one of the standard Windows services by overwriting the service's executable with the malware DLL | 25.11.2023 |
| MAL_Backdoor_DLL_Nov23_2 | Detects a backdoor DLL that collects system information, executes C2 commands and downloads/uploads files, seen in a Konni RAT campaign | 24.11.2023 |
| MAL_UAC_Bypass_Module_Nov23 | Detects a UAC bypass DLL seen in a Konni RAT campaign | 24.11.2023 |
| MAL_Backdoor_DLL_Nov23_1 | Detects a backdoor DLL seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966 | 23.11.2023 |
| MAL_Trojan_DLL_Nov23 | Detects a trojan DLL that installs other components, seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966 | 23.11.2023 |
| MAL_DLL_Stealer_Nov23 | Detects a DLL that steals authentication credentials, seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966 | 23.11.2023 |
| MAL_Python_Backdoor_Script_Nov23 | Detects a Python trojan that communicates with a C2 server, seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966 | 23.11.2023 |
| APT_MAL_DLL_Nov23 | Detects a DLL that is a previously unknown web shell with sophisticated features such as custom encoding for client communication and in-memory execution | 23.11.2023 |
| MAL_Backdoor_Diamond_Sleet_Nov23 | Detects a backdoor seen being used by Diamond Sleet | 22.11.2023 |
| MAL_LambLoad_Nov23 | Detects LambLoad, a weaponized downloader and loader consisting of malicious code added to a legitimate CyberLink application | 22.11.2023 |
| APT_RANSOM_Lockbit_ForensicArtifacts_Nov23 | Detects patterns found in attacks by the LockBit threat actor exploiting the Citrix Bleed vulnerability (CVE-2023-4966) | 22.11.2023 |
Successful YARA Rules in Set
This table shows the rules with the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days).

| Rule | Average AV Detection Rate | Sample Count | Info | VT |
|---|---|---|---|---|
Latest YARA Matches with Low AV Detection Rate
This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines flagged the sample). The AVs column is the number of engines that detected the sample; a hash appearing twice was matched by two different rules.

| Rule | AVs | Hash (SHA-256) |
|---|---|---|
| SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 6 | 5cb2fea799a84db8d70b3dcc36dfaab4fc921152f93da3af314ef210e59780b7 |
| SUSP_Base64_Encoded_Hex_Encoded_Code | 3 | c79b97e4ba6bb2f204190e11759706dfb5fa492908f9c11adbf7688f66755020 |
| SUSP_OBFUSC_Reversed_Encoded_Executable_Mar22 | 5 | fd3f7b0f6817f02f18ee637deb8ea79590c1f3c5152c8e202b66881c5cac1d51 |
| SUSP_Base64_Encoded_Hex_Encoded_Code | 1 | a71fd494ef054b690054c13e4cddf653c3e587d5d555ee5d5a9a54ba2437cf4d |
| SUSP_PE_Discord_Attachment_Oct21_1 | 7 | d0daeb50f1313435def687a13b36586586ff53a77948b1bbc45bae78db1f1ebc |
| SUSP_Base64_Encoded_Hex_Encoded_Code | 3 | 46eb4d1be07950cfcab90166650f5e263e707fec5e252f0c5c2c596768600ec4 |
| SUSP_Base64_Encoded_ISO_Image_Marker_Jan22 | 7 | 22bb9d0f69440fd8e7ed3c84669eefc0557560d7c28467a42c98ae36decc27ae |
| SUSP_HTML_Embedded_ISO_Includes_EXE_Apr21_1 | 7 | 22bb9d0f69440fd8e7ed3c84669eefc0557560d7c28467a42c98ae36decc27ae |
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories. The categories overlap, since a rule can carry several tags and is then counted once per tag.

| Tag | Count |
|---|---|
| Malware | 5781 |
| Threat Hunting (not subscribable, only in the THOR scanner) | 4809 |
| APT | 4781 |
| Hacktools | 4371 |
| Webshells | 2299 |
| Exploits | 604 |
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set.

| Rule | Description | Date |
|---|---|---|
| Potential CVE-2023-46214 Exploitation Attempt | Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) vulnerability in Splunk Enterprise caused by insecure XML parsing | 27.11.2023 |
| Exploitation Attempt Of CVE-2023-46214 Using Public POC Code | Detects an exploitation attempt of CVE-2023-46214, a remote code execution (RCE) vulnerability in Splunk Enterprise caused by insecure XML parsing, using known public proof-of-concept code | 27.11.2023 |
| Network Connection Initiated To DevTunnels Domain | Detects network connections to Dev Tunnels domains initiated by a process on the system. Attackers can abuse this feature to establish a reverse shell or persistence on a machine. | 20.11.2023 |
| Network Connection Initiated To Visual Studio Code Tunnels Domain | Detects network connections to Visual Studio Code tunnel domains initiated by a process on the system. Attackers can abuse this feature to establish a reverse shell or persistence on a machine. | 20.11.2023 |
| CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) | Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), in which an attacker abuses vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands. | 14.11.2023 |
| CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) | Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), in which an attacker abuses vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands. | 14.11.2023 |
| CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) | Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), in which an attacker abuses vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands. | 14.11.2023 |
| CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) | Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), in which an attacker abuses vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands. | 14.11.2023 |
| Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp | Detects suspicious child processes of Excel, which could indicate lateral movement via the "ActivateMicrosoftApp" Excel DCOM method. | 13.11.2023 |
| Non-Executable Extension File Renamed With Executable Extension | Detects rename operations that turn a file with a non-executable extension (.txt, .pdf, etc.) into a file with an executable extension (.exe, .dll, etc.). Malware often does this to avoid initial extension-based detection. | 11.11.2023 |
| Arbitrary File Download Via IMEWDBLD.EXE | Detects usage of "IMEWDBLD.exe" to download arbitrary files | 09.11.2023 |
| Lace Tempest File Indicators | Detects the creation of PowerShell script files with specific names or suffixes that have frequently been seen in PowerShell scripts used by FIN7 | 09.11.2023 |
| Lace Tempest PowerShell Evidence Eraser | Detects a PowerShell script used by Lace Tempest to erase evidence from victim servers after exploiting CVE-2023-47246, as reported by the SysAid team | 09.11.2023 |
| Lace Tempest PowerShell Launcher | Detects a PowerShell script used by Lace Tempest to launch their malware loader after exploiting CVE-2023-47246, as reported by the SysAid team | 09.11.2023 |
| Lace Tempest Cobalt Strike Download | Detects a specific command line used by Lace Tempest to download Cobalt Strike, as reported by the SysAid team | 09.11.2023 |
| Lace Tempest Malware Loader Execution | Detects execution of a specific binary, identified by filename and hash, used by Lace Tempest to load additional malware, as reported by the SysAid team | 09.11.2023 |
| Potential File Download Via MS-AppInstaller Protocol Handler | Detects usage of the "ms-appinstaller" protocol handler on the command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>" | 09.11.2023 |
| Arbitrary File Download Via MSEDGE_PROXY.EXE | Detects usage of "msedge_proxy.exe" to download arbitrary files | 09.11.2023 |
| Remote XSL Execution Via Msxsl.EXE | Detects execution of the "msxsl" binary with an "http" keyword in the command line, which may indicate remote execution of XSL files. | 09.11.2023 |
| CVE-2023-46747 Exploitation Activity - Webserver | Detects exploitation activity for CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP. | 08.11.2023 |
| CVE-2023-46747 Exploitation Activity - Proxy | Detects exploitation activity for CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP. | 08.11.2023 |
| F5 BIG-IP iControl Rest API Command Execution - Proxy | Detects POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, which executes commands on the BIG-IP | 08.11.2023 |
| F5 BIG-IP iControl Rest API Command Execution - Webserver | Detects POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, which executes commands on the BIG-IP | 08.11.2023 |
| Suspicious File Execution From Mounted ISO | Detects execution of a file with a suspicious or double extension from a mounted ISO | 07.11.2023 |
| Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback | Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that have no trust relationship. | 03.11.2023 |
| Suspicious Unsigned Thor Scanner Execution | Detects loading and execution of an unsigned THOR scanner binary. | 29.10.2023 |
| Backdoored Thor Scanner Execution | Detects execution of a known malicious version of the THOR scanner binary | 29.10.2023 |
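Three of the detections in the table above (the two tunnel-domain rules and the extension-rename rule) restated as Sigma-style selections and run over constructed telemetry. This is an added example, not Nextron's rule code: the rule titles are taken from the table, but the domain suffixes, the extension lists, the event field names (Sysmon-like, with product/category added for logsource routing) and the events themselves are assumptions made for the example.

```python
# Minimal Sigma-style matcher (added example, not the Nextron/Sigma rule files).
# Selections use Sigma's "Field|modifier" keys; values in a list are OR-ed,
# keys in a selection are AND-ed, string matching is case-insensitive.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    title: str
    logsource: tuple   # (product, category), like Sigma's logsource block
    selection: dict    # "Field" or "Field|modifier" -> value or list of values


RULES = [
    Rule("Network Connection Initiated To DevTunnels Domain",
         ("windows", "network_connection"),
         {"DestinationHostname|endswith": ".devtunnels.ms"}),                    # assumed suffix
    Rule("Network Connection Initiated To Visual Studio Code Tunnels Domain",
         ("windows", "network_connection"),
         {"DestinationHostname|endswith": ".tunnels.api.visualstudio.com"}),     # assumed suffix
    Rule("Non-Executable Extension File Renamed With Executable Extension",
         ("windows", "file_rename"),
         {"SourceFilename|endswith": [".txt", ".pdf", ".jpg", ".png", ".doc", ".docx"],
          "TargetFilename|endswith": [".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs"]}),
]


def value_matches(value, modifier, expected):
    """Apply one Sigma modifier; a list of expected values is OR-ed."""
    options = expected if isinstance(expected, list) else [expected]
    v = str(value).lower()
    for opt in options:
        e = str(opt).lower()
        if modifier is None and v == e:
            return True
        if modifier == "endswith" and v.endswith(e):
            return True
        if modifier == "startswith" and v.startswith(e):
            return True
        if modifier == "contains" and e in v:
            return True
    return False


def rule_matches(rule, event):
    """Logsource must match and every selection key must match (AND)."""
    if (event.get("product"), event.get("category")) != rule.logsource:
        return False
    for key, expected in rule.selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:          # a missing field never matches
            return False
        if not value_matches(event[field], modifier or None, expected):
            return False
    return True


def evaluate(events, rules=RULES):
    """Return (rule title, event) pairs for every event that triggers a rule."""
    return [(r.title, ev) for ev in events for r in rules if rule_matches(r, ev)]


# Constructed events in the shape of network-connection and file-rename telemetry.
EVENTS = [
    {"product": "windows", "category": "network_connection", "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "DestinationHostname": "xyz1abc2-8080.euw.devtunnels.ms", "DestinationPort": 443},
    {"product": "windows", "category": "network_connection", "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "www.microsoft.com", "DestinationPort": 443},
    {"product": "windows", "category": "network_connection", "Image": r"C:\Users\u\code-tunnel.exe",
     "DestinationHostname": "global.rel.tunnels.api.visualstudio.com", "DestinationPort": 443},
    {"product": "windows", "category": "network_connection", "Image": r"C:\Users\u\x.exe",
     "DestinationHostname": "devtunnels.ms.example.net", "DestinationPort": 80},   # look-alike, must not match
    {"product": "windows", "category": "file_rename", "Image": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "SourceFilename": r"C:\Users\u\Downloads\invoice.pdf", "TargetFilename": r"C:\Users\u\Downloads\invoice.pdf.exe"},
    {"product": "windows", "category": "file_rename", "Image": r"C:\Windows\explorer.exe",
     "SourceFilename": r"C:\Users\u\report.docx", "TargetFilename": r"C:\Users\u\report_final.docx"},
]

if __name__ == "__main__":
    for title, ev in evaluate(EVENTS):
        print(f"[{title}] {ev['Image']} -> {ev.get('DestinationHostname') or ev.get('TargetFilename')}")
```

The fourth event shows why the real rules use `endswith` on a dotted suffix rather than `contains`: a hostname that merely embeds the tunnel domain does not fire. The rename rule fires on the double-extension case, which is the same pattern the "Suspicious File Execution From Mounted ISO" rule later looks for at execution time.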
YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed | Total |
|---|---|---|---|
| YARA | 2946 | 17212 | 20158 |
| Sigma | 3101 | 344 | 3445 |
Sigma Rules Per Category (Community)

| Log source (product / category or service) | Count |
|---|---|
| windows / process_creation | 1178 |
| windows / file_event | 179 |
| windows / registry_set | 179 |
| windows / ps_script | 167 |
| windows / security | 149 |
| linux / process_creation | 105 |
| windows / image_load | 97 |
| webserver | 74 |
| windows / system | 71 |
| proxy | 53 |
| macos / process_creation | 49 |
| linux / auditd | 49 |
| windows / network_connection | 48 |
| azure / activitylogs | 43 |
| windows / registry_event | 38 |
| aws / cloudtrail | 34 |
| azure / auditlogs | 33 |
| windows / ps_module | 32 |
| windows / application | 28 |
| windows / process_access | 27 |
| azure / signinlogs | 24 |
| okta / okta | 22 |
| azure / riskdetection | 19 |
| windows / pipe_created | 18 |
| windows / dns_query | 17 |
| linux | 17 |
| rpc_firewall / application | 17 |
| gcp / gcp.audit | 14 |
| m365 / threat_management | 13 |
| windows / create_remote_thread | 12 |
| cisco / aaa | 12 |
| windows / driver_load | 12 |
| windows / file_delete | 12 |
| windows / windefend | 12 |
| windows / ps_classic_start | 11 |
| windows / codeintegrity-operational | 10 |
| windows / create_stream_hash | 9 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| dns | 8 |
| antivirus | 7 |
| windows / appxdeployment-server | 7 |
| azure / pim | 7 |
| zeek / smb_files | 7 |
| windows / bits-client | 7 |
| github / audit | 7 |
| windows / registry_delete | 6 |
| gcp / google_workspace.admin | 6 |
| windows / file_access | 5 |
| jvm / application | 5 |
| windows / dns-client | 5 |
| zeek / dce_rpc | 4 |
| zeek / dns | 4 |
| windows / sysmon | 4 |
| windows / ntlm | 3 |
| linux / sshd | 3 |
| windows / wmi_event | 3 |
| zeek / http | 3 |
| windows / taskscheduler | 3 |
| linux / network_connection | 3 |
| windows / powershell-classic | 3 |
| apache | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| qualys | 2 |
| firewall | 2 |
| windows / security-mitigations | 2 |
| windows / file_change | 2 |
| m365 / audit | 2 |
| spring / application | 2 |
| linux / syslog | 2 |
| windows / dns-server | 2 |
| windows | 1 |
| windows / printservice-admin | 1 |
| sql / application | 1 |
| nginx | 1 |
| windows / driver-framework | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-operational | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| cisco / syslog | 1 |
| cisco / ldp | 1 |
| windows / smbclient-connectivity | 1 |
| netflow | 1 |
| cisco / bgp | 1 |
| windows / ldap | 1 |
| linux / auth | 1 |
| windows / openssh | 1 |
| windows / process_tampering | 1 |
| linux / cron | 1 |
| huawei / bgp | 1 |
| windows / applocker | 1 |
| windows / raw_access_thread | 1 |
| linux / guacamole | 1 |
| juniper / bgp | 1 |
| windows / appmodel-runtime | 1 |
| linux / clamav | 1 |
| windows / appxpackaging-om | 1 |
| nodejs / application | 1 |
| windows / shell-core | 1 |
| python / application | 1 |
| windows / capi2 | 1 |
| windows / microsoft-servicebus-client | 1 |
| django / application | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / file_rename | 1 |
| linux / sudo | 1 |
| zeek / x509 | 1 |
| windows / smbclient-security | 1 |
| m365 / exchange | 1 |
| windows / diagnosis-scripted | 1 |
| windows / sysmon_status | 1 |
| velocity / application | 1 |
| linux / vsftpd | 1 |
| zeek / rdp | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / sysmon_error | 1 |
| ruby_on_rails / application | 1 |
| m365 / threat_detection | 1 |
| zeek / kerberos | 1 |
| windows / dns-server-analytic | 1 |
| database | 1 |
Sigma Rules Per Category (Nextron Private Feed)

| Log source (product / category or service) | Count |
|---|---|
| windows / process_creation | 154 |
| windows / ps_script | 42 |
| windows / wmi | 29 |
| windows / registry_set | 22 |
| windows / file_event | 15 |
| proxy | 11 |
| windows / system | 9 |
| windows / image_load | 8 |
| windows / security | 7 |
| windows / network_connection | 5 |
| windows / create_remote_thread | 4 |
| linux / process_creation | 3 |
| webserver | 3 |
| windows / pipe_created | 3 |
| windows / ps_classic_script | 3 |
| windows / vhd | 3 |
| windows / ps_module | 3 |
| windows / registry_event | 3 |
| windows / driver_load | 2 |
| windows / taskscheduler | 2 |
| windows / bits-client | 2 |
| windows / dns_query | 1 |
| windows / file_access | 1 |
| windows / registry-setinformation | 1 |
| macos / process_creation | 1 |
| windows / file_delete | 1 |
| windows / file_rename | 1 |
| windows / amsi | 1 |
| windows / process_access | 1 |
| windows / audit-cve | 1 |
| windows / application | 1 |
| windows / registry_delete | 1 |
Tenable Nessus

Requirement: Privileged Scan
- YARA scanning with Nessus only works when scanning with credentials (privileged scan)

YARA Scanning with Nessus
- You can only upload a single .yar file
- The filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID is 91990
- Only files with the following extensions are scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls