Valhalla Logo
currently serving 23739 YARA rules and 4457 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
HKTL_KVC_Mar26
Detects KVC, a hacktool which enables unsigned driver loading via DSE bypass and PP/PPL manipulation for LSASS memory dumping on modern Windows with HVCI/VBS
02.03.2026
HKTL_ADCSDevilCOM_Mar26
Detects ADCSDevilCOM, a hacktool for requesting certificates from ADCS using DCOM over SMB.
02.03.2026
HKTL_Go_Golinhound_Feb26
Detects Golinhound, a Go-based tool designed for reconnaissance and information gathering on Linux systems, which can be used by attackers to collect system information, network details, and other sensitive data for further exploitation or lateral movement
27.02.2026
SUSP_PY_Raw_Bytes_Tunnel_Clients_Feb26
Detects a recurring pattern of raw bytes as found in suspicious Tunnel Client scripts generated by AI (and used in attacks to steal Mexican data trove)
26.02.2026
HKTL_PY_Tunnel_Client_Feb26
Detects characteristics as found in suspicious Tunnel Client script generated by AI (and used in attacks to steal Mexican data trove)
26.02.2026
HKTL_PY_Apex_Tunnel_Client_Feb26
Detects Apex Tunnel Client script generated by AI (and used in attacks to steal Mexican data trove)
26.02.2026
SUSP_PY_HKTL_Characteristics_Feb26
Detects characteristics as found in malicious Python scripts generated by AI
26.02.2026
SUSP_HKTL_POC_Feb26_1
Detects typical exploit code patterns often found in POCs
26.02.2026
SUSP_WEBSHELL_JSP_GetParameter_Feb26_1
Detects suspicious getParameter patterns in Java files that could indicate a webshell, which are often found in malicious Java applications or scripts
26.02.2026
HKTL_LsaWhisperer_CloudAP_BOF_Feb26
Detects LsaWhisperer BOF, a sophisticated tool used to extract credentials from memory by abusing the CloudAP AAD plugin, which is part of the Windows Local Security Authority (LSA) subsystem.
24.02.2026
HKTL_LsaWhisperer_Kerberos_BOF_Feb26
Detects LSA Whisperer Kerberos BOF (Beacon Object File), a Cobalt Strike post-exploitation tool that interacts with Windows authentication packages (Kerberos) via LsaCallAuthenticationPackage API to extract Kerberos tickets without touching LSASS process memory.
24.02.2026
HKTL_LsaWhisperer_MSV1_BOF_Feb26
Detects the MSV1_0 module of LSA Whisperer BOF (Cobalt Strike beacon Object File). This module extracts DPAPI credential keys via MsV1_0GetCredentialKey/GetStrongCredentialKey API calls (unlocks Chrome passwords, Wi-Fi keys, certs, RDP creds) and generates crackable NTLMv1 responses via Lm20GetChallengeResponse regardless of NTLMv2 policy. Works through Credential Guard by using legitimate LsaCallAuthenticationPackage interface.
24.02.2026
SUSP_CloudAP_Plugin_BOF_Feb26
Detects suspicious behavior of a BOF (beacon Object File) that calls the CloudAP plugin, which is part of the Windows Local Security Authority (LSA) subsystem, often used for credential dumping and other malicious activities in memory.
24.02.2026
SUSP_LSA_Kerberos_Credential_Extraction_Indicators_Feb26
Detects indicators of a technique used to extract Kerberos tickets from memory by abusing the LsaCallAuthenticationPackage API, often used to retrieve Kerberos tickets without directly accessing LSASS process memory.
24.02.2026
HKTL_Titus_Secret_Scanner_Feb26
Detects Titus, a CLI secrets scanner
23.02.2026
MAL_MIMICRAT_Loader_Feb26
Detects the MIMICRAT Lua loader that xor decrypts an embedded Lua script for in-memory shellcode execution
23.02.2026
MAL_MIMIC_RAT_Feb26
Detects MIMIC rat designed for persistent remote access, lateral movement, and data exfiltration through malleable C2 profiles that blend with legitimate web traffic.
23.02.2026
SUSP_OBFUSC_PS1_Substring_Arithmetic_Feb26
Detects suspicious PowerShell obfuscation using substring and arithmetic index manipulation to dynamically construct commands
23.02.2026
SUSP_Veeam_Password_Decrypt_Feb26
Detects suspicious PowerShell script which contain commands to handle Veeam passwords
23.02.2026
HKTL_BYOVD_Process_Killer_Feb26
Detects BYOVD Process killer. Can kill some uncommon EDRs
23.02.2026
MAL_DLL_Dropper_Feb26
Detects a DLL that drops and opens a decoy PDF
23.02.2026
SUSP_VBA_Dropper_Feb26
Detects malicious VBA macros implementing string obfuscation and used to drop malicious payloads
20.02.2026
SUSP_Shell_Downloader_Feb26
Detects small bash scripts that download a payload via curl to a variable named path and execute it via bash
20.02.2026
SUSP_MacOS_Bash_Dropper_Base64_Payload_Feb26
Detects small bash dropper scripts that decode a base64-encoded payload and pipe it to a shell or execute it, while also opening a URL
20.02.2026
MAL_MacOS_Downloader_Feb26
Detects a macOS downloader that communicates with a c2 server over HTTPS using custom API key headers and communicates and supports dynamic tasking and collects data before exfiltration and may execute system commands using osascript and shell utilities
20.02.2026
MAL_WinOs_Module_Loader_Feb26
Detects WinOs remote control module loader
19.02.2026
MAL_Kernel_Rootkit_Feb26
Detects Kernel rootkit
19.02.2026
MAL_ThrottleStop_Kernel_Driver_Abuse_Feb26
Detects ThrottleStop kernel driver abuse to kill AV/EDRs products
19.02.2026
MAL_MacOS_Stealer_Feb26
Detects a macOS stealer variant which uses simple xor string obfuscation and shell-based data exfiltration techniques
19.02.2026
EXPL_CVE_2026_20817_Werfault_LPE_Feb26
Detects a proof-of-concept for CVE-2026-20817, a local privilege escalation vulnerability in Windows Error Reporting (WER) that allows an attacker to gain elevated privileges.
19.02.2026

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
OEBuilder_Nov17
2
02a517b175ba2eb14e99a6d86ecf21d88511ba5f7476eb7fdf2a1e0045d25650
HKTL_SUSP_Amsi_DLL_Keywords_Mar21_1
2
8c2ad2a6fbfa4a4060d623ac0f1aedff5cd5c8332b255898399f81028eedde1b
PUA_Syncro_RMM_Jan26
9
c709fe7c0dfc8937997c5a4349222478ef6ee4dbf683518af9dd13a59ee09344
Suspicious_PS_JS_Indicators
12
e3e217d3de943e534224d10c69f5f972b5898ebc8786c5393ea1aa5a3647c223
SUSP_HKTL_CobaltStrike_PS1_Loader_Indicator_Nov23_2
7
9714922dfba30d4e3dcad1b858c60182696c56bcf5c52295d3185d991d0aa77a
HKTL_PS1_Loader_Characteristics_Sep25_2
6
5d22667afe26e2e9df6929d87d963359b232541bd88097e0bbfc946894361438
SUSP_Four_Byte_XOR_PE_And_MZ
4
948ea19b7c51b3988e19c757161eceee92a034677cec0944d516edc6d46df3c5
Sofacy_Jan18_1_PE_Info_Anomaly
4
88ff6d90f02d251ba09047077e0ddb4db0e27ff19958189bb9615772235d9e1f
SUSP_Base64_Encoded_GetEnvironmentVariable
5
3a3e8da5504aa1a3d88921d9ce25a3810d0787d52a6870569ee19e53c393d723
OEBuilder_Nov17
3
6b7ef3bdd790a2dd8cd0d8834f741a6e33d9dbfb3bd00373b095124c2aad46d3
HKTL_PELoad_Jan23_7
11
755b12f444dced7101983d464805d944a0018bd6de184042e9e2f95afa90ad54
PUA_ConnectWise_ScreenConnect_Mar23
13
8b462dc1cbbdb3b67e84cc39133bba71067bd7a76871892bde77771a97886070
PUA_ConnectWise_ScreenConnect_Mar23
11
9bf7af3f47bcd2f2ea15e87f395795c1c108c3463a14ba8e5470eb9ce7b4e7e2
MAL_Mimikatz_Deployment_Strings_1
11
4aeb23571d0543a80da0bce3e9c55482148e25eac04cfe546399604a6c68b8e1
HKTL_Mimikatz_May18_Eval_6
11
4aeb23571d0543a80da0bce3e9c55482148e25eac04cfe546399604a6c68b8e1
SUSP_HKTL_Strings_Aug23_1
11
4aeb23571d0543a80da0bce3e9c55482148e25eac04cfe546399604a6c68b8e1
Powerkatz_DLL_Generic
11
4aeb23571d0543a80da0bce3e9c55482148e25eac04cfe546399604a6c68b8e1
mimikatz
11
4aeb23571d0543a80da0bce3e9c55482148e25eac04cfe546399604a6c68b8e1
Mimikatz_Special_Sig
11
4aeb23571d0543a80da0bce3e9c55482148e25eac04cfe546399604a6c68b8e1
HKTL_Mimikatz_Sep16
11
4aeb23571d0543a80da0bce3e9c55482148e25eac04cfe546399604a6c68b8e1

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
7495
Threat Hunting (not subscribable, only in THOR scanner)
5812
APT
5055
Hacktools
4835
Webshells
2399
Exploits
722

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Netsh Advfirewall Isolate Network
Detects execution of netsh.exe commands that modify Windows Advanced Firewall settings to block both inbound and outbound traffic, effectively isolating the system from network communication. This technique may be used by attackers to evade detection, prevent remediation, or disrupt incident response activities.
20.02.2026
ICACLS Deny Permission Abuse
Detects execution of icacls.exe with deny arguments targeting broad principals such as Everyone or Administrators, which may indicate malicious permission tampering.
20.02.2026
Suspicious Child Processes Spawned by Chrome Remote Desktop
Detects suspicious child processes spawned by Chrome Remote Desktop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by LogMeIn
Detects suspicious child processes spawned by LogMeIn process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AnyDesk
Detects suspicious child processes spawned by AnyDesk process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Remote Utilities
Detects suspicious child processes spawned by Remote Utilities process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by SlashTop
Detects suspicious child processes spawned by SlashTop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by RemotePC
Detects suspicious child processes spawned by RemotePC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by ScreenConnect
Detects suspicious child processes spawned by ScreenConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Splashtop
Detects suspicious child processes spawned by Splashtop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by TeamViewer
Detects suspicious child processes spawned by TeamViewer process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by UltraVNC
Detects suspicious child processes spawned by UltraVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by TightVNC
Detects suspicious child processes spawned by TightVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by VNCConnect
Detects suspicious child processes spawned by VNCConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by ZohoAssist
Detects suspicious child processes spawned by ZohoAssist process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AeroAdmin
Detects suspicious child processes spawned by AeroAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AMMYYAdmin
Detects suspicious child processes spawned by AMMYYAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
File Operation via .NET Class
Detects the use of dotnet method in command lines which could be used for unauthorized file operations such as copying files. It could indicate suspicious activity because there are many normal ways to copy files in Windows, thus adversary may use this rarely used method to avoid detection.
06.02.2026
Suspicious Linux Command Patterns
Detects suspicious command line patterns that may indicate malicious activity such as decoding base64 content to files in some folder and executing it.
05.02.2026
Suspicious Double Extension File Execution on Linux
Detects suspicious use of executable extensions like .sh, .py or .pl after a non-executable file extension to disguise malicious files in Linux environments
05.02.2026
Suspicious Double Extension Files in Linux
Detects files with double extensions in Linux systems, which could be an attempt to disguise executable content as harmless documents.
05.02.2026
Suspicious Download and Execution Combo in Linux
Detect suspicious command line patterns where a download command line utility is executed in combination with other suspicious command line utilities. This could indicate potential malicious activity such as downloading and various other actions like decoding, changing permissions, or executing the downloaded file or creating persistence.
05.02.2026
Suspicious Base64 Encoded IP in PowerShell Execution
Detects PowerShell script blocks that contain base64-encoded IP addresses, a technique commonly used for obfuscation and defense evasion. Threat actors may leverage this method to download and execute secondary payloads from IP addresses - often their command and control (C2) servers or other malicious infrastructure. By encoding these URLs in base64 within PowerShell commands, adversaries attempt to bypass detection mechanisms and evade user scrutiny. This rule helps identify suspicious activity where PowerShell is used to retrieve content from IPs via base64-encoded strings, which is rarely seen in legitimate software.
04.02.2026
Suspicious Base64 Encoded IP in Command Line
Detects processes with command lines containing base64-encoded IP addresses, which may indicate obfuscation or evasion attempts. Threat actors often host their secondary malicious payloads on IP addresses, potentially their C&C servers or other hosting infrastructure. To download these malicious payloads, the malware dropper technique involves downloading and executing a secondary payload from an IP address. And to obscure the command line from normal user scrutiny, threat actors may their script or command line arguments in base64 encoding to download and execute the secondary payload.
04.02.2026
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
03.02.2026
Renamed TinyCC (TCC) Compiler Execution
Detects the execution of a renamed TinyCC (TCC) Compiler (tcc.exe) Attackers have been observed renaming tcc.exe to masquerade as legitimate Windows binaries (e.g., svchost.exe) to compile and execute malicious C code in memory, such as shellcode loaders. This technique was observed in Chrysalis backdoor attacks.
03.02.2026
Tiny C Compiler Runtime Execution
Detects execution of Tiny C Compiler (TCC) which compiles and executes C code directly in memory. This technique was observed in Chrysalis backdoor campaigns where attackers renamed tcc.exe to svchost.exe and used it to load shellcode from .c files directly into memory, bypassing traditional detection methods.
03.02.2026
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
03.02.2026
Reflective Loading from Masqueraded File - PowerShell
Detects a PowerShell scriptblock pattern where a masqueraded file (e.g., a .png) is read into a byte array and then reflectively loaded as a .NET assembly. This technique is used by various threat actors to evade file-based detections.
02.02.2026
Reflective Loading from Masqueraded File
Detects a PowerShell command pattern where a masqueraded file (e.g., a .png) is read into a byte array and then reflectively loaded as a .NET assembly. This technique is used by various threat actors to evade file-based detections.
02.02.2026

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
2719
21020
Sigma
3540
917

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1331
windows / registry_set
219
windows / file_event
206
windows / ps_script
165
windows / security
160
linux / process_creation
131
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
68
aws / cloudtrail
55
proxy
54
windows / network_connection
53
linux / auditd
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
rpc_firewall / application
17
gcp / gcp.audit
16
windows / windefend
16
github / audit
16
linux
16
bitbucket / audit
14
windows / file_delete
13
linux / file_event
13
m365 / threat_management
13
cisco / aaa
12
windows / create_remote_thread
12
kubernetes / application / audit
10
windows / codeintegrity-operational
10
windows / driver_load
10
windows / registry_delete
10
windows / ps_classic_start
9
dns
9
windows / create_stream_hash
9
windows / appxdeployment-server
9
windows / firewall-as
8
windows / msexchange-management
8
windows / bits-client
7
azure / pim
7
zeek / smb_files
7
gcp / google_workspace.admin
7
antivirus
7
fortigate / event
7
windows / file_access
7
windows / dns-client
6
kubernetes / audit
5
zeek / dns
5
zeek / http
5
linux / network_connection
5
jvm / application
5
zeek / dce_rpc
4
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
windows / registry_add
3
linux / sshd
3
m365 / audit
3
macos / file_event
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
windows / security-mitigations
2
linux / syslog
2
windows / dns-server
2
apache
2
spring / application
2
onelogin / onelogin.events
2
firewall
2
windows / smbserver-connectivity
1
windows / smbclient-connectivity
1
zeek / x509
1
windows / capi2
1
windows / shell-core
1
windows / file_change
1
windows / process_tampering
1
paloalto / file_event / globalprotect
1
linux / vsftpd
1
windows / certificateservicesclient-lifecycle-system
1
windows / raw_access_thread
1
nodejs / application
1
paloalto / appliance / globalprotect
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
windows / diagnosis-scripted
1
python / application
1
zeek / rdp
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_error
1
m365 / threat_detection
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
ruby_on_rails / application
1
m365 / exchange
1
windows / driver-framework
1
windows / sysmon_status
1
velocity / application
1
cisco / duo
1
nginx
1
windows
1
linux / sudo
1
sql / application
1
cisco / ldp
1
windows / ldap
1
windows / wmi
1
windows / dns-server-analytic
1
cisco / bgp
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
database
1
windows / appmodel-runtime
1
windows / lsa-server
1
windows / printservice-operational
1
linux / clamav
1
linux / auth
1
linux / guacamole
1
windows / applocker
1
windows / openssh
1
django / application
1
fortios / sslvpnd
1
huawei / bgp
1
windows / appxpackaging-om
1
cisco / syslog
1
linux / cron
1
juniper / bgp
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
441
windows / ps_script
83
windows / registry_set
83
windows / file_event
46
windows / image_load
46
linux / process_creation
41
windows / wmi
29
windows / security
25
proxy
12
windows / system
11
windows / registry_event
8
windows / network_connection
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / taskscheduler
4
windows / create_remote_thread
4
windows / registry_delete
4
windows / sense
4
windows / pipe_created
4
webserver
3
windows / vhd
3
windows / driver_load
3
windows / hyper-v-worker
3
windows / ps_classic_script
3
windows / application-experience
3
windows / process_access
2
windows / windefend
2
windows / bits-client
2
windows / process-creation
2
windows / codeintegrity-operational
2
windows / dns_query
2
windows / file_delete
2
windows / kernel-shimengine
2
windows / file_access
2
linux / file_event
2
macos / process_creation
2
windows / audit-cve
1
windows / firewall-as
1
windows / registry_add
1
windows / application
1
windows / registry-setinformation
1
windows / amsi
1
windows / file_rename
1
dns
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022