currently serving 23850 YARA rules and 4509 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
MAL_Sero_RAT_Apr26
Detects SeroRAT, a remote access trojan observed in the wild. It is known for its ability to evade detection and maintain persistence on infected systems, and has been seen being dropped by the Amadey botnet.
09.04.2026
MAL_PY_Dropper_Apr26
Detects malicious PyPI dropper
07.04.2026
SUSP_PY_Dropper_Apr26
Detects suspicious usage of Python's base64 and subprocess libraries
07.04.2026
HKTL_Wiretap_RS_Apr26
Detects Wiretap RS - a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.
07.04.2026
HKTL_BlueHammer_Apr26
Detects Nightmare-Eclipse/BlueHammer (FunnyApp), a Windows local privilege escalation PoC that abuses a Defender signature-update RPC and a junction/symlink race to leak the SAM hive and derive NTLM hashes - giving an unprivileged user full SYSTEM-level credential access.
07.04.2026
SUSP_BOF_Indicators_Proc_Eval_Apr26
Detects suspicious code found in a larger BOF file sample analysis set (whoami BOF)
07.04.2026
HKTL_BOF_NanoDump_Apr26
Detects strings found in NanoDump BOF samples. NanoDump is a BOF that can be used to dump the memory of a process and is often used in post-exploitation scenarios to dump LSASS and extract credentials from it.
07.04.2026
SUSP_BOF_Indicators_Process_Manip_Apr26
Detects suspicious code found in a larger BOF file sample analysis set that is related to process manipulation
07.04.2026
MAL_TangleCrypt_Apr26
Detects TangleCrypt packer seen being used by multiple malware families
06.04.2026
MAL_CrystalX_RAT_Apr26
Detects CrystalX RAT written in Go, featuring WebSocket C2 communication, remote access capabilities, credential stealing, keylogging, clipboard hijacking, and prankware-style system manipulation, including user disruption and remote screen control
06.04.2026
PUA_ThrottleStop_Driver_Apr26
Detects the ThrottleStop driver, a high-privilege hardware access driver used by legitimate software, but also observed in ransomware campaigns for EDR/AV tampering and termination via IOCTL abuse.
05.04.2026
SUSP_BOF_Indicators_Beacon_Apr26
Detects malicious beacon code found in a larger BOF file sample analysis set
03.04.2026
HKTL_BOF_Indicators_LSA_Whisperer_Apr26
Detects malicious LSA Whisperer code found in a larger BOF file sample analysis set
03.04.2026
SUSP_BOF_Indicators_Apr26_1
Detects suspicious function names and strings found in a larger BOF file sample analysis set
03.04.2026
SUSP_BOF_Indicators_Apr26_2
Detects suspicious strings found in a larger BOF file sample analysis set
03.04.2026
HKTL_SCShell_BOF_Indicators_Apr26
Detects strings found in SCShell BOF samples. SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. The beauty of this tool is that it does not perform authentication against SMB. Everything is performed over DCERPC.
03.04.2026
SUSP_BOF_Indicators_CredPrompt_Apr26
Detects suspicious strings found in a larger BOF file sample analysis set that are related to credential prompts
03.04.2026
HKTL_BOF_Indicators_DNSTool_Apr26
Detects DNSTool-BOF code found in a larger BOF file sample analysis set. DNSTool-BOF is a BOF that can be used to perform DNS queries and exfiltrate data over DNS.
03.04.2026
SUSP_HKTL_Go_Keyloger_Apr26
Detects an unknown Go-based keylogger sample found in a larger COFF file sample analysis set
03.04.2026
MAL_RANSOM_Vect_Apr26
Detects Vect ransomware
01.04.2026
MAL_NPM_SupplyChain_Attack_Mar26
Detects package.json files that include the malicious plain-crypto-js package as a dependency
31.03.2026
SUSP_JS_Dropper_Mar26
Detects suspicious JavaScript dropper used in plain-crypto-js supply chain attacks
31.03.2026
MAL_CTRL_Stager_Mar26
Detects the staging payload of the CTRL malware. Used for credential exfiltration, remote access and arbitrary file execution.
31.03.2026
MAL_NET_CTRL_Client_Mar26
Detects the main payload of the CTRL malware. Used for data exfiltration, remote access and arbitrary file execution.
31.03.2026
MAL_AdaptixC2_Loader_Mar26
Detects an AdaptixC2 loader that evades EDR via indirect syscalls, extracts a steganographic payload, decrypts it and injects it into a process
30.03.2026
MAL_WHQL_Guru_Rootkit_Mar26
Detects a driver associated with the Guru rootkit, which allows an attacker to execute arbitrary code in kernel mode from unprivileged user-mode.
30.03.2026
HKTL_Ligolo_Iwa_Mar26
Detects Ligolo-iwa, a Ligolo-ng JavaScript agent that works inside Chrome/Edge by leveraging Isolated Web Applications.
30.03.2026
HKTL_Certihound_Mar26
Detects Certihound, an Active Directory Certificate Services (ADCS) enumeration library
30.03.2026
SUSP_Bash_Dropper_Mar26
Detects a Bash dropper that uses echo and base64 decoding to reconstruct and execute a payload, commonly observed in macOS malware campaigns
30.03.2026
MAL_MacOS_Infiniti_Stealer_Mar26
Detects the Infiniti stealer, which harvests browser credentials, keychain items and file metadata, encodes the data in Base64 and exfiltrates it to a remote C2 server
30.03.2026

Successful YARA Rules in Set

This table shows statistics for the best rules with the lowest AV detection rates (rules created in the last 12 months, matches from the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
CN_Actor_Serv2_048_64
4
ed13d9fe708c43ee3757a14bf7f677ee7491a33e7b7e06e21748e951cb91b865
SUSP_OBFUSC_NET_Reactor_JIT_Encryption_Feb25
1
756f550053b8cf713fad817185d599aefb7a892f3ba031b3b3f58e65d9c6912c
SUSP_HKTL_Hacktool_Strings_Oct21_1
5
66b539daa4152ce4219ddff0e221a8ef9cd9dcb27266bbe85ed425bbf8b3f4cc
Generic_Strings_Hacktools
5
66b539daa4152ce4219ddff0e221a8ef9cd9dcb27266bbe85ed425bbf8b3f4cc
MAL_OBFUSC_VBS_Script_Mar26
7
0457c03d79b8d12822ee5d90b01b4f7b1b43217dc9aa1ce8916e425189298336
PUA_ConnectWise_ScreenConnect_Mar23
8
80235d819827df4c5c73e3c2c0947385db8d9775a5197ddf878dc77695167944
Hacktool_Strings_p0wnedShell
2
2d62c53aa58952554fd22b6784c097316fe6f390300dcafcf8733f6db136eca1
HKTL_LNX_GenShell_Feb21_1
2
2d62c53aa58952554fd22b6784c097316fe6f390300dcafcf8733f6db136eca1
HKTL_P0wnedShell_Strings_Jan17
2
2d62c53aa58952554fd22b6784c097316fe6f390300dcafcf8733f6db136eca1
PUA_ConnectWise_ScreenConnect_Mar23
8
6b3b47ca6a3ea771a55b8ce4978cd59fcca744095261ec4a553ded754ec5b405
PUA_ConnectWise_ScreenConnect_Mar23
7
1371f13df8db71c2d6cf13cad1a08dc5b8ab50bc7e1e849cbeacde090a026722
WEBSHELL_PHP_OBFUSC_Encoded_Mixed_Dec_And_Hex
2
671583ff73a7f34cdeafaa0de0e45747759c12ccf7082b32918ca9b4a6fa5ff3
WEBSHELL_PHP_OBFUSC
2
671583ff73a7f34cdeafaa0de0e45747759c12ccf7082b32918ca9b4a6fa5ff3
SUSP_Wextract_Anomaly_Unsigned_May23
9
756e7e920ceabb01b39fa79ba8e5a439f30a6617cdde06c8efc6f074715084ef
HKTL_PS1_Villain_C2_Implant_Apr23_1
1
1fea644e73fa6d090b155f7ee6568daacba1a8170aceb9222d4316ed44a63eec
SUSP_OBFUSC_NET_Reactor_JIT_Encryption_Feb25
5
cd0ccabb2dfbbe961d05b4b8b64682f34056aeb451d206540d8b8b1b8313f1e0
APT_Malware_Mar19_1
10
cb1de5683ba8def166b918250968bb03a536f1253da1cec21caeaa78fb4600a6
SUSP_ZIP_PDF_Phishing_Executable_Jun25
3
3e9debda073c977934dd3cbe5024361305809514cd06c798c56f2e601373340c
HKTL_Defeat_Defender_Apr21_1
13
aef704751fea913356b53355c8e01500c061bb78f4e4a151d8cc5b505618a224
HKTL_Defeat_Defender_Apr21_1
14
4e5fa25dbd56b5315c99fff806006c8c61bc8c7d30076d96f8dab830fff4c872

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
7550
Threat Hunting (not subscribable, only in THOR scanner)
5857
APT
5055
Hacktools
4848
Webshells
2400
Exploits
722

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Suspicious File Rename
Detects suspicious renaming of benign file types such as documents or images to executable file types. Threat actors often drop files with innocent extensions and later rename them to executable formats during execution to evade detection.
02.04.2026
DNS Exfiltration via DNSExfiltrator - Network
Detects DNS exfiltration activity using the DNSExfiltrator tool, which encodes data in DNS queries using certain encoding.
02.04.2026
VSCode Tasks.json File Creation
Detects the creation of `.vscode/tasks.json` files which can be abused to auto-run malicious scripts when a VSCode workspace is opened and trusted by the user. This technique was observed in the "Contagious Interview" campaign where threat actors exploited VS Code's workspace trust model to execute malicious tasks upon opening a new project. Attackers may create or modify `tasks.json` to define tasks that run malicious commands or scripts automatically when the workspace is opened and trusted by the user. Legitimate use cases include developers configuring build or deployment tasks, but unexpected creation of such files in unfamiliar projects may indicate malicious activity.
02.04.2026
Unusually Long DNS Query - Network
Detects unusually long DNS queries that may indicate DNS tunneling, data exfiltration attempts, or C2 communication. Usage of DNS for C&C communication or data exfiltration often involves crafting long DNS queries to encode information.
02.04.2026
Suspicious Download and Execution Pattern via VSCode/Cursor Tasks - Linux
Detects suspicious patterns where Visual Studio Code or Cursor spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes. This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`. Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode or Cursor, enabling initial access or further compromise.
02.04.2026
Suspicious Download and Execution Pattern via VSCode Tasks
Detects suspicious patterns where Visual Studio Code (VSCode) spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes. This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`. Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode, enabling initial access or further compromise.
02.04.2026
DNS Exfiltration via DNSExfiltrator
Detects DNS exfiltration activity using the DNSExfiltrator tool, which encodes data in DNS queries using certain encoding.
02.04.2026
Unusually Long DNS Query
Detects unusually long DNS queries that may indicate DNS tunneling, data exfiltration attempts, or C2 communication. Usage of DNS for C&C communication or data exfiltration often involves crafting long DNS queries to encode information.
02.04.2026
File Operation via .NET Class
Detects the use of a .NET method in command lines which could be used for unauthorized file operations such as copying files. This could indicate suspicious activity because there are many normal ways to copy files in Windows, so an adversary may use this rarely used method to avoid detection.
02.04.2026
Suspicious Download and Piping to Interpreters Pattern
Detects the usage of download utilities like curl or wget followed by piping the downloaded content directly into an interpreter such as Node.js, Python, Bash, PowerShell, Perl, or Ruby. This pattern is often used by attackers to download and execute malicious scripts or payloads directly in memory, bypassing traditional file-based detection mechanisms. Review the process lineage for context to determine if the activity is legitimate or malicious.
02.04.2026
PUA - HoboCopy Execution
Detects the execution of HoboCopy, a command-line tool that can be used to copy locked files using the Volume Shadow Copy Service (VSS). This tool can be abused by attackers to copy sensitive files like SAM, SYSTEM, or NTDS.dit. Even though it can be used for legitimate backup purposes, its presence in modern Windows environments is very rare and potentially associated with malicious activity.
27.03.2026
Critical Log File Deletion on Linux System
Detects deletion of critical log files on Linux systems that may indicate log tampering or evidence destruction. This technique can be used by attackers to cover their tracks after gaining unauthorized access to a system.
26.03.2026
Critical Log Manipulation via Sed Utility
Detects critical log manipulation attempts using the sed utility with in-place editing on sensitive log files. This technique can be used by attackers to cover their tracks after gaining unauthorized access to a system.
26.03.2026
Potential Abuse of Winpty-Agent.Exe for Reconnaissance
Detects potential abuse of winpty-agent.exe, a pseudo-terminal utility commonly used by developer tools and remote monitoring software, for executing reconnaissance commands.
23.03.2026
Renamed Network Lookout Execution - Remote Access Software
Detects execution of a renamed "Network Lookout Net Monitor for Employees Pro" binary. It is commercial employee monitoring software that attackers have, however, been observed abusing for unauthorized surveillance and remote access.
23.03.2026
Renamed SimpleHelp Client Binary Execution - Remote Access Software
Detects the execution of a renamed SimpleHelp client binary. These binaries are executed by threat actors to connect to certain SimpleHelp servers for remote access and control. Even though it is legitimate RMM software, the use of renamed binaries is a common tactic employed by attackers to evade detection and persist on compromised systems.
23.03.2026
Disable Input Devices via Disable-PnpDevice
Detects usage of Disable-PnpDevice PowerShell cmdlet to disable crucial input devices such as keyboards and mouse. Adversaries may disable input devices to prevent user interaction with the system, facilitating further malicious activities without interruption. This technique can be part of a broader strategy to maintain persistence or evade detection by hindering user access.
22.03.2026
Disable Input Devices via Disable-PnpDevice - ScriptBlock
Detects usage of Disable-PnpDevice PowerShell cmdlet to disable input devices such as keyboards and mouse. Adversaries may disable input devices to prevent user interaction with the system, facilitating further malicious activities without interruption. This technique can be part of a broader strategy to maintain persistence or evade detection by hindering user access.
22.03.2026
Disabling of an Input Device
Detects the disabling of critical input devices such as keyboard and mouse, which may indicate malicious activity aimed at preventing user interaction with the system. Threat actors may disable input devices during attacks to maintain persistence and prevent users from interrupting malicious operations or accessing security tools. This technique is often observed in ransomware attacks and data exfiltration scenarios where attackers seek to minimize user interference. To verify whether the disabling was legitimate or part of an attack, further investigation into the context and source of the action is recommended.
22.03.2026
Suspicious PowerShell Use of DIR Alias with Glob Pattern
Detects PowerShell process creation using the DIR alias with a glob pattern, which may indicate suspicious and obfuscated activity.
20.03.2026
Suspicious HTTP URL Invocation Patterns via Download Utilities - Linux
Detects suspicious command line patterns involving download utilities like curl or wget invoking invalidly formatted HTTP protocols (e.g., 'http:/example.com' instead of 'http://example.com'). This may indicate an attempt to obfuscate the URL or bypass certain detection mechanisms while still reaching out to external servers for command and control or data exfiltration.
18.03.2026
Suspicious HTTP URL Invocation Patterns via Download Utilities
Detects suspicious command line patterns involving download utilities like curl or wget invoking invalidly formatted HTTP protocols (e.g., 'http:/example.com' instead of 'http://example.com'). This may indicate an attempt to obfuscate the URL or bypass certain detection mechanisms while still reaching out to external servers for command and control or data exfiltration.
18.03.2026
OneDrive Execution From Suspicious Location
Detects OneDrive.exe being executed from a non-standard location, which may indicate a masqueraded malicious binary. Adversaries often rename their malicious executables to 'OneDrive.exe' to blend in with legitimate system activity and evade detection.
16.03.2026
Suspicious Process Masquerading as OneDrive
Detects suspicious process that is masquerading as OneDrive executable. This technique can be used by attackers to evade detection by running malicious processes under the guise of a legitimate application.
16.03.2026
Suspicious DNS Lookup and Execution Pattern
Detects suspicious command line patterns involving 'nslookup' piped to 'findstr' with a subsequent 'for' loop, which may indicate an attempt to query DNS for second-stage payloads and execute them. This technique can be used by adversaries to leverage DNS as a covert command and control channel, allowing them to retrieve and execute malicious payloads without directly connecting to an external server.
16.03.2026
Obfuscated Node.js Execution via CommandLine - Linux
Detects the execution of Node.js with the '--eval' flag, where the provided script contains common obfuscation patterns.
10.03.2026
Obfuscated Node.js Execution via CommandLine
Detects the execution of Node.js with the '--eval' flag, where the provided script contains common obfuscation patterns.
10.03.2026
Linux Glob Based CLI Obfuscation
Detects the use of glob patterns to obfuscate command line arguments on Linux systems, which is a technique used by attackers to evade detection
04.03.2026
Suspicious PowerShell Get-Command Execution With Glob Patterns
Detects execution of obfuscated variations of PowerShell Get-Command using glob patterns (wildcards or character ranges), potentially used for command obfuscation and evasion
04.03.2026
Suspicious Where.exe Execution With Glob Patterns
Detects the execution of where.exe with glob patterns (wildcards) that may indicate command line obfuscation attempts to search for or identify system utilities.
04.03.2026

YARA/SIGMA Rule Count

Rule Type   Community Feed   Nextron Private Feed
Yara        2721             21129
Sigma       3540             969

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1331
windows / registry_set
219
windows / file_event
206
windows / ps_script
165
windows / security
160
linux / process_creation
131
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
68
aws / cloudtrail
55
proxy
54
windows / network_connection
53
linux / auditd
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
rpc_firewall / application
17
gcp / gcp.audit
16
windows / windefend
16
github / audit
16
linux
16
bitbucket / audit
14
linux / file_event
13
m365 / threat_management
13
windows / file_delete
13
cisco / aaa
12
windows / create_remote_thread
12
windows / codeintegrity-operational
10
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / ps_classic_start
9
dns
9
windows / appxdeployment-server
9
windows / create_stream_hash
9
windows / firewall-as
8
windows / msexchange-management
8
zeek / smb_files
7
gcp / google_workspace.admin
7
antivirus
7
fortigate / event
7
windows / file_access
7
azure / pim
7
windows / bits-client
7
windows / dns-client
6
zeek / dns
5
linux / network_connection
5
zeek / http
5
jvm / application
5
kubernetes / audit
5
windows / sysmon
4
windows / iis-configuration
4
windows / taskscheduler
4
zeek / dce_rpc
4
windows / registry_add
3
m365 / audit
3
macos / file_event
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
windows / dns-server
2
apache
2
spring / application
2
onelogin / onelogin.events
2
firewall
2
linux / syslog
2
windows / security-mitigations
2
windows / certificateservicesclient-lifecycle-system
1
windows / shell-core
1
nodejs / application
1
paloalto / appliance / globalprotect
1
linux / vsftpd
1
windows / microsoft-servicebus-client
1
windows / file_executable_detected
1
windows / diagnosis-scripted
1
python / application
1
m365 / exchange
1
zeek / rdp
1
windows / smbclient-security
1
windows / file_rename
1
windows / sysmon_status
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
ruby_on_rails / application
1
m365 / threat_detection
1
windows / driver-framework
1
windows
1
sql / application
1
velocity / application
1
cisco / duo
1
cisco / bgp
1
nginx
1
linux / sudo
1
cisco / ldp
1
windows / ldap
1
windows / wmi
1
windows / dns-server-analytic
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
database
1
linux / clamav
1
windows / lsa-server
1
windows / printservice-operational
1
linux / guacamole
1
windows / appmodel-runtime
1
linux / auth
1
linux / cron
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
django / application
1
fortios / sslvpnd
1
huawei / bgp
1
windows / appxpackaging-om
1
cisco / syslog
1
windows / smbserver-connectivity
1
windows / process_tampering
1
windows / smbclient-connectivity
1
zeek / x509
1
windows / capi2
1
windows / file_change
1
windows / raw_access_thread
1
paloalto / file_event / globalprotect
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
468
windows / registry_set
86
windows / ps_script
85
linux / process_creation
48
windows / file_event
47
windows / image_load
46
windows / wmi
29
windows / security
28
windows / system
13
proxy
12
windows / registry_event
8
windows / network_connection
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / taskscheduler
4
windows / create_remote_thread
4
windows / registry_delete
4
windows / dns_query
4
windows / sense
4
windows / pipe_created
4
windows / ps_classic_script
3
webserver
3
windows / vhd
3
windows / hyper-v-worker
3
windows / driver_load
3
windows / application-experience
3
dns
3
windows / process_access
2
windows / bits-client
2
windows / windefend
2
windows / process-creation
2
windows / codeintegrity-operational
2
windows / kernel-shimengine
2
windows / file_delete
2
windows / file_access
2
linux / file_event
2
macos / process_creation
2
windows / smbclient-security
2
windows / audit-cve
1
windows / firewall-as
1
windows / registry_add
1
windows / registry-setinformation
1
windows / application
1
windows / file_rename
1
windows / amsi
1
linux / file_delete
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html