Valhalla Logo
currently serving 23809 YARA rules and 4483 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
MAL_NPM_SupplyChain_Attack_Mar26
Detects package.json which include the malicious plain-crypto-js package as dependency
31.03.2026
SUSP_JS_Dropper_Mar26
Detects suspicious JavaScript dropper used in plain-crypto-js supply chain attacks
31.03.2026
MAL_WHQL_Guru_Rootkit_Mar26
Detects a driver associated with the Guru rootkit, which allows an attacker to execute arbitrary code in kernel mode from unprivileged user-mode.
30.03.2026
MAL_LiteLLM_SupplyChain_Mar26
Detects malicious indicators used in LiteLLM supply chain attack
28.03.2026
MAL_Telnyx_SupplyChain_Mar26
Detects malicious indicators used in Telnyx supply chain attack
28.03.2026
SUSP_TeamPCP_Indicators_Mar26
Detects suspicious indicators used by TeamPCP in supply chain attacks
28.03.2026
MAL_TOnePipeShell_Implant_Mar26
Detects TOnePipeShell implant
26.03.2026
MAL_Generic_Characteristic_Mar26
Detects binaries containing typical indicators related to stealers and RATs.
26.03.2026
MAL_Office_VBA_Shellcode_Loader_Mar26
Detects Microsoft Office files with embedded VBA payloads for shellcode loading. These payloads have been observed to be used by APT actor Donot.
26.03.2026
MAL_Shellcode_Downloader_Mar26
Detects shellcode downloader
25.03.2026
MAL_JS_Credential_Stealer_Mar26
Detects JavaScript credential harvester related to threat actor TeamPCP
24.03.2026
SUSP_JS_Downloader_Mar26
Detects JavaScript downloading and executing external package using popular package managers
24.03.2026
MAL_BackupSpy_Mar26
Detects BackupSpy and its logfile as used by APT36
23.03.2026
MAL_MailCreep_Mar26
Detects MailCreep malware as used by APT36
23.03.2026
PUA_Rustunnel_Mar26
Detects rustunnel, an open-source tunnel service written in Rust that replicates the core functionality of ngrok
23.03.2026
HKTL_KslDump_Mar26
Detects KslDump, a hacktool to extract credentials from PPL-protected LSASS using only Microsoft-signed components
23.03.2026
SUSP_JS_Canister_Worm_Mar26
Detects suspicious JavaScript related to Canister worm propagating in NPM ecosystem
23.03.2026
SUSP_PY_Canister_Worm_Mar26
Detects Python script related to Canister Worm
23.03.2026
MAL_NPM_Token_Exfiltration_Mar26
Detects JavaScript harvesting NPM tokens possibly related to Canister worm
23.03.2026
SUSP_JS_Systemd_Persistence_Mar26
Detects JavaScript writing systemd service configuration to disk
23.03.2026
SUSP_JS_Python_Base64_Encoded_Mar26
Detects Base64 encoded Python script in JavaScript
23.03.2026
MAL_SnappyClient_Implant_Mar26
Detects SnappyClient implant that gives attackers full control over a victim machine, acts like a modular spying and control tool used in cybercrime campaigns
19.03.2026
MAL_Kernel_RegPhantom_Mar26
Detects RegPhantom, a kernel-mode rootkit that allow attacker to inject arbitrary code from unprivileged user-mode into kernel-mode and execute it.
19.03.2026
HKTL_EDD_Mar26
Detects Enumerate Domain Data, a hacktool designed to be similar to PowerView but in .NET
16.03.2026
APT_MAL_AppleChris_Mar26
Detects AppleChris backdoor used by CL-STA-1087
16.03.2026
SUSP_Emmenhtal_Indicator_Mar26
Detects BACKDOOR LOADER distributing commodity infostealers worldwider
16.03.2026
MAL_RAT_Mar26
Detects a RAT that establishes a persistent, supports file operations, process control, and remote shell execution, and uses RC4-encrypted C2 communication with XOR-obfuscated configuration
16.03.2026
HKTL_WebClientRelayUp_Mar26
Detects WebClientRelayUp - an universal no-fix local privilege escalation in domain-joined Windows workstations in default configuration.
16.03.2026
SUSP_OBFUSC_PS1_Reverse_Shell_Indicators_Mar26
Detects expressions used in PowerShell payloads generated by a reverse shell generator
16.03.2026
MAL_LNX_ELF_Lib_Mar26
Detects unknown malicious ELF library (process injection indicators)
16.03.2026

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
MAL_CobaltStrike_Apr18_1_CSharp_Powershell_Combo
6
c0fcb59a74e6c4f76dc5bece9bd44b930cdd09c895ec8a95de9ac23cecf1120a
SUSP_Encoded_GetCurrentThreadId
8
efcdd14d3f6a46ae907b010fced85acc2893de9e685312d606c535ceb3bd27d7
SUSP_Encoded_GetCurrentThreadId_FileOnly
8
efcdd14d3f6a46ae907b010fced85acc2893de9e685312d606c535ceb3bd27d7
SUSP_Encoded_GetCurrentThreadId_Ext1_Aug20
8
efcdd14d3f6a46ae907b010fced85acc2893de9e685312d606c535ceb3bd27d7
SUSP_Encoded_DisableRealtimeMonitoring_Mar20
1
02659229b65048f5dca7c1424b388366cd215306d8368618a721ab3541dae848
MAL_CobaltStrike_Apr18_1_CSharp_Powershell_Combo
7
0389fdb5ebaf17cb069516ee3560f79fd96af55ffb173bbdb76b1b702c5645b4
SUSP_Encoded_GetCurrentThreadId
1
173615f3d0f75fc118cfc88b837a73b4e89135b63acfffef9650ce32c9197d56
SUSP_Encoded_GetCurrentThreadId_Ext1_Aug20
1
173615f3d0f75fc118cfc88b837a73b4e89135b63acfffef9650ce32c9197d56
SUSP_Encoded_WriteProcessMemory_FileOnly
1
173615f3d0f75fc118cfc88b837a73b4e89135b63acfffef9650ce32c9197d56
SUSP_Encoded_WriteProcessMemory_Ext1
1
173615f3d0f75fc118cfc88b837a73b4e89135b63acfffef9650ce32c9197d56
SUSP_Encoded_Kernel32_Functions
1
173615f3d0f75fc118cfc88b837a73b4e89135b63acfffef9650ce32c9197d56
SUSP_Encoded_WriteProcessMemory
1
173615f3d0f75fc118cfc88b837a73b4e89135b63acfffef9650ce32c9197d56
SUSP_Encoded_GetCurrentThreadId_FileOnly
1
173615f3d0f75fc118cfc88b837a73b4e89135b63acfffef9650ce32c9197d56
Generic_Strings_Hacktools
10
30ae8c7ee6464b1891446a6b419f4e87e7da035262ea27fb202b4dc831cc2e34
SUSP_JS_Remote_Download_Mar23_2
1
6a7d0af4dc18f703ef5a3bcbf242568f3b9284de3ff929bff0c4aa508a04d8c3
MAL_CobaltStrike_Apr18_1_CSharp_Powershell_Combo
7
60aafc8d247138b688cb68577f318a22bf44213567bfbada7365569b95c35100
SUSP_HKTL_Gen_Pattern_Feb25
7
0202837b0e928c1c6d1ace1068cb88d05c0bb1178f5def5367bc9e91a7bac386
SUSP_HKTL_Gen_Pattern_Feb25_2
7
0202837b0e928c1c6d1ace1068cb88d05c0bb1178f5def5367bc9e91a7bac386
SUSP_Common_Malware_Indicators_Nov25
9
8443d4f0269acf940eb335508414a1768033cdf871dea7c8d27e21b8db03999a
SUSP_Go_Process_Injection_Indicators_Jan23
9
8443d4f0269acf940eb335508414a1768033cdf871dea7c8d27e21b8db03999a

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
7535
Threat Hunting (not subscribable, only in THOR scanner)
5840
APT
5055
Hacktools
4839
Webshells
2400
Exploits
722

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Suspicious Download and Execution Pattern via VSCode/Cursor Tasks - Linux
Detects suspicious patterns where Visual Studio Code or Cursor spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes. This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`. Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode or Cursor, enabling initial access or further compromise.
02.04.2026
DNS Exfiltration via DNSExfiltrator - Network
Detects DNS exfiltration activity using the DNSExfiltrator tool, which encodes data in DNS queries using certain encoding.
02.04.2026
Unusually Long DNS Query - Network
Detects unusually long DNS queries that may indicate DNS tunneling, data exfiltration attempts, or C2 communication. Usage of DNS for C&C communication or data exfiltration often involves crafting long DNS queries to encode information.
02.04.2026
Suspicious Download and Execution Pattern via VSCode Tasks
Detects suspicious patterns where Visual Studio Code (VSCode) spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes. This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`. Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode, enabling initial access or further compromise.
02.04.2026
DNS Exfiltration via DNSExfiltrator
Detects DNS exfiltration activity using the DNSExfiltrator tool, which encodes data in DNS queries using certain encoding.
02.04.2026
Unusually Long DNS Query
Detects unusually long DNS queries that may indicate DNS tunneling, data exfiltration attempts, or C2 communication. Usage of DNS for C&C communication or data exfiltration often involves crafting long DNS queries to encode information.
02.04.2026
Suspicious Download and Piping to Interpreters Pattern
Detects the usage of download utilities like curl or wget followed by piping the downloaded content directly into an interpreter such as Node.js, Python, Bash, PowerShell, Perl, or Ruby. This pattern is often used by attackers to download and execute malicious scripts or payloads directly in memory, bypassing traditional file-based detection mechanisms. Review thee process lineage for context to determine if the activity is legitimate or malicious.
02.04.2026
File Operation via .NET Class
Detects the use of dotnet method in command lines which could be used for unauthorized file operations such as copying files. It could indicate suspicious activity because there are many normal ways to copy files in Windows, thus adversary may use this rarely used method to avoid detection.
02.04.2026
Suspicious File Rename
Detects suspicious renaming of benign file types such as documents or images to executable file types. Threat actors often drops files with innocent extensions and later rename them to executable formats during execution to evade detection.
02.04.2026
VSCode Tasks.json File Creation
Detects the creation of `.vscode/tasks.json` files which can be abused to auto-run malicious scripts when a VSCode workspace is opened and trusted by the user. This technique was observed in the "Contagious Interview" campaign where threat actors exploited VS Code's workspace trust model to execute malicious tasks upon opening a new project. Attackers may create or modify `tasks.json` to define tasks that run malicious commands or scripts automatically when the workspace is opened and trusted by the user. Legitimate use cases include developers configuring build or deployment tasks, but unexpected creation of such files in unfamiliar projects may indicate malicious activity.
02.04.2026
PUA - HoboCopy Execution
Detects the execution of HoboCopy, a command-line tool that can be used to copy locked files using Volume Shadow Copy Service (VSS). This tool can be abused by attackers to copy sensitive files like SAM, SYSTEM, or NTDS.dit. Event though it can be used for legitimate backup purposes, its presence in modern Windows environments is very rare and potentially associated with malicious activity.
27.03.2026
Critical Log File Deletion on Linux System
Detects deletion of critical log files on Linux systems that may indicate log tampering or evidence destruction. This technique can be used by attackers to cover their tracks after gaining unauthorized access to a system.
26.03.2026
Critical Log Manipulation via Sed Utility
Detects critical log manipulation attempts using the sed utility with in-place editing on sensitive log files. This technique can be used by attackers to cover their tracks after gaining unauthorized access to a system.
26.03.2026
Potential Abuse of Winpty-Agent.Exe for Reconnaissance
Detects potential abuse of winpty-agent.exe, a pseudo-terminal utility commonly used by developer tools and remote monitoring software, for executing reconnaissance commands.
23.03.2026
Renamed SimpleHelp Client Binary Execution - Remote Access Software
Detects the execution of a renamed SimpleHelp client binary. These binary are executed by threat actors to connect to certain SimpleHelp servers for remote access and control. Even though it is legitimate RMM software, the use of renamed binaries is a common tactic employed by attackers to evade detection and persist on compromised systems.
23.03.2026
Renamed Network Lookout Execution - Remote Access Software
Detects execution of "Network Lookout Net Monitor for Employees Pro" that has been renamed. It is commercial employee monitoring software, that however, attackers have been observed to abuse for unauthorized surveillance and remote access.
23.03.2026
Disable Input Devices via Disable-PnpDevice - ScriptBlock
Detects usage of Disable-PnpDevice PowerShell cmdlet to disable input devices such as keyboards and mouse. Adversaries may disable input devices to prevent user interaction with the system, facilitating further malicious activities without interruption. This technique can be part of a broader strategy to maintain persistence or evade detection by hindering user access.
22.03.2026
Disable Input Devices via Disable-PnpDevice
Detects usage of Disable-PnpDevice PowerShell cmdlet to disable crucial input devices such as keyboards and mouse. Adversaries may disable input devices to prevent user interaction with the system, facilitating further malicious activities without interruption. This technique can be part of a broader strategy to maintain persistence or evade detection by hindering user access.
22.03.2026
Disabling of an Input Device
Detects the disabling of critical input devices such as keyboard and mouse, which may indicate malicious activity aimed at preventing user interaction with the system. Threat actors may disable input devices during attacks to maintain persistence and prevent users from interrupting malicious operations or accessing security tools. This technique is often observed in ransomware attacks and data exfiltration scenarios where attackers seek to minimize user interference. To verify if the disabling was legitimate or part of an attack, further investigation into the context and source of the action is recommended
22.03.2026
Suspicious HTTP URL Invocation Patterns via Download Utilities - Linux
Detects suspicious command line patterns involving download utilities like curl or wget invoking invalidly formatted HTTP protocols (e.g., 'http:/example.com' instead of 'http://example.com'). This may indicate an attempt to obfuscate the URL or bypass certain detection mechanisms while still reaching out to external servers for command and control or data exfiltration.
18.03.2026
Suspicious HTTP URL Invocation Patterns via Download Utilities
Detects suspicious command line patterns involving download utilities like curl or wget invoking invalidly formatted HTTP protocols (e.g., 'http:/example.com' instead of 'http://example.com'). This may indicate an attempt to obfuscate the URL or bypass certain detection mechanisms while still reaching out to external servers for command and control or data exfiltration.
18.03.2026
OneDrive Execution From Suspicious Location
Detects OneDrive.exe being executed from a non-standard location, which may indicate a masqueraded malicious binary. Adversaries often rename their malicious executables to 'OneDrive.exe' to blend in with legitimate system activity and evade detection.
16.03.2026
Suspicious Process Masquerading as OneDrive
Detects suspicious process that is masquerading as OneDrive executable. This technique can be used by attackers to evade detection by running malicious processes under the guise of a legitimate application.
16.03.2026
Suspicious DNS Lookup and Execution Pattern
Detects suspicious command line patterns involving 'nslookup' piped to 'findstr' with a subsequent 'for' loop, which may indicate an attempt to query DNS for second-stage payloads and execute them. This technique can be used by adversaries to leverage DNS as a covert command and control channel, allowing them to retrieve and execute malicious payloads without directly connecting to an external server.
16.03.2026
Obfuscated Node.js Execution via CommandLine - Linux
Detects the execution of Node.js with the '--eval' flag, where the provided script contains common obfuscation patterns.
10.03.2026
Obfuscated Node.js Execution via CommandLine
Detects the execution of Node.js with the '--eval' flag, where the provided script contains common obfuscation patterns.
10.03.2026
ICACLS Deny Permission Abuse
Detects execution of icacls.exe with deny arguments targeting broad principals such as Everyone or Administrators, which may indicate malicious permission tampering.
20.02.2026
Netsh Advfirewall Isolate Network
Detects execution of netsh.exe commands that modify Windows Advanced Firewall settings to block both inbound and outbound traffic, effectively isolating the system from network communication. This technique may be used by attackers to evade detection, prevent remediation, or disrupt incident response activities.
20.02.2026
Suspicious Child Processes Spawned by LogMeIn
Detects suspicious child processes spawned by LogMeIn process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Chrome Remote Desktop
Detects suspicious child processes spawned by Chrome Remote Desktop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system. Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
2721
21088
Sigma
3540
943

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1331
windows / registry_set
219
windows / file_event
206
windows / ps_script
165
windows / security
160
linux / process_creation
131
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
68
aws / cloudtrail
55
proxy
54
windows / network_connection
53
linux / auditd
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
rpc_firewall / application
17
windows / windefend
16
github / audit
16
linux
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
windows / file_delete
13
linux / file_event
13
cisco / aaa
12
windows / create_remote_thread
12
windows / codeintegrity-operational
10
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / ps_classic_start
9
dns
9
windows / create_stream_hash
9
windows / appxdeployment-server
9
windows / firewall-as
8
windows / msexchange-management
8
zeek / smb_files
7
gcp / google_workspace.admin
7
antivirus
7
fortigate / event
7
windows / file_access
7
windows / bits-client
7
azure / pim
7
windows / dns-client
6
linux / network_connection
5
zeek / http
5
jvm / application
5
kubernetes / audit
5
zeek / dns
5
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
m365 / audit
3
macos / file_event
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
windows / registry_add
3
linux / syslog
2
windows / dns-server
2
apache
2
spring / application
2
onelogin / onelogin.events
2
firewall
2
windows / security-mitigations
2
windows / microsoft-servicebus-client
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / file_executable_detected
1
python / application
1
zeek / rdp
1
windows / file_rename
1
m365 / exchange
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_status
1
ruby_on_rails / application
1
m365 / threat_detection
1
windows / driver-framework
1
windows
1
windows / sysmon_error
1
sql / application
1
cisco / bgp
1
nginx
1
linux / sudo
1
velocity / application
1
cisco / duo
1
cisco / ldp
1
windows / ldap
1
windows / dns-server-analytic
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
windows / appmodel-runtime
1
windows / printservice-operational
1
database
1
linux / clamav
1
linux / auth
1
linux / guacamole
1
huawei / bgp
1
windows / applocker
1
django / application
1
fortios / sslvpnd
1
juniper / bgp
1
windows / appxpackaging-om
1
windows / openssh
1
windows / process_tampering
1
cisco / syslog
1
linux / cron
1
windows / smbserver-connectivity
1
windows / smbclient-connectivity
1
linux / vsftpd
1
zeek / x509
1
windows / capi2
1
windows / shell-core
1
windows / file_change
1
windows / raw_access_thread
1
paloalto / file_event / globalprotect
1
windows / certificateservicesclient-lifecycle-system
1
nodejs / application
1
paloalto / appliance / globalprotect
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
455
windows / ps_script
84
windows / registry_set
83
windows / file_event
47
windows / image_load
46
linux / process_creation
45
windows / wmi
29
windows / security
26
proxy
12
windows / system
11
windows / registry_event
8
windows / network_connection
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / registry_delete
4
windows / create_remote_thread
4
windows / dns_query
4
windows / pipe_created
4
windows / sense
4
windows / taskscheduler
4
windows / application-experience
3
windows / driver_load
3
windows / hyper-v-worker
3
dns
3
windows / ps_classic_script
3
webserver
3
windows / vhd
3
windows / process-creation
2
windows / windefend
2
windows / codeintegrity-operational
2
windows / bits-client
2
windows / file_access
2
windows / file_delete
2
linux / file_event
2
windows / kernel-shimengine
2
macos / process_creation
2
windows / process_access
2
windows / amsi
1
windows / application
1
windows / audit-cve
1
windows / registry_add
1
windows / registry-setinformation
1
windows / firewall-as
1
windows / file_rename
1
linux / file_delete
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022