currently serving 20158 YARA rules and 3445 Sigma rules

API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule

Description

Date

Ref

HKTL_Whitechocolatemacademianut_Dec23

Detects cookie stealer WhiteChocolateMacademiaNut

04.12.2023

MAL_RAT_Nov23_1

Detects a RAT that allows remote control, autorun registration, execution of scripts, downloading additional files, executing these downloaded files through Regsvcs.exe, and performing reverse connections.

30.11.2023

MAL_Raccoon_Agent_Backdoor_Nov23

Detects Agent Raccoon backdoor

30.11.2023

MAL_Mimilite_Nov23

Detects Mimilite - a customized version of Mimikatz

30.11.2023

MAL_Ntospy_Nov23

Detects Ntospy DLL Module, a Network Provider DLL module designed to steal user credentials

30.11.2023

MAL_RANSOM_Turtle_Nov23

Detects Turtle ransomware

30.11.2023

APT_MAL_Kimsuky_Backdoor_Nov23

Detects Kimsuky APT backdoor

30.11.2023

MAL_ParaSiteSnatcher_Downloader_Nov23

Detects ParaSiteSnatcher downloader, a framework that allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources

28.11.2023

MAL_Downloader_Nov23_1

Detects a MacOS downloader - seen being used by North Korean threat actors

27.11.2023

MAL_Downloader_Nov23_2

Detects a MacOS downloader - seen being used by North Korean threat actors

27.11.2023

MAL_AppleScript_Downloader_Nov23

Detects a suspicious AppleScript downloader

27.11.2023

APT_MAL_IronWind_Downloader_Nov23_1

Detects IronWind downloader - seen being used by TA402

27.11.2023

APT_MAL_IronWind_Downloader_Nov23_2

Detects IronWind downloader - seen being used by TA402

27.11.2023

MAL_Downloader_DLL_Nov23_2

Detects a DLL that downloads a malicious Google Chrome extension with similarities to Genesis Market's infostealer

27.11.2023

MAL_Guntior_Rootkit_Dropper_Nov23

Detects Guntior rootkit dropper

25.11.2023

MAL_Payload_DLL_Nov23

Detects a DLL that hijacks one of Windows standard services by rewriting its executable with the malware DLL

25.11.2023

MAL_Guntior_Rootkit_Nov23

Detects Guntior rootkit

25.11.2023

MAL_Backdoor_DLL_Nov23_2

Detects a backdoor DLL that collects system info, executes C2 commands and downloads/uploads files - seen being used in Konni RAT campaign

24.11.2023

MAL_UAC_Bypass_Module_Nov23

Detects a DLL that bypasses UAC - seen being used in Konni RAT campaign

24.11.2023

MAL_Socks5Systemz_Proxy_Bot_Loader_Nov23

Detects Socks5Systemz proxy bot loader

24.11.2023

MAL_Socks5Systemz_Proxy_Bot_Nov23

Detects Socks5Systemz proxy bot

24.11.2023

MAL_Backdoor_DLL_Nov23_1

Detects a backdoor DLL, that was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966

23.11.2023

MAL_Trojan_DLL_Nov23

Detects a trojan DLL that installs other components - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966

23.11.2023

MAL_DLL_Stealer_Nov23

Detects a DLL that steals authentication credentials - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966

23.11.2023

MAL_Python_Backdoor_Script_Nov23

Detects a trojan (written in Python) that communicates with c2 - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966

23.11.2023

APT_MAL_DLL_Nov23

Detects a DLL file, which is a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution

23.11.2023

MAL_Backdoor_Diamond_Sleet_Nov23

Detects a backdoor that was seen being used by Diamond Sleet

22.11.2023

MAL_LambLoad_Nov23

Detects LambLoad a weaponized downloader and loader containing malicious code added to a legitimate CyberLink application

22.11.2023

APT_RANSOM_Lockbit_ForensicArtifacts_Nov23

Detects patterns found in Lockbit TA attacks exploiting Citrixbleed vulnerability CVE 2023-4966

22.11.2023

SUSP_Plink_CommandLine_Flag_Combo_Nov23_1

Detects plink port forwarding pattern found in malicious scripts and forensic artifacts

22.11.2023

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule

Average AV Detection Rate

Sample Count

Info

MAL_GuLoader_Shellcode_Oct22_3

0.0

SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1

0.04

180

SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1

0.21

SUSP_BAT_OBFUSC_Apr23_2

0.59

SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File

0.64

SUSP_PUA_RustDesk_Apr23_1

0.68

SUSP_BAT_PS1_Combo_Jan23_2

0.71

SUSP_JS_OBFUSC_Feb23_2

1.04

1736

SUSP_WEvtUtil_ClearLogs_Sep22_1

1.12

SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23

1.19

SUSP_OBFUSC_PY_Loader_Jun23_1

1.48

SUSP_Webshell_OBFUSC_Indicators_Aug22_1

2.07

SUSP_URL_Split_Jun23

2.5

SUSP_OBFUSC_JS_Atob_Anomalies_Feb23

2.69

PUA_RuskDesk_Remote_Desktop_Jun23_1

2.78

SUSP_JS_Redirector_Mar23

2.81

108

SUSP_JS_Executing_Powershell_Apr23

3.14

274

SUSP_PY_Reverse_Shell_Indicators_Jan23_1

3.25

SUSP_OBFUSC_JS_Execute_Base64_Mar23

3.26

SUSP_Encoded_Registry_Key_Paths_Sep22_1

3.39

SUSP_PE_OK_RU_URL_Jun23

3.59

HKTL_Clash_Tunneling_Tool_Aug22_2

3.75

SUSP_PY_OBFUSC_Hyperion_Aug22_1

4.0

SUSP_BAT_OBFUSC_Apr23_1

4.0

SUSP_RANSOM_Note_Aug22

4.01

171

SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2

4.52

SUSP_BAT_PS1_Contents_Jan23_1

5.11

SUSP_OBFUSC_PS1_FormatStrings_Dec22_1

5.33

SUSP_BAT_OBFUSC_Apr23_4

5.35

SUSP_OBFUSC_BAT_Dec22_1

5.84

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule

AVs

Hash

SUSP_Four_Byte_XOR_PE_And_MZ

3ae234ec1adbc5e133e9aa67c28b92abccb1d7b009594c34d46dd94070361ee3

SUSP_OBFUSC_JS_Execute_Base64_Mar23

5cb2fea799a84db8d70b3dcc36dfaab4fc921152f93da3af314ef210e59780b7

SUSP_RANSOM_Note_Aug22

8ec4cdb106a2bd44e745af32beb2c158071d3e000cadf28e862d8cfba6fdf7b8

SUSP_B64_Atob_Aug23

c79b97e4ba6bb2f204190e11759706dfb5fa492908f9c11adbf7688f66755020

SUSP_Base64_Encoded_Hex_Encoded_Code

c79b97e4ba6bb2f204190e11759706dfb5fa492908f9c11adbf7688f66755020

SUSP_Reversed_Base64_Encoded_EXE

fd3f7b0f6817f02f18ee637deb8ea79590c1f3c5152c8e202b66881c5cac1d51

SUSP_OBFUSC_Reversed_Encoded_Executable_Mar22

fd3f7b0f6817f02f18ee637deb8ea79590c1f3c5152c8e202b66881c5cac1d51

SUSP_B64_Atob_Aug23

a71fd494ef054b690054c13e4cddf653c3e587d5d555ee5d5a9a54ba2437cf4d

SUSP_Base64_Encoded_Hex_Encoded_Code

a71fd494ef054b690054c13e4cddf653c3e587d5d555ee5d5a9a54ba2437cf4d

SUSP_GO_Screenshot_Capable_Oct22

ceba49f65fa244833b10f0da3a4ec106fc91a632a1a0bf45afe01919525ac6d0

SUSP_PE_Discord_Attachment_Oct21_1

d0daeb50f1313435def687a13b36586586ff53a77948b1bbc45bae78db1f1ebc

SUSP_Dir_Ref_in_File_ProgramData

d0daeb50f1313435def687a13b36586586ff53a77948b1bbc45bae78db1f1ebc

SUSP_Base64_Encoded_Hex_Encoded_Code

46eb4d1be07950cfcab90166650f5e263e707fec5e252f0c5c2c596768600ec4

SUSP_B64_Atob_Aug23

46eb4d1be07950cfcab90166650f5e263e707fec5e252f0c5c2c596768600ec4

SUSP_Base64_Encoded_ISO_Image_Marker_Jan22

22bb9d0f69440fd8e7ed3c84669eefc0557560d7c28467a42c98ae36decc27ae

SUSP_HTML_Embedded_ISO_Includes_EXE_Apr21_1

22bb9d0f69440fd8e7ed3c84669eefc0557560d7c28467a42c98ae36decc27ae

SUSP_Encoded_GetProcAddress

22bb9d0f69440fd8e7ed3c84669eefc0557560d7c28467a42c98ae36decc27ae

SUSP_VBS_WScript_Combo_May22_2

0285c9d1d485fd10156dba1aa0a21b2fa85f53908692b4952f8eb065e3d120f6

SUSP_JS_Regwrite_RUN_Key

0285c9d1d485fd10156dba1aa0a21b2fa85f53908692b4952f8eb065e3d120f6

SUSP_Base64_Encoded_Hex_Encoded_Code

20c7c542307b9e27359237e8b9a69d1ed14d44afa327f55c84c88b92e315effc

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag

Count

Malware

5781

Threat Hunting (not subscribable, only in THOR scanner)

4809

APT

4781

Hacktools

4371

Webshells

2299

Exploits

604

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule

Description

Date

Ref

Info

Potential CVE-2023-46214 Exploitation Attempt

Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing

27.11.2023

Exploitation Attempt Of CVE-2023-46214 Using Public POC Code

Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code

27.11.2023

Network Connection Initiated To DevTunnels Domain

Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

20.11.2023

Network Connection Initiated To Visual Studio Code Tunnels Domain

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

20.11.2023

CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

14.11.2023

CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)

14.11.2023

CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)

14.11.2023

CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)

14.11.2023

Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

13.11.2023

Non-Executable Extension File Renamed With Executable Extension

Detects rename operations of files with a non-executable extension such as (.txt, .pdf, etc.) to files with an executable extension such as (.exe, .dll, etc.). This is often performed by malware in order to avoid initial detections based on extensions.

11.11.2023

Arbitrary File Download Via IMEWDBLD.EXE

Detects usage of "IMEWDBLD.exe" to download arbitrary files

09.11.2023

Lace Tempest File Indicators

Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7

09.11.2023

Lace Tempest PowerShell Evidence Eraser

Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team

09.11.2023

Lace Tempest PowerShell Launcher

Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team

09.11.2023

Lace Tempest Cobalt Strike Download

Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team

09.11.2023

Lace Tempest Malware Loader Execution

Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team

09.11.2023

Potential File Download Via MS-AppInstaller Protocol Handler

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"

09.11.2023

Arbitrary File Download Via MSEDGE_PROXY.EXE

Detects usage of "msedge_proxy.exe" to download arbitrary files

09.11.2023

Remote XSL Execution Via Msxsl.EXE

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

09.11.2023

CVE-2023-46747 Exploitation Activity - Webserver

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

08.11.2023

CVE-2023-46747 Exploitation Activity - Proxy

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

08.11.2023

F5 BIG-IP iControl Rest API Command Execution - Proxy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

08.11.2023

F5 BIG-IP iControl Rest API Command Execution - Webserver

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

08.11.2023

Suspicious File Execution From Mounted ISO

Detects the execution of a file with a suspicious or double extension from a mounted ISO

07.11.2023

Uncommon Delegation Console Set

Detects uncommon delegation console values

03.11.2023

Uncommon Delegation Terminal Set

Detects uncommon delegation console values

03.11.2023

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

03.11.2023

Suspicious Unsigned Thor Scanner Execution

Detects loading and execution of an unsigned thor scanner binary.

29.10.2023

Backdoored Thor Scanner Execution

Detects the execution of a known malicious version of the thor scanner binary

29.10.2023

Backdoored Thor Scanner Load

Detects the loading and execution of a known malicious thor scanner version.

29.10.2023

YARA/SIGMA Rule Count

Rule Type

Community Feed

Nextron Private Feed

Yara

2946

17212

Sigma

3101

344

Sigma Rules Per Category (Community)

Type

Count

windows / process_creation

1178

windows / file_event

179

windows / registry_set

179

windows / ps_script

167

windows / security

149

linux / process_creation

105

windows / image_load

webserver

windows / system

proxy

macos / process_creation

linux / auditd

windows / network_connection

azure / activitylogs

windows / registry_event

aws / cloudtrail

azure / auditlogs

windows / ps_module

windows / application

windows / process_access

azure / signinlogs

okta / okta

azure / riskdetection

windows / pipe_created

windows / dns_query

linux

rpc_firewall / application

gcp / gcp.audit

m365 / threat_management

windows / create_remote_thread

cisco / aaa

windows / driver_load

windows / file_delete

windows / windefend

windows / ps_classic_start

windows / codeintegrity-operational

windows / create_stream_hash

windows / registry_add

linux / file_event

windows / firewall-as

windows / msexchange-management

dns

antivirus

windows / appxdeployment-server

azure / pim

zeek / smb_files

windows / bits-client

github / audit

windows / registry_delete

gcp / google_workspace.admin

windows / file_access

jvm / application

windows / dns-client

zeek / dce_rpc

zeek / dns

windows / sysmon

windows / ntlm

linux / sshd

windows / wmi_event

zeek / http

windows / taskscheduler

linux / network_connection

windows / powershell-classic

apache

onelogin / onelogin.events

macos / file_event

qualys

firewall

windows / security-mitigations

windows / file_change

m365 / audit

spring / application

linux / syslog

windows / dns-server

windows

windows / printservice-admin

sql / application

nginx

windows / driver-framework

windows / ps_classic_provider_start

windows / printservice-operational

windows / lsa-server

windows / wmi

cisco / syslog

cisco / ldp

windows / smbclient-connectivity

netflow

cisco / bgp

windows / ldap

linux / auth

windows / openssh

windows / process_tampering

linux / cron

huawei / bgp

windows / applocker

windows / raw_access_thread

linux / guacamole

juniper / bgp

windows / appmodel-runtime

linux / clamav

windows / appxpackaging-om

nodejs / application

windows / shell-core

python / application

windows / capi2

windows / microsoft-servicebus-client

django / application

windows / certificateservicesclient-lifecycle-system

windows / file_rename

linux / sudo

zeek / x509

windows / smbclient-security

m365 / exchange

windows / diagnosis-scripted

windows / sysmon_status

velocity / application

linux / vsftpd

zeek / rdp

windows / terminalservices-localsessionmanager

windows / sysmon_error

ruby_on_rails / application

m365 / threat_detection

zeek / kerberos

windows / dns-server-analytic

database

Sigma Rules Per Category (Nextron Private Feed)

Type

Count

windows / process_creation

154

windows / ps_script

windows / wmi

windows / registry_set

windows / file_event

proxy

windows / system

windows / image_load

windows / security

windows / network_connection

windows / create_remote_thread

linux / process_creation

webserver

windows / pipe_created

windows / ps_classic_script

windows / vhd

windows / ps_module

windows / registry_event

windows / driver_load

windows / taskscheduler

windows / bits-client

windows / dns_query

windows / file_access

windows / registry-setinformation

macos / process_creation

windows / file_delete

windows / file_rename

windows / amsi

windows / process_access

windows / audit-cve

windows / application

windows / registry_delete

Tenable Nessus

Requirement: Privileged Scan

YARA Scanning with Nessus works only when scanning with credentials (privileged scan)

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

You can only upload a single .yar file
Filesystem scan has to be activated
You have to define the target locations
The Nessus plugin ID will be 91990
Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html