YARA Forge Rule Sets Now Available in THOR Cloud and THOR Cloud Lite

by Apr 30, 2025

We are pleased to announce a significant enhancement for users of THOR Cloud and THOR Cloud Lite:

YARA Forge rule sets are now available for integration.

YARA Forge is a curated, quality-assured feed of YARA rules developed as a private project. It automates the aggregation, normalization, and optimization of YARA rules from various public repositories contributed by individuals and organizations. Each rule undergoes extensive quality checks to ensure accuracy, performance, and compatibility. The result is a streamlined set of YARA rules ready for operational use across a variety of platforms.

What is YARA Forge?

YARA Forge specializes in delivering standardized, vetted YARA rule sets in three editions:

  • Core Set:

    A performance-optimized package containing only high-accuracy rules with minimal false positives. Recommended for environments where stability and detection reliability are paramount.

  • Extended Set:

    Includes the Core Set plus additional high-quality threat hunting rules. It offers broader detection capabilities at a controlled cost in scan impact and false positives.

  • Full Set:

    Contains all operational rules gathered from public sources, maximizing detection coverage while accepting a higher rate of false positives and increased resource usage.

YARA Forge employs structured collection processes, normalization according to an internal style guide, automated tagging for CVEs and MITRE ATT&CK techniques, duplicate removal based on rule logic, and a multi-stage quality assessment leveraging YARA and yaraQA.

How Does This Benefit THOR Cloud Lite Users?

The integration of YARA Forge represents a major enhancement for THOR Cloud Lite users, who can now extend their detection coverage significantly beyond the original open-source rule set previously included by default.

Key improvements:

  • Broader and deeper coverage across a wider range of threat types.
  • Access to regularly updated, high-quality YARA rules without manual maintenance.
  • Simple activation through the global settings of THOR Cloud and THOR Cloud Lite.

Scope and Quality of the Integrated Ruleset

With the integration of YARA Forge into THOR Cloud and THOR Cloud Lite, users now benefit from a significantly expanded ruleset that draws from a wide range of high-quality public repositories. While the previously included SignatureBase ruleset already contained approximately 4,300 YARA rules, the full YARA Forge rule package introduces a total of 11,310 unique rules, more than doubling the detection surface.

This increase is not merely quantitative—it introduces substantial qualitative improvements as well. YARA Forge aggregates detection logic from over 40 curated repositories. Notable examples include:

  • LOLDrivers: 565 rules focused on malicious and vulnerable drivers.
  • Malpedia: 1,469 rules covering well-attributed malware families.
  • ReversingLabs: 1,228 rules based on large-scale binary classification.
  • SEKOIA: 746 threat actor and technique-specific rules.
  • DitekSHen and Cluster25: Comprehensive hunting-oriented rulebases.
  • …and many others (full source table shown below).

Importantly, users will not experience duplicate matches when enabling the YARA Forge packages. To ensure this, YARA Forge assigns a unique rule ID (UUID) to every rule and deduplicates the ruleset during initialization. Even if a rule appears in multiple source repositories or overlaps with the existing SignatureBase set, it will be initialized only once.
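To make the two mechanisms described above concrete, the deduplication by rule logic (rather than by rule name) and the per-rule unique ID, here is a small added example in Python. It is not YARA Forge's or THOR's code; it is a stand-alone illustration. It assumes a canonical form for a rule's logic (the sorted, whitespace-collapsed string definitions plus the whitespace-collapsed condition, with comments stripped), derives a deterministic UUIDv5 from the hash of that form, and uses constructed sample rules whose closing brace sits alone on a line so that a simple regex can split them. Rule names, metadata and string values are all constructed and carry no meaning beyond the example.

```python
"""Deduplicate YARA rules by detection logic and assign each survivor a stable UUID.

Added example, not YARA Forge's own implementation. Assumptions (constructed):
- a rule ends with a '}' on its own line, so a regex can split the input;
- rule logic == sorted string definitions + condition, whitespace-collapsed;
- the rule ID is a UUIDv5 derived from the SHA-256 of that canonical form.
"""
import hashlib
import re
import uuid
from dataclasses import dataclass

# Constructed sample: a rule already present in the existing ruleset.
SIGNATURE_BASE = '''
rule SUSP_Packer_Stub_Example {
    meta:
        description = "constructed example"
    strings:
        $mz = { 4D 5A }
        $s1 = "UPX!" ascii
    condition:
        $mz at 0 and $s1
}
'''

# Constructed sample feed: one renamed copy of the rule above with its strings
# reordered, one new rule, and a verbatim duplicate of that new rule.
FORGE_FEED = '''
rule Packer_Stub_Example_Copy // same logic, different name and metadata
{
    meta:
        author = "someone else"
    strings:
        $s1 = "UPX!" ascii
        $mz = { 4D 5A }
    condition:
        $mz at 0 and $s1
}

rule MAL_Loader_Example {
    strings:
        $x = "evil_loader_marker" wide
    condition:
        uint16(0) == 0x5a4d and $x
}

rule MAL_Loader_Example {
    /* verbatim duplicate, as it might arrive from a mirrored repository */
    strings:
        $x = "evil_loader_marker" wide
    condition:
        uint16(0) == 0x5a4d and $x
}
'''

# Matches "rule NAME ... { body }" where the closing brace starts a line.
RULE_RE = re.compile(r'^(?:private\s+|global\s+)*rule\s+(\w+)[^{]*\{(.*?)^\}',
                     re.MULTILINE | re.DOTALL)
SECTION_RE = re.compile(r'^\s*(meta|strings|condition):', re.MULTILINE)


@dataclass
class Rule:
    name: str
    source: str
    logic_hash: str   # SHA-256 of the canonical logic
    rule_id: str      # deterministic UUIDv5 derived from logic_hash
    text: str


def _strip_comments(body: str) -> str:
    # Naive: would also strip "//" inside string literals; fine for the sample.
    body = re.sub(r'/\*.*?\*/', '', body, flags=re.DOTALL)
    return re.sub(r'//[^\n]*', '', body)


def _split_sections(body: str) -> dict:
    parts, matches = {}, list(SECTION_RE.finditer(body))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        parts[m.group(1)] = body[m.end():end]
    return parts


def logic_hash(body: str) -> str:
    """Canonicalize strings+condition (meta is ignored) and hash the result."""
    parts = _split_sections(_strip_comments(body))
    strings = sorted(' '.join(line.split())
                     for line in parts.get('strings', '').splitlines() if line.strip())
    condition = ' '.join(parts.get('condition', '').split())
    canonical = '\n'.join(strings) + '\n' + condition
    return hashlib.sha256(canonical.encode()).hexdigest()


def parse_rules(text: str, source: str) -> list:
    rules = []
    for m in RULE_RE.finditer(text):
        h = logic_hash(m.group(2))
        rule_id = str(uuid.uuid5(uuid.NAMESPACE_URL, 'yara-logic:' + h))
        rules.append(Rule(m.group(1), source, h, rule_id, m.group(0)))
    return rules


def deduplicate(*rule_lists: list):
    """Keep the first rule seen per logic hash; report what was dropped and why."""
    kept, dropped = {}, []
    for rules in rule_lists:
        for r in rules:
            if r.logic_hash in kept:
                dropped.append((r.name, r.source, kept[r.logic_hash].name))
            else:
                kept[r.logic_hash] = r
    return list(kept.values()), dropped


if __name__ == '__main__':
    base = parse_rules(SIGNATURE_BASE, 'signature-base')
    feed = parse_rules(FORGE_FEED, 'yara-forge')
    kept, dropped = deduplicate(base, feed)
    for r in kept:
        print(f'init {r.rule_id} {r.name} ({r.source})')
    for name, source, winner in dropped:
        print(f'skip {name} from {source}: same logic as {winner}')
```

Running the block initializes two rules and skips two: the renamed copy collapses onto the existing SignatureBase rule because its canonical logic is identical, and the verbatim duplicate collapses onto the first copy of itself. Because the UUID is derived from the logic hash rather than from the rule name, the same rule receives the same ID regardless of which repository it was collected from.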

While SignatureBase already included many generic detection rules, the YARA Forge Full Set adds hundreds of high-confidence, narrowly scoped rules that improve detection of:

  • APT toolkits and implants
  • Commercial offensive frameworks
  • Commodity loaders and packers
  • Malicious drivers and kernel-level threats
  • Campaign-specific indicators contributed by research teams

This rule set enhancement represents a substantial improvement in coverage and fidelity for all users of THOR Cloud and THOR Cloud Lite. The ability to select from Core, Extended, or Full sets allows teams to choose the right balance between performance and detection depth.

We recommend users review the repository breakdown and consider enabling the Extended or Full rulesets for maximum benefit.

Activation

Activation is manual for now:

Navigate to Scan Settings → Global Settings → YARA Forge in the THOR Cloud or THOR Cloud Lite interface and select the desired package (Core, Extended, or Full).

We currently encourage every user to enable this option and are evaluating whether to make YARA Forge the new default source in the future.

Important Licensing Considerations

While integrating YARA Forge, we had to address some important licensing constraints.

Specifically, we removed the Elastic rules from the YARA Forge feed prior to the integration. Although publicly available, Elastic’s YARA rules are distributed under the Elastic License 2.0, which explicitly prohibits serving the rules as part of an online service offering.

To remain fully compliant with licensing terms and avoid legal risks, we excluded these rules from the integrated YARA Forge packages.

However, individuals who wish to use these rules may operate YARA Forge locally, include Elastic’s repositories during the rule collection phase, and upload the resulting full rule set manually to THOR Cloud or THOR Cloud Lite for private use.

We recognize that this is an unfortunate limitation. A significant number of high-quality, community-contributed detection rules originate from Elastic. We would have preferred to offer the entire dataset to our community directly, but compliance and legal clarity take priority.

Summary

By integrating YARA Forge into THOR Cloud and THOR Cloud Lite, we aim to provide a major uplift in detection capabilities for all users—especially those operating under the resource-limited Lite license.

The integration process has been designed to be seamless and user-driven, offering immediate value while maintaining full transparency regarding licensing and rule sourcing.

We encourage all users to explore the available YARA Forge packages today and leverage this opportunity to further enhance their detection strategies.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
