diff --git a/pkg/action/scan.go b/pkg/action/scan.go
index b7c19b913..bbfb71183 100644
--- a/pkg/action/scan.go
+++ b/pkg/action/scan.go
@@ -86,6 +86,9 @@ func Scan(c Config) (*bincapz.Report, error) {
 klog.Errorf("scan path: %v", err)
 continue
 }
+ if fr == nil {
+ continue
+ }
 if c.Renderer != nil {
 if err := c.Renderer.File(*fr); err != nil {
 return r, fmt.Errorf("render: %w", err)
diff --git a/rules/admin/package-install.yara b/rules/admin/package-install.yara
index 327150fac..e3952b845 100644
--- a/rules/admin/package-install.yara
+++ b/rules/admin/package-install.yara
@@ -39,8 +39,10 @@ rule apt_get_installer : suspicious {
 description = "Installs software using apt-get"
 strings:
 $val = /apt-get install[ \w\-\_%]{0,32}/
+
+ $foo = "install foo"
 condition:
- $val
+ $val and not $foo
 }
 
 rule apk_installer : suspicious {
diff --git a/rules/admin/sudoers-edit.yara b/rules/admin/sudoers-edit.yara
index a533478b0..fa67a842d 100644
--- a/rules/admin/sudoers-edit.yara
+++ b/rules/admin/sudoers-edit.yara
@@ -1,12 +1,14 @@
 rule sudo_editor : suspicious {
 meta:
+ description = "references /etc/sudoers"
 hash_2020_FinSpy_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0"
 hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5"
 strings:
 $etc_sudoers = "/etc/sudoers"
 $nopasswd = "NOPASSWD:"
 $not_sample = "sudoers man page"
+ $not_vim = "VIMRUNTIME"
 condition:
- filesize < 5242880 and ($etc_sudoers or $nopasswd) and not $not_sample
+ filesize < 5242880 and ($etc_sudoers or $nopasswd) and none of ($not*)
 }
diff --git a/rules/combo/backdoor/net_exec.yara b/rules/combo/backdoor/net_exec.yara
index bc900a6d9..fb9e6eb81 100644
--- a/rules/combo/backdoor/net_exec.yara
+++ b/rules/combo/backdoor/net_exec.yara
@@ -88,7 +88,7 @@ rule exec_getprog_socket_waitpid_combo {
 }
 
 
-rule exec_chdir_and_socket : suspicious {
+rule exec_chdir_and_socket : notable {
 strings:
 $socket = "socket" fullword
 $chdir = "chdir" fullword
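Review bot: The new `if fr == nil { continue }` drops the path from the report without any trace, so a file the scan helper declines to report on (nil report, nil error) becomes indistinguishable from one that was never passed in. Unless nil-with-nil-error is the documented way of saying "nothing to report", a debug line beside it, e.g. `klog.V(1).Infof("no report for %q, skipping", ...)` with the path variable from the loop, would make the omission auditable. Scan's body starts and ends outside this hunk, so I cannot see which cases the helper returns nil for.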
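Review bot: `$val and not $foo` in apt_get_installer suppresses the whole rule for any file that contains the literal `install foo` anywhere, which makes a documentation-sample exclusion into a one-string evasion (`apt-get install foo; apt-get install nmap` no longer fires). The other rules in this commit use the `$not_` prefix with `none of ($not*)`, so `$not_foo` would at least mark it as an exclusion; a narrower condition that survives the sample string is `#val > #foo`, which fires only when there are more `apt-get install` hits than `install foo` occurrences.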
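Review bot: `$not_vim = "VIMRUNTIME"` under `none of ($not*)` exempts any binary or script that embeds that one token, including samples of the kind the meta hashes describe, which is a cheap evasion for a suspicious-tier rule that keys on `NOPASSWD:`. If the intent is only to skip the vim binary, suppress the weaker indicator alone and keep alerting on the strong one, e.g. `filesize < 5242880 and (($etc_sudoers and not $not_vim) or $nopasswd) and not $not_sample`, or pair the token with a second vim-only marker before exempting the file. The same single-token exclusion is added to `secrets/shadow.yara` in this commit.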
diff --git a/rules/combo/backdoor/net_term.yara b/rules/combo/backdoor/net_term.yara
index 504dd6650..ac5810704 100644
--- a/rules/combo/backdoor/net_term.yara
+++ b/rules/combo/backdoor/net_term.yara
@@ -10,7 +10,7 @@ rule readdir_openpty_socket : suspicious {
 all of them in (1200..3000)
 }
 
-rule pseudoterminal_tunnel : critical {
+rule pseudoterminal_tunnel : suspicious {
 meta:
 description = "accesses pseudoterminals and sets up a tunnel"
 strings:
@@ -19,8 +19,10 @@ rule pseudoterminal_tunnel : critical {
 $t = "tunnel" fullword
 $t2 = "TUNNEL" fullword
+
+ $not_qemu = "QEMU_IS_ALIGNED"
 condition:
- any of ($p*) and any of ($t*)
+ any of ($p*) and any of ($t*) and none of ($not_qemu*)
 }
diff --git a/rules/combo/backdoor/php.yara b/rules/combo/backdoor/php.yara
index 4fc38eb70..d1e701d10 100644
--- a/rules/combo/backdoor/php.yara
+++ b/rules/combo/backdoor/php.yara
@@ -69,8 +69,10 @@ rule php_bin_hashbang : critical {
 strings:
 $x_php = " 10 +}
\ No newline at end of file
diff --git a/rules/evasion/content-length-0.yara b/rules/evasion/content-length-0.yara
index a63a9dfac..ba14d92a8 100644
--- a/rules/evasion/content-length-0.yara
+++ b/rules/evasion/content-length-0.yara
@@ -1,4 +1,4 @@
-rule content_length_0 : suspicious {
+rule content_length_0 : notable {
 meta:
 description = "Sets HTTP content length to zero"
 strings:
diff --git a/rules/evasion/lib_alias.yara b/rules/evasion/lib_alias.yara
new file mode 100644
index 000000000..b7ad5b2fd
--- /dev/null
+++ b/rules/evasion/lib_alias.yara
@@ -0,0 +1,9 @@
+
+rule py_lib_alias_val : notable {
+ meta:
+ description = "aliases core python library to an alternate name"
+ strings:
+ $val = /from \w{2,16} import \w{2,16} as \w{1,32}/ fullword
+ condition:
+ $val
+}
\ No newline at end of file
diff --git a/rules/evasion/mask_exceptions.yara b/rules/evasion/mask_exceptions.yara
new file mode 100644
index 000000000..4a3b51b9b
--- /dev/null
+++ b/rules/evasion/mask_exceptions.yara
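Review bot: `none of ($not_qemu*)` in pseudoterminal_tunnel names the single exclusion string rather than the `$not*` prefix that sudoers-edit, process-injection, shadow and upx use in this same commit, so a later `$not_` string added to this rule would silently not take part in the condition; `none of ($not*)` is the consistent form. It is also worth a comment that `QEMU_IS_ALIGNED` anywhere in a file now exempts it outright from a rule that was `critical` before this change, so the next reader can judge whether that exemption is still worth its evasion cost.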
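Review bot: The description of py_lib_alias_val says "aliases core python library", but `/from \w{2,16} import \w{2,16} as \w{1,32}/` matches any `from X import Y as Z`, which is idiomatic in ordinary code (`from typing import Optional as Opt`), so the rule fires on most non-trivial Python files and the description overstates what is checked. Either reword it to `"aliases an imported name"` or anchor the module to the libraries whose renaming matters, e.g. `$val = /from (os|sys|subprocess|socket|base64|ctypes) import \w{2,16} as \w{1,32}/ fullword`, with a meta note that the concern is hiding those names from string greps. The new file also lacks a trailing newline.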
@@ -0,0 +1,30 @@
+
+import "math"
+
+rule setuptools_no_fail : suspicious {
+ meta:
+ description = "Python library installer that hides exceptions"
+ strings:
+ $setup = "setup(" fullword
+
+ $setuptools = "setuptools"
+ $distutils = "distutils"
+
+ $e_val = /except:.{0,4}pass/ fullword
+ condition:
+ $setup and ($setuptools or $distutils) and $e_val
+}
+
+rule setuptools_no_fail2 : suspicious {
+ meta:
+ description = "Python library installer that hides exceptions"
+ strings:
+ $setup = "setup(" fullword
+
+ $setuptools = "setuptools"
+ $distutils = "distutils"
+
+ $e_val = /except Exception as.{0,8}pass/ fullword
+ condition:
+ $setup and ($setuptools or $distutils) and $e_val
+}
\ No newline at end of file
diff --git a/rules/evasion/packer/elf.yara b/rules/evasion/packer/elf.yara
index aec0af310..069b9ed84 100644
--- a/rules/evasion/packer/elf.yara
+++ b/rules/evasion/packer/elf.yara
@@ -34,7 +34,7 @@ rule upx_elf: suspicious {
 $proc_self = "/proc/self/exe"
 $prot_exec = "PROT_EXEC|PROT_WRITE failed"
 condition:
- $prot_exec and $proc_self
+ uint32(0) == 1179403647 and $prot_exec and $proc_self
 }
 
 rule upx_elf_tampered: critical {
@@ -45,7 +45,7 @@ rule upx_elf_tampered: critical {
 $prot_exec = "PROT_EXEC|PROT_WRITE failed"
 $upx = "UPX!"
 condition:
- $prot_exec and $proc_self and not $upx
+ uint32(0) == 1179403647 and $prot_exec and $proc_self and not $upx
 }
diff --git a/rules/evasion/packer/macho.yara b/rules/evasion/packer/macho.yara
index b34117675..83f3e547e 100644
--- a/rules/evasion/packer/macho.yara
+++ b/rules/evasion/packer/macho.yara
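Review bot: `/except:.{0,4}pass/` only matches `except: pass` written on a single line; as far as I recall YARA's regex dot does not match a newline unless the pattern carries the `s` flag, so the far more common two-line form (`except:` followed by an indented `pass`) is missed, and the same holds for `/except Exception as.{0,8}pass/`. `$e_val = /except:\s{1,16}pass/ fullword` and `/except Exception as \w{1,8}:\s{1,16}pass/ fullword` cover both layouts — worth confirming against the YARA version bincapz links. Separately, `import "math"` is unused in this file, and the two rules differ only in `$e_val`, so a single rule with `$e_val1`/`$e_val2` and `any of ($e_val*)` would halve the duplication.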
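Review bot: `uint32(0) == 1179403647` in upx_elf and upx_elf_tampered is the ELF magic (`\x7FELF` read little-endian), but the decimal literal hides that from a reader. YARA accepts hex, so `uint32(0) == 0x464C457F` (or `uint32be(0) == 0x7F454C46`) with a `// ELF magic` comment reads as a file-type gate rather than a magic number; the Mach-O rule in macho.yara uses the same decimal style, so this is a file-wide nit rather than something introduced here.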
@@ -26,6 +26,8 @@ rule obfuscated_macho : suspicious {
 $common_swift_get = "swift_get"
 $common_swift = "_swift_"
 $common_java = "java/lang"
+ $common_dladdr = "_dladdr" fullword
+ $common_environ = "__mh_execute_header" fullword
 condition:
 filesize < 52428800 and (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and none of ($common*)
 }
\ No newline at end of file
diff --git a/rules/evasion/packer/upx.yara b/rules/evasion/packer/upx.yara
index 636115849..2b3482fb1 100644
--- a/rules/evasion/packer/upx.yara
+++ b/rules/evasion/packer/upx.yara
@@ -11,9 +11,11 @@ rule upx : suspicious {
 hash_2023_Linux_Malware_Samples_0a4b = "0a4b417193f63a3cce4550e363548384eb007f89e89eb831cf1b7f5ddf230a51"
 hash_2023_Linux_Malware_Samples_0b9d = "0b9d850ad22de9ed4951984456e77789793017e9df41271c58f45f411ef0c3d2"
 strings:
- $upx_sig = "UPX!"
- $packed = "executable packer"
- $is_packed = "This file is packed"
+ $u_upx_sig = "UPX!"
+ $u_packed = "executable packer"
+ $u_is_packed = "This file is packed"
+
+ $not_upx = "UPX_DEBUG_DOCTEST_DISABLE"
 condition:
- any of them in (0..1024)
+ any of ($u*) in (0..1024) and none of ($not*)
 }
diff --git a/rules/evasion/powershell_encoded.yara b/rules/evasion/powershell_encoded.yara
new file mode 100644
index 000000000..cc0009e5e
--- /dev/null
+++ b/rules/evasion/powershell_encoded.yara
@@ -0,0 +1,9 @@
+rule powershell_encoded_command_val : suspicious {
+ meta:
+ description = "Runs powershell with an encoded command"
+ strings:
+ $ps = "powershell"
+ $enc = /\-EncodedCommand [\w\=]{0,256}/
+ condition:
+ all of them
+}
diff --git a/rules/evasion/process-injection.yara b/rules/evasion/process-injection.yara
index 838848a04..738109b16 100644
--- a/rules/evasion/process-injection.yara
+++ b/rules/evasion/process-injection.yara
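Review bot: `$common_environ = "__mh_execute_header"` is misnamed — the string is the Mach-O executable header symbol and has nothing to do with `environ` — so `$common_mh_header` would stop a reader from assuming a different string is being checked. More importantly, every `$common_*` entry is an exemption under `none of ($common*)`: with `_dladdr` and `__mh_execute_header` added, any stripped or packed binary that keeps either symbol name in its string table is no longer reported as obfuscated, which trades recall for precision and deserves a one-line comment on the false positive that motivated it.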
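Review bot: `$enc = /\-EncodedCommand [\w\=]{0,256}/` and `$ps = "powershell"` are case-sensitive and require the full parameter name, but PowerShell accepts case-insensitive abbreviations (`-enc`, `-ec`, `-e`) and real encoded-command launches almost always use one of those, so the new rule misses the common form. `$ps = "powershell" nocase` and `$enc = /-e(c|nc|ncodedcommand)? +[A-Za-z0-9+\/=]{16,}/ nocase` cover the abbreviations and also admit the `+` and `/` characters of base64 that `[\w\=]` leaves out; check the abbreviation list against the powershell.exe help for the versions you target before relying on it.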
@@ -12,6 +12,8 @@ rule process_injector_value : critical {
 $ptrace = "trace" fullword
 $proc = "process" fullword
+
+ $not_qemu = "QEMU_IS_ALIGNED"
 condition:
- any of ($m*) and any of ($i*) and any of ($p*)
+ any of ($m*) and any of ($i*) and any of ($p*) and none of ($not*)
 }
diff --git a/rules/evasion/py_builtins.yara b/rules/evasion/py_builtins.yara
new file mode 100644
index 000000000..0fe5151c0
--- /dev/null
+++ b/rules/evasion/py_builtins.yara
@@ -0,0 +1,9 @@
+
+rule indirect_python_builtins : suspicious {
+ meta:
+ description = "Indirectly refers to Python builtins"
+ strings:
+ $val = /getattr\(__builtins__,[ \w\.\)\)]{0,64}/
+condition:
+ any of them
+}
diff --git a/rules/exec/program.yara b/rules/exec/program.yara
index 8f6cc6b0f..d3764ced8 100644
--- a/rules/exec/program.yara
+++ b/rules/exec/program.yara
@@ -60,9 +60,10 @@ rule subprocess : notable {
 pledge = "exec"
 description = "executes another program"
 strings:
- $ref = "subprocess"
+ $naked = "subprocess"
+ $val = /subprocess\.\w{1,16}[\(\"\/\w\'\.\- \,\[\]]{0,64}/
 condition:
- all of them
+ any of them
 }
diff --git a/rules/fs/file-delete-forcibly.yara b/rules/fs/file-delete-forcibly.yara
index 0d12c4c9d..3cdf9c373 100644
--- a/rules/fs/file-delete-forcibly.yara
+++ b/rules/fs/file-delete-forcibly.yara
@@ -9,9 +9,9 @@ rule rm_force {
 }
 
-rule rm_recursive_force : suspicious {
+rule rm_recursive_force : medium {
 meta:
- description = "Forcibly deletes files using rm -R"
+ description = "Forcibly recursively deletes files using rm -R"
 strings:
 $ref = /rm -[Rr]f [ \$\w\/\.]{0,32}/
 $ref2 = /rm -f[Rr] [ \$\w\/\.]{0,32}/
diff --git a/rules/fs/file-make_executable.yara b/rules/fs/file-make_executable.yara
index 2560211d8..f9ea72238 100644
--- a/rules/fs/file-make_executable.yara
+++ b/rules/fs/file-make_executable.yara
@@ -1,4 +1,4 @@
-rule chmod_executable_plus : suspicious {
+rule chmod_executable_plus : notable {
 meta:
 description = "makes file executable"
 strings:
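Review bot: The character class in `/getattr\(__builtins__,[ \w\.\)\)]{0,64}/` lists `\)` twice and omits the quote characters, so for the usual `getattr(__builtins__, 'eval')` the match stops at the quote and the `_val` output shows only `getattr(__builtins__, ` instead of which builtin is being fetched; `[ \w\.\)\'\"]{0,64}` fixes both. Because `{0,64}` allows zero characters, the plain string `getattr(__builtins__,` would match exactly the same files — the regex only earns its keep if the class can capture the argument. `condition:` is also unindented relative to the other sections of the new rule.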
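Review bot: `rule rm_recursive_force : medium` introduces a severity tag that none of the neighbouring rules use — they carry `notable`, `suspicious`, `critical` or `high`, and this commit moves `proclist` from `high` to `medium` as well. If the renderer maps tags to priority levels, an unrecognised tag probably falls to a default rather than the level intended; confirm `medium` is handled, or use the same vocabulary as the surrounding rules. A smaller point on the context line: `/rm -[Rr]f [ \$\w\/\.]{0,32}/` requires a space after `-rf`, so `rm -rf` at end of line or followed by a tab is not matched; `\s` in place of the literal space would catch those.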
diff --git a/rules/kernel/uname-get.yara b/rules/kernel/uname-get.yara
index f8b3977e7..e65902081 100644
--- a/rules/kernel/uname-get.yara
+++ b/rules/kernel/uname-get.yara
@@ -28,6 +28,7 @@ rule python_uname : notable {
 strings:
 $ref = "platform.dist()"
 $ref2 = "platform.platform()"
+ $ref3 = "sys.platform"
 condition:
 any of them
 }
diff --git a/rules/net/vnc.yara b/rules/net/vnc.yara
index e319455e7..b03b0dc30 100644
--- a/rules/net/vnc.yara
+++ b/rules/net/vnc.yara
@@ -1,4 +1,4 @@
-rule vnc_user : suspicious {
+rule vnc_user : notable {
 meta:
 hash_2020_BirdMiner_arachnoidal = "904ad9bc506a09be0bb83079c07e9a93c99ba5d42ac89d444374d80efd7d8c11"
 hash_2023_Linux_Malware_Samples_1d28 = "1d2800352e15175ae5fa916b48a96b26f0199d9f8a9036648b3e44aa60ed2897"
diff --git a/rules/process/chdir-unusual.yara b/rules/process/chdir-unusual.yara
index 4647b122e..c5659d9ad 100644
--- a/rules/process/chdir-unusual.yara
+++ b/rules/process/chdir-unusual.yara
@@ -2,16 +2,25 @@ rule unusual_cd_val : suspicious {
 meta:
 description = "changes to an unusual system directory"
 strings:
- $dev = "cd /dev"
- $dev_mqueue = "cd /dev/mqueue"
- $dev_shm = "cd /dev/shm"
- $mnt = "cd /mnt"
- $root = "cd /root"
- $tmp = "cd /tmp"
- $usr = "cd /usr"
- $var_log = "cd /var/log"
- $var_run = "cd /var/run"
- $var_tmp = "cd /var/tmp"
+ $d_dev_mqueue = "cd /dev/mqueue"
+ $d_dev_shm = "cd /dev/shm"
+ $d_mnt = "cd /mnt"
+ $d_root = "cd /root"
+ $d_tmp = "cd /tmp"
+ $d_usr = "cd /usr"
+ $d_var_log = "cd /var/log"
+ $d_var_run = "cd /var/run"
+ $d_var_tmp = "cd /var/tmp"
 condition:
 any of them
 }
+
+rule unusual_cd_dev_val : suspicious {
+ meta:
+ description = "changes to an unusual system directory"
+ strings:
+ $d_dev = /cd \/dev[\w\/\.]{0,64}/
+ $makedev = "MAKEDEV"
+ condition:
+ $d_dev and not $makedev
+}
diff --git a/rules/process/list.yara b/rules/process/list.yara
index bb85043f8..49e0afc64 100644
--- a/rules/process/list.yara
+++ b/rules/process/list.yara
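Review bot: `$d_dev = /cd \/dev[\w\/\.]{0,64}/` in the new unusual_cd_dev_val rule also matches `cd /dev/shm` and `cd /dev/mqueue`, which unusual_cd_val still lists as `$d_dev_shm` and `$d_dev_mqueue` in the same hunk, so those files now produce two findings with the identical description; and because `\w` is allowed directly after `dev`, `cd /devel` or `cd /devops` match too. `$d_dev = /cd \/dev(\/[\w\/\.]{1,64})?/ fullword` restricts it to `/dev` and its subpaths, and either dropping the two `/dev/...` literals from the first rule or giving the new one a distinct description such as `"changes to a device directory"` removes the double report. `not $makedev` is the same single-string exemption used elsewhere in this commit: any script that mentions `MAKEDEV` is exempt outright.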
@@ -3,6 +3,7 @@ rule proc_listallpids : notable {
 meta:
 pledge = "exec"
 syscall = "vfork"
+ description = "calls proc_listallpid"
 strings:
 $ref = "proc_listallpid" fullword
 condition:
@@ -36,7 +37,7 @@ rule procfs_listdir : notable {
 }
 
-rule proclist : high {
+rule proclist : medium {
 meta:
 description = "accesses process list"
 strings:
diff --git a/rules/procfs/pid-inspector.yara b/rules/procfs/pid-inspector.yara
index 609b71f2b..7ad663945 100644
--- a/rules/procfs/pid-inspector.yara
+++ b/rules/procfs/pid-inspector.yara
@@ -1,5 +1,6 @@
-rule pid_inspector : suspicious {
+rule pid_inspector_val : suspicious {
 meta:
+ description = "accesses unusual process information"
 hash_2023_trojan_Mirai_ubzhp = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab"
 hash_2023_trojan_Mirai_thiwm = "abf0f87cc7eb6028add2e2bda31ede09709a948e8f7e56390a3f18d1eae58aa6"
 hash_2023_trojan_Mirai_ghwow = "c91c6dbfa746e3c49a6c93f92b4d6c925668e620d4effc5b2bf59cf9100fe87d"
diff --git a/rules/ref/ip_port.yara b/rules/ref/ip_port.yara
index 7ceac0afa..b52012d1d 100644
--- a/rules/ref/ip_port.yara
+++ b/rules/ref/ip_port.yara
@@ -1,6 +1,6 @@
 rule hardcoded_hostport2 : high {
 meta:
- description = "Contains hardcoded IP:port address"
+ description = "hardcoded IP:port destination"
 strings:
 $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}:\d{2,5}/ fullword
 $not_ssdp = "239.255.255.250:1900"
diff --git a/rules/ref/site/download.yara b/rules/ref/site/download.yara
index 8cedc2f26..c2145f9ad 100644
--- a/rules/ref/site/download.yara
+++ b/rules/ref/site/download.yara
@@ -9,8 +9,9 @@ rule download_sites : suspicious {
 // $d_paste_dot = /paste\.[\w\.]{2,3}/
 $d_pastecode_dot = /pastecode\.[\w\.]+/
 $d_discord = "cdn.discordapp.com"
+ $d_pastebinger = "paste.bingner.com"
 $d_transfer_sh = "transfer.sh"
- $d_rentry = "rentry.co"
+ $d_rentry = "rentry.co" fullword
 $d_penyacom = "penyacom"
 $d_controlc = "controlc.com"
 $d_anotepad = "anotepad.com"
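Review bot: The new `description = "calls proc_listallpid"` names a symbol I do not recognise from libproc — the macOS API is `proc_listallpids`, plural — and the existing `$ref = "proc_listallpid" fullword` in the context line cannot match that symbol, because `fullword` rejects a match that is followed by the alphanumeric `s`. If `proc_listallpids` is the intended target the rule is currently dead and both lines should read `proc_listallpids` (`"references proc_listallpids"` would also match the wording style of the other descriptions, since YARA sees a string, not a call); if a distinct `proc_listallpid` symbol really exists, a meta `ref` pointing at it would settle the question. The rule's condition runs past the end of this hunk.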
diff --git a/rules/ref/site/http-ip.yara b/rules/ref/site/http-ip.yara
index 5342b74b5..8bc2a91fe 100644
--- a/rules/ref/site/http-ip.yara
+++ b/rules/ref/site/http-ip.yara
@@ -1,9 +1,9 @@
 rule http_hardcoded_ip : suspicious exfil {
 meta:
- description = "URL pointing to an IP address rather than DNS name"
+ description = "hardcoded IP address within a URL"
 strings:
- $ipv4 = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}[:\/\w\?]{0,32}/
+ $ipv4 = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}[:\/\w\-\?\.]{0,32}/
 $not_metadata = "http://169.254.169.254"
 $not_100 = "http://100.100.100"
 $not_11 = "http://11.11.11"
diff --git a/rules/ref/words/c2.yara b/rules/ref/words/c2.yara
index 2f59194d0..c22824398 100644
--- a/rules/ref/words/c2.yara
+++ b/rules/ref/words/c2.yara
@@ -1,4 +1,4 @@
-rule command_and_control : suspicious {
+rule command_and_control : notable {
 meta:
 description = "Uses terms that may reference a command and control server"
 strings:
diff --git a/rules/ref/words/rootkit.yara b/rules/ref/words/rootkit.yara
index 2c1075c1e..c34f99565 100644
--- a/rules/ref/words/rootkit.yara
+++ b/rules/ref/words/rootkit.yara
@@ -1,11 +1,19 @@
-rule rootkit : suspicious {
+rule rootkit_up : suspicious {
 meta:
 description = "references a 'rootkit'"
 strings:
 $s_Rootkit = "Rootkit"
 $s_r00tkit = "r00tkit"
 $s_r00tk1t = "r00tk1t"
- $s_rootkit = "rootkit"
+ condition:
+ any of them
+}
+
+rule rootkit : notable {
+ meta:
+ description = "references a 'rootkit'"
+ strings:
+ $s_rootkit = "rootkit" fullword
 condition:
 any of them
 }
\ No newline at end of file
diff --git a/rules/ref/words/server_address.yara b/rules/ref/words/server_address.yara
index bac130353..3339bfe66 100644
--- a/rules/ref/words/server_address.yara
+++ b/rules/ref/words/server_address.yara
@@ -1,4 +1,4 @@
-rule server_address : suspicious {
+rule server_address : notable {
 meta:
 description = "references a 'server address', possible C2 client"
 strings:
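Review bot: The rewritten `$ipv4` still begins with `https*:`, which matches `http:` and `https:` but also `httpss:`; `https?:` is the intended form. The larger gap is `([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}`, which requires every octet to be two or three digits with a non-zero lead, so `http://10.0.0.1/`, `http://8.8.8.8/` and `http://192.168.1.5:4444/` — the usual shapes of a hard-coded C2 or exfil address — never match, even though the `$not_metadata`/`$not_100`/`$not_11` exclusions suggest such addresses are expected. `/https?:\/\/(\d{1,3}\.){3}\d{1,3}[:\/\w\-\?\.]{0,32}/` covers them; if the digit restriction was deliberate to avoid version-like strings, a comment saying so would stop the next person from "fixing" it, and the same octet pattern sits in `ref/ip_port.yara` in this commit.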
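Review bot: `rootkit_up : suspicious` and `rootkit : notable` both carry the identical `description = "references a 'rootkit'"`, so a report shows two findings with the same text at different severities and no hint of why; `"references 'Rootkit' or a leetspeak variant (r00tkit)"` on the first would distinguish them. `$s_Rootkit = "Rootkit"` also stays without `fullword`, so the split lowers the severity of the lowercase form while the capitalised one still matches inside product names such as `RootkitRevealer`; adding `fullword` there, as the new `$s_rootkit` line does, would keep the two rules on the same footing. The file still ends without a trailing newline.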
diff --git a/rules/secrets/cookies.yara b/rules/secrets/cookies.yara
index ea74a98ec..477f9a75c 100644
--- a/rules/secrets/cookies.yara
+++ b/rules/secrets/cookies.yara
@@ -1,4 +1,4 @@
-rule macos_cookies : suspicious {
+rule macos_cookies_val : suspicious {
 meta:
 ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/"
 description = "Accesses macOS Cookie files"
diff --git a/rules/secrets/keychain.yara b/rules/secrets/keychain.yara
index 59c78f7d1..ac3ec5a36 100644
--- a/rules/secrets/keychain.yara
+++ b/rules/secrets/keychain.yara
@@ -8,7 +8,7 @@ rule keychain : notable macos {
 any of them
 }
 
-rule macos_library_keychains : suspicious macos {
+rule macos_library_keychains : notable {
 meta:
 description = "Accesses the system keychain via files"
 strings:
diff --git a/rules/secrets/shadow.yara b/rules/secrets/shadow.yara
index 4b5a566e3..dc10095d0 100644
--- a/rules/secrets/shadow.yara
+++ b/rules/secrets/shadow.yara
@@ -3,6 +3,7 @@ rule etc_shadow : suspicious {
 description = "accesses /etc/shadow"
 strings:
 $ref = "etc/shadow"
+ $not_vim = "VIMRUNTIME"
 condition:
- any of them
+ $ref and none of ($not*)
 }
diff --git a/rules/security_controls/linux/selinux_disable.yara b/rules/security_controls/linux/selinux_disable.yara
index 7783f20ba..ae3d6a94b 100644
--- a/rules/security_controls/linux/selinux_disable.yara
+++ b/rules/security_controls/linux/selinux_disable.yara
@@ -1,4 +1,6 @@
-rule selinux_disable : suspicious {
+rule selinux_disable_val : suspicious {
+ meta:
+ description = "disables SELinux security control"
 strings:
 $ref1 = "SELINUX=disabled"
 $ref2 = "setenforce 0"
diff --git a/rules/service/systemd.yara b/rules/service/systemd.yara
index af4d4b68d..e452ca6f7 100644
--- a/rules/service/systemd.yara
+++ b/rules/service/systemd.yara
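Review bot: `rule macos_library_keychains : notable` drops the `macos` tag along with the severity change, while the sibling `rule keychain : notable macos` in the hunk's context keeps it; if the `macos` tag drives platform filtering or grouping in the renderer, this rule silently leaves that set. Unless removing the tag was intended, `rule macos_library_keychains : notable macos` keeps the two changes separate.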
@@ -1,4 +1,4 @@
-rule systemctl_calls : suspicious {
+rule systemctl_calls_val : suspicious {
 meta:
 hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
 hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
diff --git a/rules/shell/busybox-exec.yara b/rules/shell/busybox-exec.yara
index 8bd3b4c8f..d8ba4c2e9 100644
--- a/rules/shell/busybox-exec.yara
+++ b/rules/shell/busybox-exec.yara
@@ -9,7 +9,7 @@ rule busybox_runner : suspicious {
 hash_2023_Linux_Malware_Samples_bc5c = "bc5c2358e58876be7955fa0c8f5514f4d35e5353b93ba091216b2371470da988"
 hash_2021_trojan_Mirai_Tsunami = "c8aeb927cd1b897a9c31199f33a6df9f297707bed1aa0e66d167270f1fde6ff5"
 strings:
- $b_busybox = /\/bin\/busybox \w{2,16}[ \/\w\.]{0,64}/
+ $b_busybox_val = /\/bin\/busybox \w{2,16}[ \/\w\.]{0,64}/
 condition:
 all of them
 }
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara
index 2dfd61cfa..94244e17d 100644
--- a/rules/techniques/code_eval.yara
+++ b/rules/techniques/code_eval.yara
@@ -2,9 +2,10 @@ rule eval : suspicious {
 meta:
 description = "evaluate code dynamically using eval()"
 strings:
- $ref = /eval\([\w\(\,\)]{0,32}/ fullword
+ $ref = /eval\([a-z\"\'\(\,\)]{1,32}/ fullword
+ $empty = "eval()"
 condition:
- any of them
+ $ref and not $empty
 }
 
 
@@ -12,7 +13,8 @@ rule python_exec : suspicious {
 meta:
 description = "evaluate code dynamically using exec()"
 strings:
- $ref = /exec\([\w\(\,\)]{0,32}/ fullword
+ $ref = /exec\([a-z\"\'\(\,\)]{1,32}/ fullword
+ $empty = "exec()"
 condition:
- any of them
+ $ref and not $empty
 }
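Review bot: `$empty = "eval()"` exists only because `\)` is inside the class, so the bare `eval()` satisfies `[a-z\"\'\(\,\)]{1,32}`; but `$ref and not $empty` then suppresses the rule for the whole file whenever an `eval()` literal appears anywhere, which a script can arrange with one dead statement next to its real `eval(payload)`. Keeping `)` out of the first character removes the need for `$empty` and the evasion with it: `$ref = /eval\([a-z\"\'\(\,][a-z\"\'\(\,\)]{0,31}/ fullword` with `condition: $ref`, and the same shape for python_exec in the second hunk. Note also that the tightened class drops uppercase, digits and `_`, so with `fullword` the rule no longer matches `eval(Base64...)`, `eval(_x)` or `eval(s2)` — `\w` in place of `a-z` restores those unless dropping them was deliberate.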