currently serving 20677 YARA rules and 3672 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
MAL_Guptiminer_Apr24 | Detects malware from different campaigns related to GuptiMiner that distribute backdoors within big corporate networks | 10.05.2024
MAL_Guptiminer_PDB_Apr24 | Detects malware from different campaigns related to GuptiMiner that distribute backdoors within big corporate networks | 10.05.2024
WEBSHELL_Hanshell_May24 | Detects Hanshell, an ASP.NET web shell used to abuse leaked token handles | 10.05.2024
MAL_RANSOM_Nopyfy_May24 | Detects Nopyfy ransomware | 07.05.2024
MAL_Tomb_Packer_May24 | Detects Tomb Packer, a modified version of UPX | 07.05.2024
MAL_Serwent_Loader_May24 | Detects Serwent loader | 07.05.2024
MAL_Crypto_Miners_May24 | Detects crypto miners that use indirect syscalls for evasion | 07.05.2024
MAL_Tiny_Utility_Module_May24 | Detects HijackLoader Tiny utility module | 07.05.2024
MAL_Tinycall_Proxy_May24 | Detects HijackLoader Tinycall Proxy module | 07.05.2024
MAL_IDAT_Injector_Loader_May24 | Detects IDAT Injector loader | 07.05.2024
SUSP_ASM_Trampoline_May24 | Detects suspicious ASM code seen used as a 'trampoline' to hook LogonUserWAddr | 06.05.2024
HKTL_CloudInject_May24 | Detects 'CloudInject', a third-party AD connector credentials stealer/harvester | 06.05.2024
MAL_ASP_Webshell_ASPJinjaObfuscator_May24 | Detects ASP webshell generated by ASPJinjaObfuscator | 06.05.2024
EXPL_WIN_CVE_2023_36424_1 | Detects an exploit for CVE-2023-36424, a Windows kernel pool (clfs.sys) corruption privilege escalation | 06.05.2024
HKTL_ShareFinder_May24 | Detects Sharefinder.ps1, a hacktool to enumerate network shares | 06.05.2024
MAL_LNX_Shell_Dropper_May24 | Detects suspicious Linux shell script indicating dropper activity | 03.05.2024
MAL_LNX_Go_Miner_May24 | Detects malicious Linux malware/miner/stealer written in Go | 03.05.2024
MAL_Hancitor_Loader_May24 | Detects Hancitor loader | 03.05.2024
MAL_VBS_May24 | Detects VBScript code that downloads a next-stage payload | 03.05.2024
MAL_PS1_TAMECAT_May24 | Detects a PowerShell script that contains an obfuscated and AES-encrypted TAMECAT backdoor and downloads an additional PowerShell script to AES-decrypt the embedded backdoor | 03.05.2024
MAL_Goldoon_Botent_May24 | Detects Goldoon botnet that targets D-Link devices | 02.05.2024
APT_MAL_Blackwood_DLL_May24 | Detects DLL related to Blackwood APT | 02.05.2024
MAL_Cuckoo_Stealer_May24 | Detects Cuckoo stealer | 02.05.2024
MAL_SNOWLIGHT_Downloader_May24_1 | Detects Linux and macOS versions of a malware that looks like SNOWLIGHT from the Mandiant report on UNC5174 | 01.05.2024
SUSP_MAL_LNX_Downloader_May24_1 | Detects unknown Linux malware (overlaps with SNOWLIGHT from the Mandiant report on UNC5174) | 01.05.2024
SUSP_LNX_Binary_Characteristics_May24_1 | Detects characteristics often found in malicious samples | 01.05.2024
EXPL_Linux_CVE_2024_1086_Apr24 | Detects exploit for CVE-2024-1086 | 29.04.2024
HKTL_Sqlmap_Output_Apr24 | Detects output of the hacktool sqlmap: automatic SQL injection and database takeover tool | 29.04.2024
HKTL_KDMapper_Apr24 | Detects KDMapper, a tool that exploits the iqvw64e.sys Intel driver to manually map unsigned drivers in memory | 29.04.2024
MAL_Carbanak_Loader_Apr24 | Detects Anunak/Carbanak payload loader, related to the FIN7 APT | 22.04.2024

Successful YARA Rules in Set

This table shows statistics for the rules with the lowest average AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash (SHA-256)
SUSP_OBF_VMProtect_Jan24 | 2 | ba678989a71eff017855bcc9ed7cd98ada2e274e17f0b0f165b039cc166bc48b
SUSP_Encoded_FromBase64String | 10 | 6b500271af91685ab43e8926d6888fd759fa870924535a02683198e18f446463
SUSP_OBFUSC_Reversed_Encoded_PowerShell_Code_Mar22 | 10 | 6b500271af91685ab43e8926d6888fd759fa870924535a02683198e18f446463
SUSP_OBFUSC_JS_Sep20_1 | 1 | 84ed6cbf1e40fd859069e7156fae311195438b35d1b4723049cc384ba7c11a1e
PUA_ConnectWise_ScreenConnect_Mar23 | 3 | 80f26205cb707ed4df9333bb046d923ba6b928f00e91e90169530603cfb1007b
SUSP_Base64AtEndOfFile_Jul21 | 3 | 70ddaffe79164c1050723ec1271cffe9f8fd15c71d4d8a5dbd9290a057cde307
SUSP_PE_Themida_Packed_Nov22 | 10 | f7e3e1f31a110c7f931f974b4e122396f60639a9af2558d7b8caf8467cd76a10
SUSP_Protector_Themida_Packed_Samples_Mar21_1 | 10 | f7e3e1f31a110c7f931f974b4e122396f60639a9af2558d7b8caf8467cd76a10
SUSP_MSIL_NET_OBF_Dropper_Indicators_Oct23 | 2 | 6f6b74eb521064677105977115ec3156765a0d89ea29a2447477e92313d269c6
PUA_ConnectWise_ScreenConnect_Mar23 | 1 | 9f3bd28609500f3d0ad273bca6f3952633ff806f011e28cd6d4c010c7c9820ad
SUSP_Credential_Stealer_Indicators_Jul23_2 | 11 | ba0266346e34780600453aaf2b2ba8e68e50ca561a5a3a2c0a56897f5e814143
SUSP_Encoded_GetProcAddress_Mar19 | 5 | dbf668f1d79e4569d40c79fe4ff4ccab1aa710ba8051f142acf587a8ebae5531
SUSP_OBF_VMProtect_Jan24 | 5 | b6a42f95f020ba62b1624cc87323d35179f7506ad1bc495e8f25045d6fd95ef5
SUSP_OBFUSC_JS_Oct23_4 | 1 | a9f97ecf6867d9f13dbbc0751bb1b4cb338fd14ca7c751e8201d97445c128212
SUSP_HKTL_LNX_CheatSheet_Commands | 2 | 638e3fe98873a0a1cf2de158cad6ca1a14af8a31c2b39a4064a4fa7d4379d389
SUSP_LMHash_Empty_Jul21_1 | 2 | 638e3fe98873a0a1cf2de158cad6ca1a14af8a31c2b39a4064a4fa7d4379d389
NTLM_Dump_Output | 2 | 638e3fe98873a0a1cf2de158cad6ca1a14af8a31c2b39a4064a4fa7d4379d389
SUSP_Hack_Cmds_Comp_Nov17_1 | 2 | 638e3fe98873a0a1cf2de158cad6ca1a14af8a31c2b39a4064a4fa7d4379d389
SUSP_Registry_Export_SAM_Mar21_1 | 2 | 638e3fe98873a0a1cf2de158cad6ca1a14af8a31c2b39a4064a4fa7d4379d389
empty_LM_hash | 2 | 638e3fe98873a0a1cf2de158cad6ca1a14af8a31c2b39a4064a4fa7d4379d389

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, since a rule can belong to several categories)

Tag | Count
Malware | 6053
Threat Hunting (not subscribable, only in THOR scanner) | 4946
APT | 4818
Hacktools | 4465
Webshells | 2310
Exploits | 619

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Uncommon File System Load Attempt By Format.com - ImageLoad | Detects the load of uncommon file system DLLs by the "format.com" utility. An attacker can point "format.com" to load any DLL using the "/FS" flag. | 13.05.2024
Keyboard Layout - Scancode Map Modification - Registry | Detects setting of the "Scancode Map" registry value. This value allows a user to customize and map keyboard keys to different values. Ransomware was seen using this technique in order to prevent the user from interacting with the machine during the encryption process. | 07.05.2024
Keyboard Layout - Scancode Map Modification - CommandLine | Detects setting of the "Scancode Map" registry value via the command line. This value allows a user to customize and map keyboard keys to different values. Ransomware was seen using this technique in order to prevent the user from interacting with the machine during the encryption process. | 03.05.2024
Remote Access Tool - HopToDesk Silent Installation | Detects installation of HopToDesk.EXE with the silent flag. HopToDesk is a free remote desktop tool allowing users to share their screen and allow remote control access to their computers and devices. It was seen being abused by ransomware threat actors in order to deploy and execute malware remotely. | 03.05.2024
Renamed HopToDesk.EXE Execution | Detects the execution of a renamed version of HopToDesk.EXE. HopToDesk is a free remote desktop tool allowing users to share their screen and allow remote control access to their computers and devices. It was seen being abused by ransomware threat actors in order to deploy and execute malware remotely. | 03.05.2024
Local Command Proxy Execution Via Winrs.EXE | Detects the execution of a local command via "winrs.exe" using the WinRM service. An attacker can enable the WinRM service locally and start to proxy commands on the system through "winrshost.exe". This form of execution can be used as a living-off-the-land binary in order to potentially bypass application whitelisting. | 03.05.2024
Potential Lateral Movement Via Windows Remote Management (WinRM) | Detects child processes of "winrshost.exe". This indicates remote execution via Windows Remote Management (WinRM) and could be a sign of potential lateral movement activity. | 03.05.2024
Remote Command Execution Via Winrs.EXE | Detects the execution of a remote command via "winrs.exe" using the WinRM service. | 03.05.2024
Potential Lateral Movement Via Windows Remote Management (WinRM) - Suspicious Process Tree | Detects a suspicious process tree of "winrshost.exe". This indicates remote execution via Windows Remote Management (WinRM) and could be a sign of potential lateral movement activity. | 03.05.2024
Setting Environment Variables Via Setx.EXE | Detects execution of the "setx.exe" utility. This utility allows for the creation or modification of environment variables in the user or system environment, without requiring programming or scripting. The setx command also retrieves the values of registry keys and writes them to text files. | 02.05.2024
Potential Suspicious Tampering With Built-In Environment Variables Via Setx.EXE | Detects execution of the "setx.exe" utility in order to modify the value of built-in environment variables to uncommon values. Attackers were seen modifying environment variables to different values in order to trick programs leveraging them into loading or executing different things. This utility allows for the creation or modification of environment variables in the user or system environment, without requiring programming or scripting. The setx command also retrieves the values of registry keys and writes them to text files. | 02.05.2024
Setting Environment Variables From Registry Data Via Setx.EXE | Detects execution of the "setx.exe" utility in order to set an environment variable with a value read from the registry. While this might be common in certain environments, attackers might leverage this in order to read registry content in a sneaky way. This utility allows for the creation or modification of environment variables in the user or system environment, without requiring programming or scripting. The setx command also retrieves the values of registry keys and writes them to text files. | 02.05.2024
Suspicious Process Tree Execution Via PDQDeployRunner | Detects suspicious child processes executed via "PDQDeployRunner". PDQDeployRunner is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines. Threats such as Avos Locker were seen abusing RMM utilities in order to execute commands remotely. | 02.05.2024
Configure Potentially Suspicious Failure Command For Service Via Sc.EXE | Detects the execution of the "sc.exe" utility with the "failure" flag in order to configure a failure command to be executed. Attackers might configure a specific command or script to be executed when a service fails to start in order to keep persistence on a machine. | 29.04.2024
Configure Failure Action For Service Via Sc.EXE | Detects the execution of the "sc.exe" utility with the "failure" flag in order to configure a failure action or command to be executed. Attackers might configure a specific service failure action or command in order to keep persistence on a machine. | 29.04.2024
Lock Windows Service Control Manager Database Via Sc.EXE | Detects the execution of the "sc.exe" utility with the "lock" flag in order to lock the Service Control Manager database. Locking the Service Control Manager's database prevents any services from starting. This makes sure that a service will not be started after it has been stopped. This can enable attackers to perform an action (for example, deleting the service) without interference. | 29.04.2024
Pause Windows Service Via Sc.EXE | Detects the execution of the "sc.exe" utility with the "pause" flag. This flag allows a user to send a PAUSE control request to a service. Not all services can be paused, and those that can do not all behave the same when paused. Some services continue to service existing clients but refuse to accept new clients. Others cease to service existing clients and also refuse to accept new clients. | 29.04.2024
Potentially Suspicious Download From GoogleDrive Link Via CommandLine | Detects command-line strings referencing Google Drive links with download options and no antivirus scanning. Attackers might use Google Drive in order to host malicious payloads and then later download them via command-line utilities. | 29.04.2024
Suspicious CMD Shell Output Redirect | Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. | 29.04.2024
Windows Default Shell Changed | Detects changes to the default Windows shell. | 29.04.2024
Creation of a New Firewall Rule Via New-NetFirewallRule Cmdlet - ScriptBLock | Detects the execution of "New-NetFirewallRule" to create a new inbound or outbound firewall rule. | 29.04.2024
Creation of a New Firewall Rule Via New-NetFirewallRule Cmdlet | Detects the execution of "New-NetFirewallRule" to create a new inbound or outbound firewall rule. | 29.04.2024
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process | Detects potentially suspicious child processes of the SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094. | 01.04.2024
Certificate-Based Authentication Enabled | Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant. | 26.03.2024
New Root Certificate Authority Added | Detects a newly added root certificate authority in an AzureAD tenant to support certificate-based authentication. | 26.03.2024
Privileged Container Deployed | Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields. | 26.03.2024
Deployment Deleted From Kubernetes Cluster | Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. | 26.03.2024
Potential Remote Command Execution In Pod Container | Detects attempts to execute remote commands within a Pod's container using e.g. the "kubectl exec" command. | 26.03.2024
Kubernetes Events Deleted | Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection. | 26.03.2024
Container With A hostPath Mount Created | Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node. | 26.03.2024

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2968 | 17709
Sigma | 3204 | 468

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1206
windows / registry_set | 187
windows / file_event | 182
windows / ps_script | 163
windows / security | 153
linux / process_creation | 108
windows / image_load | 97
webserver | 78
windows / system | 72
macos / process_creation | 56
proxy | 51
linux / auditd | 49
windows / network_connection | 45
azure / activitylogs | 43
windows / registry_event | 38
aws / cloudtrail | 35
azure / auditlogs | 35
windows / ps_module | 32
windows / application | 28
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
windows / dns_query | 20
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 12
cisco / aaa | 12
windows / file_delete | 12
windows / codeintegrity-operational | 10
windows / ps_classic_start | 10
kubernetes / application / audit | 10
windows / driver_load | 10
github / audit | 10
linux / file_event | 9
windows / create_stream_hash | 9
windows / registry_add | 9
windows / msexchange-management | 8
dns | 8
antivirus | 7
windows / firewall-as | 7
azure / pim | 7
windows / appxdeployment-server | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
zeek / smb_files | 7
windows / file_access | 6
windows / registry_delete | 6
windows / dns-client | 5
jvm / application | 5
windows / sysmon | 4
windows / taskscheduler | 4
zeek / dce_rpc | 4
zeek / dns | 4
zeek / http | 3
windows / wmi_event | 3
linux / network_connection | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
windows / dns-server | 2
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
windows / file_change | 2
firewall | 2
windows / security-mitigations | 2
spring / application | 2
m365 / audit | 2
linux / syslog | 2
velocity / application | 1
zeek / x509 | 1
windows / smbclient-security | 1
windows / file_rename | 1
windows / sysmon_status | 1
ruby_on_rails / application | 1
m365 / exchange | 1
linux / vsftpd | 1
windows / diagnosis-scripted | 1
sql / application | 1
zeek / rdp | 1
windows / sysmon_error | 1
m365 / threat_detection | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
windows / dns-server-analytic | 1
database | 1
windows / driver-framework | 1
windows | 1
windows / printservice-operational | 1
nginx | 1
windows / printservice-admin | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
fortios / sslvpnd | 1
netflow | 1
cisco / bgp | 1
cisco / syslog | 1
linux / auth | 1
cisco / ldp | 1
windows / ldap | 1
windows / smbclient-connectivity | 1
linux / cron | 1
django / application | 1
linux / guacamole | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
windows / openssh | 1
windows / process_tampering | 1
juniper / bgp | 1
windows / applocker | 1
nodejs / application | 1
linux / clamav | 1
windows / appxpackaging-om | 1
windows / shell-core | 1
windows / raw_access_thread | 1
python / application | 1
linux / sudo | 1
windows / capi2 | 1
windows / file_executable_detected | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 196
windows / ps_script | 53
windows / registry_set | 51
windows / wmi | 29
windows / file_event | 20
windows / image_load | 15
proxy | 11
windows / security | 10
windows / system | 10
windows / kernel-event-tracing | 6
windows / network_connection | 6
windows / ps_module | 5
windows / ntfs | 5
windows / create_remote_thread | 4
windows / registry_event | 4
linux / process_creation | 3
windows / vhd | 3
windows / registry_delete | 3
webserver | 3
windows / application-experience | 3
windows / hyper-v-worker | 3
windows / pipe_created | 3
windows / ps_classic_script | 3
windows / taskscheduler | 2
windows / driver_load | 2
windows / bits-client | 2
windows / kernel-shimengine | 2
windows / process_access | 1
macos / process_creation | 1
windows / amsi | 1
windows / application | 1
windows / dns_query | 1
windows / registry-setinformation | 1
windows / file_access | 1
windows / audit-cve | 1
windows / file_delete | 1
windows / codeintegrity-operational | 1
windows / file_rename | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html