currently serving 21677 YARA rules and 3881 Sigma rules

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
HKTL_ASRepCatcher_Nov24 | Detects ASRepCatcher, a hacktool to make everyone in the connected VLAN AS-REP roastable | 11.11.2024
MAL_ELF_Xlogin_Nov24_1 | Detects xlogin backdoor samples | 11.11.2024
PUA_ELF_MicroSocks_Socks5_Proxy_Nov24 | Detects MicroSocks, a small and fast SOCKS5 proxy server | 11.11.2024
PUA_LNX_Socks5_Proxy_Nov24 | Detects possibly unwanted SOCKS5 proxy software | 11.11.2024
HKTL_KrakenMask_Indicators_Nov24 | Detects simple KrakenMask sleep obfuscation indicators | 11.11.2024
WEBSHELL_JSOP_Godzilla_Nov24_1 | Detects characteristics found in JSP Godzilla web shells | 11.11.2024
HKTL_PY_Adidnsdump_Nov24 | Detects adidnsdump, a hacktool for dumping Active Directory Integrated DNS records as any authenticated user | 11.11.2024
PUA_HKTL_SoftPerfect_Netscan_Nov24 | Detects unsigned versions of SoftPerfect Netscan, a dual-use network enumeration tool used by many ransomware gangs | 11.11.2024
MAL_LNX_Unknown_Nov24_1 | Detects characteristics found in unknown Linux malware | 07.11.2024
MAL_LNX_ESX_Babuk_Nov24_1 | Detects files of the Babuk ransomware group: ransomware and decryption tools | 07.11.2024
MAL_LNX_Pygmy_Nov24_1 | Detects Pygmy Goat, a native x86-32 ELF shared object discovered on Sophos XG firewall devices that provides backdoor access to the device | 06.11.2024
SUSP_LNX_ESX_Ransomware_Indicator_Nov24 | Detects indicators found in ransomware targeting ESX servers | 05.11.2024
MAL_RANSOM_HellDown_Samples_Nov24 | Detects HellDown ransomware (file 6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd) | 05.11.2024
HKTL_RingQ_Nov24 | Detects RingQ, a post-exploitation "anti-killing" (AV evasion) tool | 04.11.2024
HKTL_Fuso_Nov24 | Detects Fuso, a tunneling and reverse proxy tool | 04.11.2024
MAL_ShellcodeRunner_Nov24 | Detects a shellcode runner | 04.11.2024
MAL_ElizaRAT_Nov24 | Detects ElizaRAT | 04.11.2024
MAL_Backdoor_Nov24 | Detects a macOS backdoor | 04.11.2024
MAL_Winsos_Loader_Nov24 | Detects the Winsos C2 framework loader | 04.11.2024
SUSP_SMBLibrary_Nov24 | Detects unsigned C# binaries using SMBLibrary, a free, open source, user-mode SMB 1.0/CIFS, SMB 2.0, SMB 2.1 and SMB 3.0 server and client library. It is used by legitimate software but also by many hacktools | 04.11.2024
SUSP_PY_Compiled_Impacket_Rust_Nov24 | Detects a suspicious compiled Python script that uses Impacket and Rust bindings | 04.11.2024
PUA_RMM_Meshagent_Nov24 | Detects MeshAgent, a remote management tool sometimes abused by threat actors | 04.11.2024
MAL_Steelfox_Dropper_Nov24 | Detects the SteelFox trojan dropper | 04.11.2024
MAL_Steelfox_Loader_Nov24 | Detects the SteelFox trojan loader | 04.11.2024
HKTL_CSHARP_SOAPHound_Nov24 | Detects SOAPHound, a custom-developed .NET data collector that enumerates Active Directory environments via the Active Directory Web Services (ADWS) protocol | 04.11.2024
MAL_C2_Implant_C2Comms_Nov24 | Detects an unknown C2 implant named C2Comms | 01.11.2024
SUSP_PE_C2_Implant_Indicator_Nov24 | Detects C2 implant indicators in PE files | 01.11.2024
SUSP_HTML_HTMLSmuggling_Payload_Nov24 | Detects characteristics found in HTML smuggling payloads | 01.11.2024
SUSP_PE_Characteristics_Nov24 | Detects suspicious characteristics in PE files | 01.11.2024
HKTL_PS1_OutSteel_Stealer_Nov24 | Detects the OutSteel stealer PowerShell script | 01.11.2024

Successful YARA Rules in Set

This table lists the best-performing rules, i.e. those whose matches have the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (0 to 15 AV engines matched the sample)

Rule | AVs | Hash
MAL_LNX_Scripts_Oct19_ | 12 | 633df6576de6687991d1b47e7a8f1aa28c3c6ba310bd1f3cf6b63f0ce41a73f6
SUSP_JS_OBFUSC_Feb23_2 | 1 | bf7c3153352e20dc0de42fbd481c629b0b320684d2af45af27b75838a66f3bd7
SUSP_CryptoMiner_Indicator_Dec21_1 | 12 | 633df6576de6687991d1b47e7a8f1aa28c3c6ba310bd1f3cf6b63f0ce41a73f6
SUSP_RootHelper_Indicators_Jun21_1 | 1 | ad2236abf3c38e5622d5044deb0650d71f38268e456ea4fcb011f05e6704bfc5
SUSP_W32tm_StripChart_Cmdline_Oct22_1 | 12 | 7a08dc5cb8590c97d5494db3ae600bad6dc1044a802847febfc1d4ab0ce87898
SUSP_Encoded_FromBase64String | 1 | b787c15ce4d174e4c80721d7ab0c76b0231cc320eca8fb462cb3d41595886f34
SUSP_Encoded_PowerShell_Class | 1 | b787c15ce4d174e4c80721d7ab0c76b0231cc320eca8fb462cb3d41595886f34
SUSP_ShellCode_Variable_May19 | 1 | e0098a736c6d788c7ee80748e5f86ea3ece1b15747a08e546aa0c1ac70986eb8
SUSP_B64_Atob_Aug23 | 4 | 59b6838d9bf189aa6cebe39455250ecff223b1ac6410bea5b1b8a4aa437ce9e1
SUSP_Download_Cradles_Oct22_1 | 1 | e0098a736c6d788c7ee80748e5f86ea3ece1b15747a08e546aa0c1ac70986eb8
SUSP_Encoded_SystemReflection_Assemly_Load | 1 | b787c15ce4d174e4c80721d7ab0c76b0231cc320eca8fb462cb3d41595886f34
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 4 | 59b6838d9bf189aa6cebe39455250ecff223b1ac6410bea5b1b8a4aa437ce9e1
SUSP_Batch_File_Jul23 | 8 | 83fa1393c1facdd3cc103be13f25a289ef56b94fd2d3d4cadb83461d76745188
SUSP_OBF_VMProtect_Jan24 | 11 | 729a4bedd754c7b61cf84c5a13e373f794c03bf7b6d0455ca3ef86b0dd91e903
SUSP_Malformed_PE_Header_Dec17 | 13 | f0f094929c6676471159f4d19e6330b06a304cd2847f5c4deb6644b86745232c
SUSP_PS1_Small_NetworkFunc_Jun22_1 | 6 | 9390494cc7ce46c730282052112184ba211d1f78d6e662437f80dc0b310be4c1
SUSP_PS1_Reverse_Shell_Jun22 | 6 | 9390494cc7ce46c730282052112184ba211d1f78d6e662437f80dc0b310be4c1
SUSP_PS1_Small_GetBytes_Jun22_1 | 6 | 9390494cc7ce46c730282052112184ba211d1f78d6e662437f80dc0b310be4c1
SUSP_OBFUSC_JS_Oct23_4 | 2 | 010adc79e5751c3fc103f9040d4e5a57a0bdefb8933f2672e648b4f635d8ce42
SUSP_Protector_Themida_Packed_Samples_Mar21_1 | 8 | 843748922815a6bd831f2256a2b3d77e0c003c4addbd87df0b977d233c59750a

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can belong to several categories)

Tag | Count
Malware | 6463
Threat Hunting (not subscribable, only in THOR scanner) | 5178
APT | 4892
Hacktools | 4584
Webshells | 2340
Exploits | 636

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Potentially Suspicious Command Executed Via Run Dialog Box - Registry | Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. | 01.11.2024
.RDP File Created by Outlook Process | Detects the creation of files with the ".rdp" extension in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments. | 01.11.2024
Disable Antivirus Autostart | Detects the disabling of the autostart capability of antivirus products | 28.10.2024
ValleyRAT Malware Registry Modification | Detects the creation of registry keys used to store C2 information, as seen with the ValleyRAT malware | 28.10.2024
Registry Modifications to Change Default Programs Handling Files | Detects a change to the default program handling a file extension, which could be used by threat actors to run their malware when a file with that extension is opened. | 28.10.2024
Hacktool Nifo Usage | Detects Nifo, a tool that disables Windows AV/EDR software by corrupting its files offline via physical access | 27.10.2024
Registry Set for WinDefend Deletion | Detects the deletion of the WinDefend registry key in an attempt to disable Windows Defender. | 23.10.2024
Curl Variable Execution | Detects curl execution where a variable is passed as the domain to fetch data from, which could be used by a threat actor to hide the actual malicious domain. | 20.10.2024
Domain Obfuscation | Detects domain obfuscation used by a threat actor to hide the actual C2 domain. | 20.10.2024
MSC File Execution From Potential Suspicious Location | Detects execution of Microsoft Management Console (MMC) files from potentially suspicious locations. | 20.10.2024
IMEEX Framework Registry Modification Detected | Detects modifications to registry keys associated with the IMEEX malware framework, a tool used by attackers to gain extensive control over compromised Windows systems. | 12.10.2024
Potential Conti Ransomware Activity | Detects a specific command line pattern based on flags used by the Conti ransomware | 07.10.2024
Wazuh Agent Remote Execution | Detects enabling of remote commands in the Wazuh agent. By setting this value to 1, the agent is allowed to accept and execute remote commands from the Wazuh manager or other controlling systems. This could be used for legitimate remote administration, but it also opens up the potential for misuse if the Wazuh manager or server it connects to is malicious or compromised, as it grants significant control over the agent. | 07.10.2024
ETW Logging/Processing Option Disabled On IIS Server | Detects changes to the IIS server configuration that disable or remove the ETW logging/processing option. | 06.10.2024
HTTP Logging Disabled On IIS Server | Detects changes to the IIS server configuration that disable HTTP logging for successful requests. | 06.10.2024
New Module Added To IIS Server | Detects the addition of a new module to an IIS server. | 06.10.2024
Previously Installed IIS Module Was Removed | Detects the removal of a previously installed IIS module. | 06.10.2024
Potential Python DLL SideLoading | Detects potential DLL sideloading of Python DLL files. | 06.10.2024
Possible Windows Defender Exclusion Discovery | Detects a suspicious MpCmdRun.exe command line that looks like an attempt to find Windows Defender exclusions | 06.10.2024
Toneshell Registry Activity | Detects the 'Demeter' registry key used by the 'Toneshell' malware to store a randomly generated victim identifier | 05.10.2024
Renamed Python.exe Execution | Detects the execution of python.exe that has been renamed to avoid detection | 01.10.2024
Blackcat Ransomware Execution | Detects the execution of Blackcat ransomware | 01.10.2024
Detection of Renamed ADExplorer.exe | Detects instances of ADExplorer.exe that have been renamed, indicating potential malicious activity. | 30.09.2024
Detection of Renamed PuTTY.exe | Detects instances of PuTTY.exe clients that have been renamed, indicating potential malicious activity utilizing legitimate remote access tools. | 30.09.2024
Detection of Renamed WinRAR | Detects instances of WinRAR that have been renamed to fsutil.exe, indicating potential malicious packing of files. | 30.09.2024
Registry Modifications to Disable Windows Security Center Features | Detects modifications to the Windows Registry intended to disable various Security Center features. These changes can indicate an attempt by malicious actors to evade security measures, suppress important security notifications, or establish persistence by disabling critical security functionality. | 29.09.2024
Renamed RCLONE.EXE Execution | Detects the execution of a renamed "RCLONE.exe" binary based on the PE metadata fields | 27.09.2024
Renamed SharpHound.EXE Execution | Detects the execution of a renamed "SharpHound.exe" binary based on the PE metadata fields | 25.09.2024
Potential StarRailBase.dll Sideloading | Detects potential DLL sideloading of "StarRailBase.dll", which is part of the Honkai game. | 23.09.2024
Remote Access Tool - MeshAgent Command Execution via MeshCentral | Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure its activities and win-dispatcher to run malicious code through IPC with child processes. | 22.09.2024

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 3198 | 18479
Sigma | 3341 | 540

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1246
windows / registry_set | 201
windows / file_event | 190
windows / ps_script | 165
windows / security | 157
linux / process_creation | 120
windows / image_load | 105
webserver | 78
windows / system | 72
macos / process_creation | 65
windows / network_connection | 52
proxy | 52
linux / auditd | 48
azure / activitylogs | 43
aws / cloudtrail | 42
azure / auditlogs | 38
windows / registry_event | 38
windows / ps_module | 33
windows / application | 28
azure / signinlogs | 24
okta / okta | 22
windows / process_access | 22
windows / dns_query | 21
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 13
windows / file_delete | 13
github / audit | 13
cisco / aaa | 12
windows / ps_classic_start | 10
kubernetes / application / audit | 10
windows / driver_load | 10
windows / codeintegrity-operational | 10
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / firewall-as | 8
windows / msexchange-management | 8
dns | 8
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
windows / bits-client | 7
gcp / google_workspace.admin | 7
windows / registry_delete | 7
zeek / smb_files | 7
windows / dns-client | 6
windows / file_access | 6
linux / network_connection | 5
kubernetes / audit | 5
jvm / application | 5
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
zeek / dns | 4
zeek / http | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
windows / dns-server | 2
apache | 2
onelogin / onelogin.events | 2
macos / file_event | 2
qualys | 2
firewall | 2
windows / security-mitigations | 2
windows / file_change | 2
spring / application | 2
linux / syslog | 2
m365 / audit | 2
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
windows / file_rename | 1
sql / application | 1
linux / vsftpd | 1
windows / sysmon_status | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / sysmon_error | 1
database | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
windows | 1
windows / dns-server-analytic | 1
nginx | 1
windows / driver-framework | 1
windows / printservice-admin | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
netflow | 1
cisco / ldp | 1
fortios / sslvpnd | 1
linux / auth | 1
cisco / bgp | 1
windows / ldap | 1
django / application | 1
cisco / syslog | 1
linux / clamav | 1
windows / appmodel-runtime | 1
windows / smbclient-connectivity | 1
linux / cron | 1
huawei / bgp | 1
windows / applocker | 1
windows / openssh | 1
windows / process_tampering | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
cisco / duo | 1
linux / guacamole | 1
juniper / bgp | 1
windows / appxpackaging-om | 1
python / application | 1
paloalto / appliance / globalprotect | 1
windows / raw_access_thread | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / shell-core | 1
zeek / x509 | 1
windows / capi2 | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
velocity / application | 1
ruby_on_rails / application | 1
m365 / exchange | 1
linux / sudo | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 231
windows / registry_set | 62
windows / ps_script | 56
windows / wmi | 29
windows / file_event | 23
windows / image_load | 18
proxy | 12
windows / security | 11
linux / process_creation | 11
windows / network_connection | 7
windows / system | 7
windows / kernel-event-tracing | 6
windows / registry_event | 6
windows / ntfs | 5
windows / ps_module | 5
windows / pipe_created | 4
windows / sense | 4
windows / create_remote_thread | 4
windows / ps_classic_script | 3
webserver | 3
windows / vhd | 3
windows / registry_delete | 3
windows / application-experience | 3
windows / hyper-v-worker | 3
windows / kernel-shimengine | 2
windows / taskscheduler | 2
windows / bits-client | 2
windows / driver_load | 2
windows / audit-cve | 1
windows / file_delete | 1
windows / file_rename | 1
macos / process_creation | 1
windows / process_access | 1
windows / amsi | 1
windows / windefend | 1
windows / codeintegrity-operational | 1
windows / dns_query | 1
windows / registry-setinformation | 1
windows / firewall-as | 1
windows / file_access | 1
windows / application | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html