Valhalla Logo
currently serving 21464 YARA rules and 3852 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
MAL_Rust_Splinter_Implants_Sep24
Detects C2 implants of the Splinter post-exploitation framework
25.09.2024
PUA_LNX_TMate_Sep24_1
Detects PUA TMate terminal sharing utility. Tmate is a fork of tmux but allows for easier sharing of terminal sessions to remote users.
24.09.2024
SUSP_UPX_Inside_PE_Sep24
Detects a UPX packed PE binary inside a small PE, which makes it more probable, that UPX was used to obfuscate rather than for compression
23.09.2024
SUSP_Nim_UPX_Packed_Small_Sep24
Detects a suspicious unsigned executable written in Nim, which is packed with UPX despite already being quite small
23.09.2024
PUA_Mullvad_VPN_Sep24
Detects Mullvad VPN, a legitimate VPN tool sometimes abused by threat actors
23.09.2024
SUSP_Rust_UPX_Packed_Small_Sep24
Detects a suspicious unsigned executable written in Rust, which is packed with UPX despite already being quite small
23.09.2024
MAL_Packer_Sep24
Detects unknown packer used for malware
23.09.2024
SUSP_Rust_Implant_Indicators_Sep24_1
Detects suspicious indicators found in Rust based malware samples
20.09.2024
SUSP_PS1_LummaStealer_Pattern_Sep24_1
Detects suspicious patterns found in LummaStealer PowerShell scripts that users copy to the command line an execute
20.09.2024
SUSP_CronTab_Entries_Sep24_2
Detects suspicious crontab entries
19.09.2024
SUSP_PS1_Casing_Anomaly_Join
Detects suspicious casing in commands
19.09.2024
EXPL_HTKL_VeeamBackup_CVE_2024_40711_Sep24_1
Detects exploit code for Veeam Backup & Replication RCE CVE-2024-40711
17.09.2024
EXPL_HTKL_Exploit_Remoting_Service_Sep24_1
Detects exploit code for Remoting Service
17.09.2024
WEBSHELL_ASPX_Ghost_Sep24_1
Detects Ghost ASPX web shells
17.09.2024
WEBSHELL_PHP_Gen_Sep24_1
Detects PHP web shells based on certain patterns
17.09.2024
WEBSHELL_JSP_Pattern_Sep24_1
Detects obfuscated JSP web shells based on certain characteristics
17.09.2024
WEBSHELL_JSP_Pattern_Sep24_2
Detects obfuscated JSP web shells based on certain characteristics
17.09.2024
WEBSHELL_ASP_Pattern_Sep24_1
Detects obfuscated ASP web shells based on certain characteristics
17.09.2024
WEBSHELL_ASP_Pattern_Sep24_2
Detects obfuscated ASP web shells based on certain characteristics
17.09.2024
WEBSHELL_JSP_Pattern_Sep24_3
Detects obfuscated JSP web shells based on certain characteristics
17.09.2024
WEBSHELL_JSP_Tiny_Sep24_1
Detects tiny JSP web shells
17.09.2024
WEBSHELL_ASP_OBFUSC_Sep24_1
Detects obfuscated ASP web shells
17.09.2024
WEBSHELL_Tiny_Sep24_1
Detects tiny obfuscated web shells based on certain characteristics
17.09.2024
WEBSHELL_JSP_OBFUSC_Sep24_1
Detects obfuscated JSP web shells
17.09.2024
MAL_ShadowPad_Downloader_Sep24
Detects downloader, seen being used by ShadowPad APT group
16.09.2024
MAL_BruteRatel_Loader_Sep24
Detects Brute Ratel C4 loaders
13.09.2024
PUA_Tdskiller_Sep24
Detects Tdskiller a legitimate tool developed by Kaspersky to remove rootkits. It is also capable of disabling EDR software
13.09.2024
MAL_RANSOM_Beast_Sep24
Detects Beast ransomware
13.09.2024
MAL_Sambaspy_Dropper_Sep24
Detects Sambaspy RAT dropper
13.09.2024
MAL_VBS_Download_Payload_Sep24
Detects VBS script that downloads next stage payload
13.09.2024

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_JS_OBFUSC_Feb23_2
2
96f7f0fc9ad5a014648abf04104f7530cdabf8983ef3e1d8e6608d8db295359b
SUSP_OBFUSC_UPX_Oct20
6
3c612a3383e1b7f80f88dd1843bb71476c3e670b4e9c33e4dd277dd1d054c712
Unspecified_Dropper_Mar17_2
11
0694ed37c45d8fc009bc57c85ddec047f62f4774c1f639274c02cf41d0186d9f
MAL_Backdoor_Rifle_Feb19_1
11
0694ed37c45d8fc009bc57c85ddec047f62f4774c1f639274c02cf41d0186d9f
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
4
3057b0f4562dc98c473b80791995b890da4544d4e90adb015757657bef743b2c
SUSP_B64_Atob_Aug23
4
3057b0f4562dc98c473b80791995b890da4544d4e90adb015757657bef743b2c
SUSP_OBF_VMProtect_Jan24
5
da4ddaeaaff199ac9794514cf734aab50d3dd69caa0ee6510992684522150256
SUSP_OBF_VMProtect_Jan24
5
a92d4370d87fb1f6532c86482c8f6683993b88c2d9fc1a8a33490c43e394ba80
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
4
5ab81006f27642cfa68655a5558ce7b9ed0400fc08dd9b3644c38c893366b15f
SUSP_B64_Atob_Aug23
4
5ab81006f27642cfa68655a5558ce7b9ed0400fc08dd9b3644c38c893366b15f
SUSP_W32tm_StripChart_Cmdline_Oct22_1
13
7724b50bc06fc8d09e7f482ac430a63475efe28a137568efd1848ced232a5f34
SUSP_Dir_Ref_in_File_Public
12
03af2780ff8b902a6928f2241b1e53881bd954858d9cd3c26849e6f47eca7825
SUSP_Encoded_GetProcAddress_Mar19
12
03af2780ff8b902a6928f2241b1e53881bd954858d9cd3c26849e6f47eca7825
SUSP_Public_Program_Ref_May22_1
12
03af2780ff8b902a6928f2241b1e53881bd954858d9cd3c26849e6f47eca7825
SUSP_FromBase64_StartProcess_Combo_Mar21_1
12
03af2780ff8b902a6928f2241b1e53881bd954858d9cd3c26849e6f47eca7825
SUSP_OBFUSC_NET_MSIL_Base64_Indicators_Apr23
12
03af2780ff8b902a6928f2241b1e53881bd954858d9cd3c26849e6f47eca7825
SUSP_FilePath_Public_Oct21_1
12
03af2780ff8b902a6928f2241b1e53881bd954858d9cd3c26849e6f47eca7825
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
4
340bb0856b063ae9652dc5619016383a3285166147f3ddb7a53126b6e50dc499
SUSP_B64_Atob_Aug23
4
340bb0856b063ae9652dc5619016383a3285166147f3ddb7a53126b6e50dc499
SUSP_XORed_Mozilla_Oct19
5
32a1a5f20c28adad917dc79ecf8db6d674dca41f9469dc16e92047a99b58c5d7

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
6354
Threat Hunting (not subscribable, only in THOR scanner)
5122
APT
4877
Hacktools
4545
Webshells
2333
Exploits
632

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Potential Lumma Stealer PowerShell Pattern
Detects process command line pattern of the Lumma Stealer malware family.
21.09.2024
Splinter Traffic Activity
Detects splinter pentest tool GET requests used to retrive data from the C2
20.09.2024
Java JAR Execution From Potentially Suspicious Location
Detects execution of Java application that has been packaged into a JAR from suspicious locations.
20.09.2024
Java JAR Execution With Uncommon JAR Extension
Detects execution of Java application that has been packaged into a JAR that doesn't contain a common extension.
20.09.2024
Suspicious Granting of Full Control to Everyone via Security Descriptor
Detects the usage of commands that modify security descriptors to grant full control (KA) permissions to the Everyone (WD) group. The presence of "D:(A;;KA;;;WD)" in a command line is unusual and may indicate an attempt to weaken security by allowing all users unrestricted access to critical system objects, potentially leading to privilege escalation or unauthorized system modifications.
19.09.2024
Suspicious Modification of Service Control Manager Permissions Via Sc.EXE
Detects changes to the Service Control Manager (SCManager) security descriptor that grant excessive permissions (e.g., Everyone group) to control system services. This behavior can indicate an attempt at local privilege escalation by allowing unauthorized users to manipulate critical services.
19.09.2024
Suspicious Veeam Backup Process Creation
Detects the execution of suspicious Veeam Backup sub processes and PowerShell commands that are often related to exploitation
17.09.2024
Network Connection Initiated To BTunnels Domains
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
13.09.2024
Potential Iisreset Abuse
Detects iisreset usage to stop the IIS services to prevent users to access the webserver
10.09.2024
PowerShell Restart Windows Defender
Detects powershell restarting services related to Windows Defender
10.09.2024
Renamed SharpNBTScan.EXE Execution
Detects the execution of a renamed "SharpNBTScan.exe". Often used by the attackers to perform scanning in the environment/.
10.09.2024
Tasklist AV Software
Detects tasklist usage to detect security software presence
10.09.2024
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
06.09.2024
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
04.09.2024
Process Deletion of Its Own Executable
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
03.09.2024
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
03.09.2024
PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
03.09.2024
Remote Access Tool - AnyDesk Incoming Connection
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
02.09.2024
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
02.09.2024
Suspicious Invocation of Shell via AWK - Linux
Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
02.09.2024
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
02.09.2024
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
02.09.2024
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
02.09.2024
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Inline Python Execution - Spawn Shell Via OS System Library
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
02.09.2024
Shell Execution via Rsync - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
02.09.2024
Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
29.08.2024

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
3197
18267
Sigma
3334
518

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1245
windows / registry_set
200
windows / file_event
189
windows / ps_script
166
windows / security
157
linux / process_creation
120
windows / image_load
104
webserver
78
windows / system
72
macos / process_creation
65
windows / network_connection
52
proxy
52
linux / auditd
48
azure / activitylogs
43
aws / cloudtrail
42
azure / auditlogs
38
windows / registry_event
38
windows / ps_module
33
windows / application
28
azure / signinlogs
24
okta / okta
22
windows / process_access
22
windows / dns_query
21
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
cisco / aaa
12
windows / codeintegrity-operational
10
windows / ps_classic_start
10
kubernetes / application / audit
10
windows / driver_load
10
windows / create_stream_hash
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
windows / msexchange-management
8
dns
8
zeek / smb_files
7
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
windows / registry_delete
7
windows / bits-client
7
gcp / google_workspace.admin
7
windows / dns-client
6
windows / file_access
6
linux / network_connection
5
kubernetes / audit
5
jvm / application
5
windows / sysmon
4
windows / taskscheduler
4
zeek / dns
4
zeek / dce_rpc
4
zeek / http
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
m365 / audit
2
linux / syslog
2
windows / dns-server
2
macos / file_event
2
onelogin / onelogin.events
2
apache
2
qualys
2
firewall
2
windows / file_change
2
windows / security-mitigations
2
spring / application
2
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
velocity / application
1
linux / sudo
1
zeek / x509
1
windows / smbclient-security
1
windows / file_rename
1
ruby_on_rails / application
1
m365 / exchange
1
sql / application
1
zeek / rdp
1
windows / diagnosis-scripted
1
windows / sysmon_status
1
m365 / threat_detection
1
linux / vsftpd
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
zeek / kerberos
1
windows
1
windows / dns-server-analytic
1
database
1
windows / driver-framework
1
windows / printservice-operational
1
nginx
1
windows / lsa-server
1
windows / wmi
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
cisco / bgp
1
windows / ldap
1
fortios / sslvpnd
1
netflow
1
cisco / ldp
1
cisco / syslog
1
linux / auth
1
django / application
1
windows / smbclient-connectivity
1
linux / cron
1
huawei / bgp
1
windows / appmodel-runtime
1
windows / openssh
1
windows / process_tampering
1
paloalto / file_event / globalprotect
1
linux / guacamole
1
juniper / bgp
1
windows / applocker
1
nodejs / application
1
paloalto / appliance / globalprotect
1
cisco / duo
1
windows / appxpackaging-om
1
windows / shell-core
1
python / application
1
linux / clamav
1
windows / raw_access_thread
1
windows / capi2
1
windows / file_executable_detected
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
217
windows / registry_set
57
windows / ps_script
55
windows / wmi
29
windows / file_event
23
windows / image_load
17
proxy
12
windows / security
11
linux / process_creation
11
windows / network_connection
7
windows / system
7
windows / kernel-event-tracing
6
windows / ntfs
5
windows / ps_module
5
windows / registry_event
5
windows / sense
4
windows / pipe_created
4
windows / create_remote_thread
4
windows / hyper-v-worker
3
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / application-experience
3
windows / registry_delete
3
windows / kernel-shimengine
2
windows / taskscheduler
2
windows / bits-client
2
windows / driver_load
2
windows / dns_query
1
windows / firewall-as
1
windows / file_delete
1
windows / file_rename
1
macos / process_creation
1
windows / windefend
1
windows / amsi
1
windows / process_access
1
windows / codeintegrity-operational
1
windows / application
1
windows / audit-cve
1
windows / file_access
1
windows / registry-setinformation
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022