currently serving 21464 YARA rules and 3852 Sigma rules

[Chart: New Rules per Day]

Newest YARA Rules

This table shows the newest additions to the YARA rule set

| Rule | Description | Date |
|---|---|---|
| MAL_Rust_Splinter_Implants_Sep24 | Detects C2 implants of the Splinter post-exploitation framework | 25.09.2024 |
| PUA_LNX_TMate_Sep24_1 | Detects the tmate terminal sharing utility (PUA). tmate is a fork of tmux that allows easier sharing of terminal sessions with remote users. | 24.09.2024 |
| SUSP_UPX_Inside_PE_Sep24 | Detects a UPX-packed PE binary inside a small PE, which makes it more probable that UPX was used to obfuscate rather than to compress | 23.09.2024 |
| SUSP_Nim_UPX_Packed_Small_Sep24 | Detects a suspicious unsigned executable written in Nim that is packed with UPX despite already being quite small | 23.09.2024 |
| PUA_Mullvad_VPN_Sep24 | Detects Mullvad VPN, a legitimate VPN tool sometimes abused by threat actors | 23.09.2024 |
| SUSP_Rust_UPX_Packed_Small_Sep24 | Detects a suspicious unsigned executable written in Rust that is packed with UPX despite already being quite small | 23.09.2024 |
| MAL_Packer_Sep24 | Detects an unknown packer used for malware | 23.09.2024 |
| SUSP_Rust_Implant_Indicators_Sep24_1 | Detects suspicious indicators found in Rust-based malware samples | 20.09.2024 |
| SUSP_PS1_LummaStealer_Pattern_Sep24_1 | Detects suspicious patterns found in LummaStealer PowerShell scripts that users copy to the command line and execute | 20.09.2024 |
| SUSP_CronTab_Entries_Sep24_2 | Detects suspicious crontab entries | 19.09.2024 |
| SUSP_PS1_Casing_Anomaly_Join | Detects suspicious casing in commands | 19.09.2024 |
| EXPL_HTKL_VeeamBackup_CVE_2024_40711_Sep24_1 | Detects exploit code for the Veeam Backup & Replication RCE CVE-2024-40711 | 17.09.2024 |
| EXPL_HTKL_Exploit_Remoting_Service_Sep24_1 | Detects exploit code for Remoting Service | 17.09.2024 |
| WEBSHELL_ASPX_Ghost_Sep24_1 | Detects Ghost ASPX web shells | 17.09.2024 |
| WEBSHELL_PHP_Gen_Sep24_1 | Detects PHP web shells based on certain patterns | 17.09.2024 |
| WEBSHELL_JSP_Pattern_Sep24_1 | Detects obfuscated JSP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_JSP_Pattern_Sep24_2 | Detects obfuscated JSP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_ASP_Pattern_Sep24_1 | Detects obfuscated ASP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_ASP_Pattern_Sep24_2 | Detects obfuscated ASP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_JSP_Pattern_Sep24_3 | Detects obfuscated JSP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_JSP_Tiny_Sep24_1 | Detects tiny JSP web shells | 17.09.2024 |
| WEBSHELL_ASP_OBFUSC_Sep24_1 | Detects obfuscated ASP web shells | 17.09.2024 |
| WEBSHELL_Tiny_Sep24_1 | Detects tiny obfuscated web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_JSP_OBFUSC_Sep24_1 | Detects obfuscated JSP web shells | 17.09.2024 |
| MAL_ShadowPad_Downloader_Sep24 | Detects a downloader seen being used by the ShadowPad APT group | 16.09.2024 |
| MAL_BruteRatel_Loader_Sep24 | Detects Brute Ratel C4 loaders | 13.09.2024 |
| PUA_Tdskiller_Sep24 | Detects TDSSKiller, a legitimate tool developed by Kaspersky to remove rootkits. It is also capable of disabling EDR software | 13.09.2024 |
| MAL_RANSOM_Beast_Sep24 | Detects Beast ransomware | 13.09.2024 |
| MAL_Sambaspy_Dropper_Sep24 | Detects the SambaSpy RAT dropper | 13.09.2024 |
| MAL_VBS_Download_Payload_Sep24 | Detects a VBS script that downloads a next-stage payload | 13.09.2024 |

Successful YARA Rules in Set

This table shows the best-performing rules, those with the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20 |
| SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180 |
| SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14 |
| SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64 |
| SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11 |
| SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22 |
| SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45 |
| SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736 |
| SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43 |
| SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21 |
| SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21 |
| SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14 |
| SUSP_URL_Split_Jun23 | 2.5 | 18 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13 |
| PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18 |
| SUSP_JS_Redirector_Mar23 | 2.81 | 108 |
| SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274 |
| SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16 |
| SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34 |
| SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64 |
| SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17 |
| HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16 |
| SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13 |
| SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16 |
| SUSP_RANSOM_Note_Aug22 | 4.01 | 171 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67 |
| SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18 |
| SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12 |
| SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26 |
| SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31 |

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)


YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can belong to more than one category)

| Tag | Count |
|---|---|
| Malware | 6354 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5122 |
| APT | 4877 |
| Hacktools | 4545 |
| Webshells | 2333 |
| Exploits | 632 |

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

| Rule | Description | Date |
|---|---|---|
| Potential Lumma Stealer PowerShell Pattern | Detects the process command line pattern of the Lumma Stealer malware family. | 21.09.2024 |
| Splinter Traffic Activity | Detects Splinter pentest tool GET requests used to retrieve data from the C2 | 20.09.2024 |
| Java JAR Execution From Potentially Suspicious Location | Detects execution of a Java application that has been packaged into a JAR from suspicious locations. | 20.09.2024 |
| Java JAR Execution With Uncommon JAR Extension | Detects execution of a Java application that has been packaged into a JAR that doesn't carry a common extension. | 20.09.2024 |
| Suspicious Granting of Full Control to Everyone via Security Descriptor | Detects the usage of commands that modify security descriptors to grant full control (KA) permissions to the Everyone (WD) group. The presence of "D:(A;;KA;;;WD)" in a command line is unusual and may indicate an attempt to weaken security by allowing all users unrestricted access to critical system objects, potentially leading to privilege escalation or unauthorized system modifications. | 19.09.2024 |
| Suspicious Modification of Service Control Manager Permissions Via Sc.EXE | Detects changes to the Service Control Manager (SCManager) security descriptor that grant excessive permissions (e.g., to the Everyone group) to control system services. This behavior can indicate an attempt at local privilege escalation by allowing unauthorized users to manipulate critical services. | 19.09.2024 |
| Suspicious Veeam Backup Process Creation | Detects the execution of suspicious Veeam Backup sub-processes and PowerShell commands that are often related to exploitation | 17.09.2024 |
| Network Connection Initiated To BTunnels Domains | Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse this feature to establish a reverse shell or persistence on a machine. | 13.09.2024 |
| Potential Iisreset Abuse | Detects iisreset usage to stop the IIS services and prevent users from accessing the web server | 10.09.2024 |
| PowerShell Restart Windows Defender | Detects PowerShell restarting services related to Windows Defender | 10.09.2024 |
| Renamed SharpNBTScan.EXE Execution | Detects the execution of a renamed "SharpNBTScan.exe". Often used by attackers to perform scanning in the environment. | 10.09.2024 |
| Tasklist AV Software | Detects tasklist usage to detect the presence of security software | 10.09.2024 |
| Startup/Logon Script Added to Group Policy Object | Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to user or computer objects. | 06.09.2024 |
| Group Policy Abuse for Privilege Addition | Detects the first occurrence of a modification to Group Policy Object attributes to add privileges to user accounts or use them to add users as local admins. | 04.09.2024 |
| Process Deletion of Its Own Executable | Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. | 03.09.2024 |
| PowerShell Web Access Feature Enabled Via DISM | Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse | 03.09.2024 |
| PowerShell Web Access Installation - PsScript | Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse | 03.09.2024 |
| Remote Access Tool - AnyDesk Incoming Connection | Detects incoming connections to AnyDesk. This could indicate a remote attacker trying to connect to a listening instance of AnyDesk and use it as a potential command-and-control channel. | 02.09.2024 |
| Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image | Detects potential command line obfuscation using Unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. | 02.09.2024 |
| Suspicious Invocation of Shell via AWK - Linux | Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. | 02.09.2024 |
| Capsh Shell Invocation - Linux | Detects the use of the "capsh" utility to invoke a shell. | 02.09.2024 |
| Shell Invocation via Env Command - Linux | Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands. | 02.09.2024 |
| Shell Execution via Flock - Linux | Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Shell Execution via Find - Linux | Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or an exploitation attempt. | 02.09.2024 |
| Shell Execution GCC - Linux | Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Shell Execution via Git - Linux | Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Shell Execution via Nice - Linux | Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Inline Python Execution - Spawn Shell Via OS System Library | Detects execution of inline Python code via the "-c" option in order to call the "system" function from the "os" library and spawn a shell. | 02.09.2024 |
| Shell Execution via Rsync - Linux | Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Shell Invocation Via Ssh - Linux | Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 29.08.2024 |

YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
|---|---|---|
| Yara | 3197 | 18267 |
| Sigma | 3334 | 518 |

Sigma Rules Per Category (Community)

| Type | Count |
|---|---|
| windows / process_creation | 1245 |
| windows / registry_set | 200 |
| windows / file_event | 189 |
| windows / ps_script | 166 |
| windows / security | 157 |
| linux / process_creation | 120 |
| windows / image_load | 104 |
| webserver | 78 |
| windows / system | 72 |
| macos / process_creation | 65 |
| proxy | 52 |
| windows / network_connection | 52 |
| linux / auditd | 48 |
| azure / activitylogs | 43 |
| aws / cloudtrail | 42 |
| azure / auditlogs | 38 |
| windows / registry_event | 38 |
| windows / ps_module | 33 |
| windows / application | 28 |
| azure / signinlogs | 24 |
| okta / okta | 22 |
| windows / process_access | 22 |
| windows / dns_query | 21 |
| azure / riskdetection | 19 |
| opencanary / application | 18 |
| windows / pipe_created | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| gcp / gcp.audit | 16 |
| windows / windefend | 16 |
| bitbucket / audit | 14 |
| windows / create_remote_thread | 13 |
| windows / file_delete | 13 |
| github / audit | 13 |
| m365 / threat_management | 13 |
| cisco / aaa | 12 |
| windows / ps_classic_start | 10 |
| kubernetes / application / audit | 10 |
| windows / driver_load | 10 |
| windows / codeintegrity-operational | 10 |
| windows / create_stream_hash | 9 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| dns | 8 |
| azure / pim | 7 |
| windows / appxdeployment-server | 7 |
| windows / registry_delete | 7 |
| gcp / google_workspace.admin | 7 |
| windows / bits-client | 7 |
| zeek / smb_files | 7 |
| antivirus | 7 |
| windows / file_access | 6 |
| windows / dns-client | 6 |
| kubernetes / audit | 5 |
| jvm / application | 5 |
| linux / network_connection | 5 |
| zeek / dns | 4 |
| zeek / dce_rpc | 4 |
| windows / sysmon | 4 |
| windows / taskscheduler | 4 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| linux / sshd | 3 |
| windows / wmi_event | 3 |
| zeek / http | 3 |
| windows / dns-server | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| apache | 2 |
| qualys | 2 |
| windows / file_change | 2 |
| firewall | 2 |
| windows / security-mitigations | 2 |
| spring / application | 2 |
| m365 / audit | 2 |
| linux / syslog | 2 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / sysmon_error | 1 |
| windows | 1 |
| windows / dns-server-analytic | 1 |
| database | 1 |
| zeek / kerberos | 1 |
| windows / printservice-operational | 1 |
| windows / driver-framework | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-admin | 1 |
| nginx | 1 |
| windows / ldap | 1 |
| fortios / sslvpnd | 1 |
| netflow | 1 |
| cisco / bgp | 1 |
| cisco / syslog | 1 |
| linux / auth | 1 |
| cisco / ldp | 1 |
| django / application | 1 |
| windows / smbclient-connectivity | 1 |
| linux / cron | 1 |
| windows / openssh | 1 |
| windows / process_tampering | 1 |
| paloalto / file_event / globalprotect | 1 |
| linux / guacamole | 1 |
| huawei / bgp | 1 |
| windows / appmodel-runtime | 1 |
| nodejs / application | 1 |
| paloalto / appliance / globalprotect | 1 |
| cisco / duo | 1 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| windows / shell-core | 1 |
| python / application | 1 |
| linux / clamav | 1 |
| windows / appxpackaging-om | 1 |
| windows / raw_access_thread | 1 |
| windows / file_executable_detected | 1 |
| windows / capi2 | 1 |
| windows / microsoft-servicebus-client | 1 |
| velocity / application | 1 |
| linux / sudo | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| zeek / x509 | 1 |
| sql / application | 1 |
| windows / sysmon_status | 1 |
| m365 / threat_detection | 1 |
| linux / vsftpd | 1 |
| zeek / rdp | 1 |
| windows / diagnosis-scripted | 1 |

Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
|---|---|
| windows / process_creation | 217 |
| windows / registry_set | 57 |
| windows / ps_script | 55 |
| windows / wmi | 29 |
| windows / file_event | 23 |
| windows / image_load | 17 |
| proxy | 12 |
| windows / security | 11 |
| linux / process_creation | 11 |
| windows / network_connection | 7 |
| windows / system | 7 |
| windows / kernel-event-tracing | 6 |
| windows / ntfs | 5 |
| windows / ps_module | 5 |
| windows / registry_event | 5 |
| windows / sense | 4 |
| windows / pipe_created | 4 |
| windows / create_remote_thread | 4 |
| windows / hyper-v-worker | 3 |
| windows / ps_classic_script | 3 |
| windows / vhd | 3 |
| webserver | 3 |
| windows / application-experience | 3 |
| windows / registry_delete | 3 |
| windows / bits-client | 2 |
| windows / driver_load | 2 |
| windows / kernel-shimengine | 2 |
| windows / taskscheduler | 2 |
| windows / audit-cve | 1 |
| windows / file_access | 1 |
| windows / registry-setinformation | 1 |
| windows / dns_query | 1 |
| windows / firewall-as | 1 |
| windows / file_delete | 1 |
| windows / file_rename | 1 |
| macos / process_creation | 1 |
| windows / windefend | 1 |
| windows / amsi | 1 |
| windows / process_access | 1 |
| windows / codeintegrity-operational | 1 |
| windows / application | 1 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html