Valhalla Logo
currently serving 21595 YARA rules and 3875 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
HKTL_PY_ADCSync_Oct24
Detects ADCSync, a hacktool to use ADCS-ESC1 to perform a makeshift DCSync and dump hashes
28.10.2024
HKTL_Go_Nifo_Oct24
Detects nifo - a tool that removes AVs / EDRs with physical access - files nifo-arm64.exe, nifo-x64.exe
27.10.2024
MAL_VBS_PUFFPASTRY_Backdoor_Oct24
Detects characteristics found in PUFFPASTRY samples mentioned in A LNK Between Browsers report by Mandiant
27.10.2024
SUSP_VBS_Characteristics_Oct24_1
Detects samples with similarity to PUFFPASTRY samples mentioned in A LNK Between Browsers report by Mandiant
27.10.2024
SUSP_VBS_Loader_Oct24_1
Detects characteristics found in malicious VBS code (probably a common loader)
27.10.2024
SUSP_LOL_ESXi_Commands_Oct24
Detects commands mentioned in Living Off The Land ESXi
27.10.2024
SUSP_RDP_File_Indicators_Oct24_1
Detects characteristics found in malicious RDP files used as email attachments in spear phishing campaigns
25.10.2024
SUSP_RDP_File_Indicators_Email_Attachment_Oct24_1
Detects characteristics found in malicious RDP files used as email attachments in spear phishing campaigns (this rule detects the base64 encoded attachment)
25.10.2024
SUSP_RDP_File_Indicators_Oct24_2
Detects suspicious contents in RDP files
25.10.2024
MAL_RustyClaw_Oct24
Detects RustyClaw a RUST-based downloader
24.10.2024
HKTL_Pwnlook_Oct24_1
Detects pwnlook - an offensive post exploitation tool that will give you complete control over the Outlook desktop application and therefore to the emails configured in it
22.10.2024
MAL_RANSOM_Ransomhub_Oct24
Detects Ransomhub ransomware
22.10.2024
HKTL_RequestAADRefreshToken_Oct24
Detects RequestAADRefreshToken, a hacktool that obtains a refresh token for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account). An attacker can then use the token to authenticate to Azure AD as that user.
21.10.2024
HKTL_PS1_Misconfiguration_Manager_Oct24
Detects Misconfiguration-Manager, an enumeration tool for Microsoft Configuration Manager aka SCCM
21.10.2024
HKTL_PY_WindowsDowndate_Oct24
Detects WindowsDowndate, a Python tool that takes over Windows Updates to craft custom downgrades and expose past fixed vulnerabilities
21.10.2024
HKTL_GPOZaurr_Oct24
Detects GPOZaurr, a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
21.10.2024
SUSP_PY_Obfuscated_Anubis_Oct24
Detects Python script obfuscated using Anubis, a Python script to obfuscate and protect your code through anti debuggers, junk code and custom encryption.
21.10.2024
HKTL_ROADtoken_Oct24
Detects ROADtoken, a tool that uses the BrowserCore.exe binary to obtain a cookie that can be used with SSO and Azure AD.
21.10.2024
MAL_Wiper_Dropper_Oct24
Detects a Wiper dropper targeting Israel
19.10.2024
MAL_Wiper_Oct24
Detects a Wiper targeting Israel
19.10.2024
MAL_Infector_Oct24
Detects an Infector related to wiper campagin targeting Israel
19.10.2024
MAL_Zloader_Oct24_2
Detects Zloader a modular trojan based on leaked ZeuS source code
18.10.2024
MAL_Backdoor_Oct24
Detects backdoor realted to Russian speaking group tracked as 'UAT-5647' by Cisco Talos
18.10.2024
SUSP_LNK_Downloader_Sep24
Detects LNK downloading next stage payload
17.10.2024
SUSP_VBS_Execute_Oct24
Detects VBScript that execute base64 encoded command via PowerShell
15.10.2024
MAL_CobaltStrike_Beacon_Loader_Oct24
Detects Cobalt Strike beacon loader
15.10.2024
MAL_PasswordFilter_Oct24
Detects a DLL that can capture and harvest every password from compromised machines, even after they have been modified
15.10.2024
MAL_Unkown_Hacktool_Oct24
Detects Unkown hacktool
15.10.2024
MAL_CVE_2024_30088_POC_Oct24
Detects CVE_2024_30088 POC
15.10.2024
MAL_Loader_Oct24
Detects a simple loader that takes the first argument as the input file, decodes it in one-byte-XOR operation, and executes it
15.10.2024

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_Defense_Evasion_Known_System_UUID_Jun23
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
Trojan_Win32_Plaplex
13
0844dd9f54dcc6ac2843bea15ee32ba801b22aa555222564aede58c13fe44194
SUSP_Credential_Stealer_Indicators_Jul23_2
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
MAL_RANSOM_HTA_Info_Oct20_1
14
2839fde15e8dfc01542226b1ce25abe6302a34279ffc37303a32a3d52e93a467
SUSP_ELF_LNX_UPX_Compressed_File_Dec18
1
48a44cd4ca3e28fc4035049d9d84b924ff182792ab98be242e8750e4daf8eb28
SUSP_PS1_InvokeExpression_Casing_Anomaly
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
SUSP_Script_IP_Info_Combo_Aug24
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
SUSP_B64_Atob_Aug23
4
b7b2b265da83729408a226eec4786153285d640de99f3469d586b3918cd88a7f
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19
4
b7b2b265da83729408a226eec4786153285d640de99f3469d586b3918cd88a7f
SUSP_LNX_ReverseShell_Indicator_Jun22
14
3678d9930a5d80724af67d6084fa6d1cc67d5c888170e35ece5626decf3009cd
Trojan_Win32_Plaplex
12
e9b7a89265ffe4e2a84ef6c7212193532f2f8265989420f3d4bf9a827d059b43
HKTL_CobaltStrike_BOF_Indicators_Feb21_1
12
282cf2afa89a841b20c9988501cdbbbcad3716ba3619737f78d00ec6aff90d56
Casing_Anomaly_NewObject
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
Casing_Anomaly_Convert_PS
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
Casing_Anomaly_Invoke
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
Casing_Anomaly_IO_MemoryStream
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
Casing_Anomaly_PS_Convert
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
SUSP_LNX_ReverseShell_Indicator_Jun22
13
524186c5beb855b7765bba5ff7b15c2b0767864d5e4d50636925e7fc9294469f
Casing_Anomaly_FromBase64String
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c
Casing_Anomaly_PS1_Invoke_Expression
7
bac01102fa25f7b14f710c82c0d253975653f0b6a0ce01c069da010f5428630c

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
6417
Threat Hunting (not subscribable, only in THOR scanner)
5159
APT
4890
Hacktools
4572
Webshells
2338
Exploits
636

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Hacktool Nifo Usage
Detects Nifo - a tool that disables Windows AV/EDR software by corrupting their files offline via physical access
27.10.2024
Domain Obfuscation
Detecting domain obfuscation used by threat actor to hide the actual C2 used.
20.10.2024
MSC File Execution From Potential Suspicious Location
Detecting execution of Microsoft Management Console (MMC) files from potentially suspicious locations.
20.10.2024
Curl Variable Execution
Detecting curl execution with variable being passed as the domain to fetch data, could be used by threat actor to hide the actul malicious domain.
20.10.2024
Potential Conti Ransomware Activity
Detects a specific command line pattern based on flags used by the Conti ransomware
07.10.2024
Wazuh Agent Remote Execution
Detects enabling of remote commands in the Wazuh agent. By setting this value to 1, the agent is allowed to accept and execute remote commands from the Wazuh manager or other controlling systems. This could be used for legitimate remote administration, but it also opens up the potential for misuse if the Wazuh manager or server it's connecting to is malicious or compromised, as it grants significant control over the agent.
07.10.2024
ETW Logging/Processing Option Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
06.10.2024
HTTP Logging Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
06.10.2024
New Module Module Added To IIS Server
Detects the addition of a new module to an IIS server.
06.10.2024
Previously Installed IIS Module Was Removed
Detects the removal of a previously installed IIS module.
06.10.2024
Potential Python DLL SideLoading
Detects potential DLL sideloading of Python DLL files.
06.10.2024
Possible Windows Defender Exclusion Discovery
Detects a suspicious MpCmdRun.exe process command line that looks as if someone was trying to find Windows Defender exclusions
06.10.2024
Toneshell Registry Activity
Detects 'Demeter' registry key used to store a randomly generated victim identifier used by 'Toneshell' malware
05.10.2024
Renamed Python.exe Execution
Detects the execution of python.exe that has been renamed to a different name to avoid detection
01.10.2024
Blackcat Ransomware Execution
Detects the execution of Blackcat ransomware
01.10.2024
Detection of Renamed ADExplorer.exe
Detects instances of ADExplorer.exe that have been renamed, indicating potential malicious activity.
30.09.2024
Detection of Renamed PuTTY.exe
Detects instances of PuTTY.exe clients that have been renamed, indicating potential malicious activity utilizing legitimate remote access tools.
30.09.2024
Detection of Renamed WinRAR
Detects instances of WinRAR that have been renamed to fsutil.exe, indicating potential malicious packing of files.
30.09.2024
Registry Modifications to Disable Windows Security Center Features
Detects modifications to the Windows Registry intended to disable various Security Center features, these changes can indicate an attempt by malicious actors to evade security measures, suppress important security notifications, or establish persistence on the system by disabling critical security functionalities.
29.09.2024
Renamed RCLONE.EXE Execution
Detects the execution of a renamed "RCLONE.exe" binary based on the PE metadata fields
27.09.2024
Renamed SharpHound.EXE Execution
Detects the execution of a renamed "SharpHound.exe" binary based on the PE metadata fields
25.09.2024
Potential StarRailBase.dll Sideloading
Detects potential DLL sideloading of "StarRailBase.dll", which is part of the Honkai game.
23.09.2024
Remote Access Tool - MeshAgent Command Execution via MeshCentral
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
22.09.2024
Potential Lumma Stealer PowerShell Pattern
Detects process command line pattern of the Lumma Stealer malware family.
21.09.2024
Splinter Traffic Activity
Detects splinter pentest tool GET requests used to retrive data from the C2
20.09.2024
Java JAR Execution From Potentially Suspicious Location
Detects execution of Java application that has been packaged into a JAR from suspicious locations.
20.09.2024
Java JAR Execution With Uncommon JAR Extension
Detects execution of Java application that has been packaged into a JAR that doesn't contain a common extension.
20.09.2024
Suspicious Granting of Full Control to Everyone via Security Descriptor
Detects the usage of commands that modify security descriptors to grant full control (KA) permissions to the Everyone (WD) group. The presence of "D:(A;;KA;;;WD)" in a command line is unusual and may indicate an attempt to weaken security by allowing all users unrestricted access to critical system objects, potentially leading to privilege escalation or unauthorized system modifications.
19.09.2024
Suspicious Modification of Service Control Manager Permissions Via Sc.EXE
Detects changes to the Service Control Manager (SCManager) security descriptor that grant excessive permissions (e.g., Everyone group) to control system services. This behavior can indicate an attempt at local privilege escalation by allowing unauthorized users to manipulate critical services.
19.09.2024
Suspicious Veeam Backup Process Creation
Detects the execution of suspicious Veeam Backup sub processes and PowerShell commands that are often related to exploitation
17.09.2024

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
3196
18399
Sigma
3340
535

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1246
windows / registry_set
200
windows / file_event
189
windows / ps_script
166
windows / security
157
linux / process_creation
120
windows / image_load
105
webserver
78
windows / system
72
macos / process_creation
65
windows / network_connection
52
proxy
52
linux / auditd
48
azure / activitylogs
43
aws / cloudtrail
42
windows / registry_event
38
azure / auditlogs
38
windows / ps_module
33
windows / application
28
azure / signinlogs
24
okta / okta
22
windows / process_access
22
windows / dns_query
21
azure / riskdetection
19
windows / pipe_created
18
opencanary / application
18
linux
17
rpc_firewall / application
17
windows / windefend
16
gcp / gcp.audit
16
bitbucket / audit
14
m365 / threat_management
13
windows / create_remote_thread
13
windows / file_delete
13
github / audit
13
cisco / aaa
12
windows / codeintegrity-operational
10
windows / ps_classic_start
10
kubernetes / application / audit
10
windows / driver_load
10
windows / create_stream_hash
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
windows / msexchange-management
8
dns
8
zeek / smb_files
7
antivirus
7
azure / pim
7
windows / appxdeployment-server
7
windows / registry_delete
7
gcp / google_workspace.admin
7
windows / bits-client
7
windows / dns-client
6
windows / file_access
6
linux / network_connection
5
jvm / application
5
kubernetes / audit
5
windows / sysmon
4
windows / taskscheduler
4
windows / iis-configuration
4
zeek / dce_rpc
4
zeek / dns
4
zeek / http
3
windows / wmi_event
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
m365 / audit
2
linux / syslog
2
windows / security-mitigations
2
windows / dns-server
2
onelogin / onelogin.events
2
macos / file_event
2
apache
2
qualys
2
firewall
2
windows / file_change
2
spring / application
2
velocity / application
1
windows / capi2
1
windows / file_executable_detected
1
ruby_on_rails / application
1
m365 / exchange
1
linux / sudo
1
zeek / x509
1
windows / microsoft-servicebus-client
1
windows / file_rename
1
sql / application
1
windows / smbclient-security
1
windows / sysmon_status
1
m365 / threat_detection
1
linux / vsftpd
1
zeek / rdp
1
windows / diagnosis-scripted
1
zeek / kerberos
1
windows / sysmon_error
1
database
1
windows / terminalservices-localsessionmanager
1
windows / dns-server-analytic
1
windows
1
windows / printservice-admin
1
nginx
1
windows / driver-framework
1
windows / ps_classic_provider_start
1
windows / printservice-operational
1
netflow
1
cisco / bgp
1
windows / lsa-server
1
windows / wmi
1
fortios / sslvpnd
1
linux / auth
1
cisco / ldp
1
django / application
1
cisco / syslog
1
linux / cron
1
windows / appmodel-runtime
1
windows / smbclient-connectivity
1
linux / guacamole
1
huawei / bgp
1
windows / ldap
1
windows / process_tampering
1
nodejs / application
1
paloalto / file_event / globalprotect
1
juniper / bgp
1
windows / applocker
1
windows / openssh
1
python / application
1
paloalto / appliance / globalprotect
1
cisco / duo
1
linux / clamav
1
windows / appxpackaging-om
1
windows / shell-core
1
windows / raw_access_thread
1
windows / certificateservicesclient-lifecycle-system
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
230
windows / registry_set
58
windows / ps_script
56
windows / wmi
29
windows / file_event
23
windows / image_load
18
proxy
12
windows / security
11
linux / process_creation
11
windows / network_connection
7
windows / system
7
windows / kernel-event-tracing
6
windows / registry_event
6
windows / ps_module
5
windows / ntfs
5
windows / sense
4
windows / pipe_created
4
windows / create_remote_thread
4
windows / ps_classic_script
3
windows / vhd
3
webserver
3
windows / registry_delete
3
windows / application-experience
3
windows / hyper-v-worker
3
windows / kernel-shimengine
2
windows / taskscheduler
2
windows / driver_load
2
windows / bits-client
2
macos / process_creation
1
windows / windefend
1
windows / process_access
1
windows / amsi
1
windows / application
1
windows / audit-cve
1
windows / file_access
1
windows / registry-setinformation
1
windows / codeintegrity-operational
1
windows / dns_query
1
windows / firewall-as
1
windows / file_delete
1
windows / file_rename
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022