currently serving 21823 YARA rules and 3891 Sigma rules
New Rules per Day
Newest YARA Rules
This table shows the newest additions to the YARA rule set
| Rule | Description | Date |
|---|---|---|
| MAL_ConvoC2_Dec24 | Detects the ConvoC2 agent, C2 infrastructure that allows red teamers to execute system commands on compromised hosts through Microsoft Teams. | 16.12.2024 |
| HKTL_CSHARP_SharpGPO_Dec24 | Detects SharpGPO, a red team tool for remotely manipulating Group Policy Objects (GPO), Organizational Units (OU), GPLinks and Security Filtering. | 16.12.2024 |
| MAL_APT_Trojan_Dec24 | Detects a trojan that ensures single-instance execution via an event object, communicates with C&C servers, encrypts exfiltrated data using AES, and performs modular plugin management and file operations; the AES key and plugin distribution URLs are embedded in its configuration. Seen being used by the APT-C-60 APT group. | 13.12.2024 |
| MAL_Camodoor_Backdoor_Dec24 | Detects the Camodoor backdoor, used for C2 communication and data manipulation, downloading, plugin loading, screen monitoring, file stealing and shell commands. Seen being used by the APT-C-60 APT group. | 13.12.2024 |
| MAL_SpyGrace_Backdoor_Dec24 | Detects the SpyGrace backdoor, which is designed for persistence, stealth and command execution. Seen being used by the APT-C-60 APT group. | 11.12.2024 |
| MAL_DLL_Shellcode_Loader_Dec24 | Detects a DLL shellcode loader seen being used by the Patchwork APT. | 10.12.2024 |
| MAL_Sheloader_Downloader_Dec24 | Detects the Sheloader downloader seen being used by the Patchwork APT. | 10.12.2024 |
| WEBSHELL_PHP_Insert_Dec24 | Detects PHPsert web shells that leverage the assert function for code execution. | 10.12.2024 |
| EXPL_Cleo_Exploitation_Log_Indicators_Dec24 | Detects indicators found in logs during and after Cleo software exploitation (as reported by Huntress in December 2024). | 10.12.2024 |
| SUSP_EXPL_Cleo_Exploitation_Log_Indicators_Dec24_1 | Detects indicators found in logs during and after Cleo software exploitation (as reported by Huntress in December 2024). | 10.12.2024 |
| SUSP_EXPL_Cleo_Exploitation_Log_Indicators_Dec24_2 | Detects indicators found in logs during and after Cleo software exploitation (as reported by Huntress in December 2024). | 10.12.2024 |
| EXPL_Cleo_Exploitation_XML_Indicators_Dec24 | Detects XML used during and after Cleo software exploitation (as reported by Huntress in December 2024). | 10.12.2024 |
| SUSP_EXPL_Cleo_Exploitation_XML_Indicators_Dec24_1 | Detects XML used during and after Cleo software exploitation (as reported by Huntress in December 2024). | 10.12.2024 |
| SUSP_EXPL_Cleo_Exploitation_XML_Indicators_Dec24_2 | Detects XML used during and after Cleo software exploitation (as reported by Huntress in December 2024). | 10.12.2024 |
| EXPL_Cleo_Exploitation_PS1_Indicators_Dec24 | Detects the encoded and decoded PowerShell loader used during Cleo software exploitation (as reported by Huntress in December 2024). | 10.12.2024 |
| SUSP_EXPL_JAR_Indicators_Dec24 | Detects characteristics of JAR files used during Cleo software exploitation (as reported by Huntress in December 2024). | 10.12.2024 |
| EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_1_1 | Detects characteristics of Java files used during Cleo software exploitation (as reported by Huntress in December 2024): the files Cli, ScSlot, Slot and SrvSlot. | 10.12.2024 |
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
| Rule | Average AV Detection Rate | Sample Count | Info | VT |
|---|---|---|---|---|
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
| Rule | AVs | Hash |
|---|---|---|
| SUSP_PS1_FromBase64String_Content_Indicator | 14 | 380529f0659d099049b6a009f455bccbe74d904df962a68d85ffcdf8fc3e9cf6 |
| SUSP_OBFUSC_NET_MSIL_Base64_Indicators_Apr23 | 14 | 380529f0659d099049b6a009f455bccbe74d904df962a68d85ffcdf8fc3e9cf6 |
| SUSP_Small_Loader_Indicator_Feb22_2 | 2 | 72068992cfe63bbc4a62beba7a97dfc460402b776f9ec28285fc28019cef5711 |
| WEBSHELL_PHP_OBFUSC_Encoded_Mixed_Dec_And_Hex | 3 | 92c8ebdef28bfd74a78442ac7ceed90d8e568c580dbe04e043bb3ba5217ce117 |
| SUSP_OBFUSC_JS_Indicators_Jul24_1 | 5 | f08712ee4fc4141fbaada423711004f7155584d0b25d08df0ba8227e3fe92024 |
| SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23 | 8 | 5da7891e3619070083faf275543b27365b33e61ddcfc0d68c55b386e5eb0b1da |
| SUSP_Eval_Base64_Indicators_Feb22_1 | 1 | b96709c5aa82ab3cea72d9566d8157f8b49fc4ad7dc6f7c8a2c0af3ab137231f |
| WEBSHELL_PHP_OBFUSC_Encoded_Mixed_Dec_And_Hex | 1 | b96709c5aa82ab3cea72d9566d8157f8b49fc4ad7dc6f7c8a2c0af3ab137231f |
| SUSP_Eval_Base64_Indicators_Feb22_1 | 2 | 23702576d1ec68f6d93f8210ad26c39d95c3fb2601c9a750a4d774c42fce3607 |
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can belong to several categories)

| Tag | Count |
|---|---|
| Malware | 6542 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5212 |
| APT | 4915 |
| Hacktools | 4608 |
| Webshells | 2341 |
| Exploits | 650 |
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
| Rule | Description | Date |
|---|---|---|
| CVE-2024-50623 Exploitation Attempt - Cleo | Detects an exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned from the Cleo software suite with a suspicious PowerShell command line. | 09.12.2024 |
| Modification or Deletion of an AWS RDS Cluster | Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information. | 06.12.2024 |
| Suspicious ShellExec_RunDLL Call Via Ordinal | Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands. An adversary might use only the ordinal number in order to bypass existing detections that alert on the usage of ShellExec_RunDLL on the command line. | 01.12.2024 |
| Setup16.EXE Execution With Custom .Lst File | Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living-off-the-land utility. | 01.12.2024 |
| Potential File Extension Spoofing Using Right-to-Left Override | Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension. | 17.11.2024 |
| Disable Application Bound Encryption for Chrome and Edge | Detects disabling of Application Bound Encryption for Google Chrome and Microsoft Edge by setting registry keys to 0. | 14.11.2024 |
| Remote Execution Using PsExec | Detects suspicious use of PsExec to remotely execute a batch file located in unusual directories. This could indicate lateral movement or malicious activity, as seen in some cyberattack scenarios. | 10.11.2024 |
| Suspicious Use of RAR for File Archiving | Detects the use of `rar.exe` to create archives, which may indicate file compression for exfiltration or malicious purposes. | 10.11.2024 |
| Suspicious File Copy To Admin Share | Detects suspicious file copy operations to administrative shares, which may indicate lateral movement or malicious staging. | 10.11.2024 |
| Expand File Over Admin Share | Detects the use of the expand command to extract files located on an administrative share, potentially used for lateral movement or staging files. | 10.11.2024 |
| Execution via Serviceui.exe | Detects potential abuse of ServiceUI.exe for privilege escalation using specific flags that allow running applications in a system context within a user session. | 06.11.2024 |
| Execution of ServiceUI.exe in Suspicious Location | Detects execution of ServiceUI.exe, a legitimate binary from the Microsoft Deployment Toolkit, potentially used for privilege escalation by running it outside of its expected directory. | 06.11.2024 |
| Potentially Suspicious Command Executed Via Run Dialog Box - Registry | Detects execution of commands via the Run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. | 01.11.2024 |
| .RDP File Created by Outlook Process | Detects the creation of files with the ".rdp" extension in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments. | 01.11.2024 |
| Registry Modifications to Change Default Programs Handling Files | Detects a change to the default program handling a file extension, which could be used by threat actors to run their malware when a file with that extension is opened. | 28.10.2024 |
| ValleyRAT Malware Registry Modification | Detects creation of registry keys used to store C2 information, as seen used by the ValleyRAT malware. | 28.10.2024 |
| Hacktool Nifo Usage | Detects Nifo, a tool that disables Windows AV/EDR software by corrupting their files offline via physical access. | 27.10.2024 |
| Registry Set for WinDefend Deletion | Detects the deletion of the WinDefend registry key in an attempt to disable Windows Defender. | 23.10.2024 |
| Potential DLL Sideloading Via taskhost.exe | Detects potential DLL sideloading of "SbieDll.dll". | 21.10.2024 |
| Curl Variable Execution | Detects curl execution with a variable passed as the domain to fetch data from, which could be used by a threat actor to hide the actual malicious domain. | 20.10.2024 |
| Domain Obfuscation | Detects domain obfuscation used by a threat actor to hide the actual C2 used. | 20.10.2024 |
| MSC File Execution From Potential Suspicious Location | Detects execution of Microsoft Management Console (MMC) files from potentially suspicious locations. | 20.10.2024 |
| IMEEX Framework Registry Modification Detected | Detects modifications to registry keys associated with the IMEEX malware framework, a tool used by attackers to gain extensive control over compromised Windows systems. | 12.10.2024 |
| Potential Conti Ransomware Activity | Detects a specific command line pattern based on flags used by the Conti ransomware. | 07.10.2024 |
| Wazuh Agent Remote Execution | Detects enabling of remote commands in the Wazuh agent. By setting this value to 1, the agent is allowed to accept and execute remote commands from the Wazuh manager or other controlling systems. This could be used for legitimate remote administration, but it also opens up the potential for misuse if the Wazuh manager or server it connects to is malicious or compromised, as it grants significant control over the agent. | 07.10.2024 |
| ETW Logging/Processing Option Disabled On IIS Server | Detects changes to the IIS server configuration that disable or remove the ETW logging/processing option. | 06.10.2024 |
| HTTP Logging Disabled On IIS Server | Detects changes to the IIS server configuration that disable HTTP logging for successful requests. | 06.10.2024 |
| New Module Module Added To IIS Server | Detects the addition of a new module to an IIS server. | 06.10.2024 |
YARA/SIGMA Rule Count
| Rule Type | Community Feed | Nextron Private Feed |
|---|---|---|
| Yara | 3209 | 18614 |
| Sigma | 3343 | 548 |
Sigma Rules Per Category (Community)
| Type | Count |
|---|---|
| windows / process_creation | 1249 |
| windows / registry_set | 201 |
| windows / file_event | 191 |
| windows / ps_script | 165 |
| windows / security | 157 |
| linux / process_creation | 118 |
| windows / image_load | 105 |
| webserver | 78 |
| windows / system | 72 |
| macos / process_creation | 65 |
| windows / network_connection | 52 |
| proxy | 52 |
| linux / auditd | 48 |
| aws / cloudtrail | 43 |
| azure / activitylogs | 43 |
| windows / registry_event | 38 |
| azure / auditlogs | 38 |
| windows / ps_module | 33 |
| windows / application | 28 |
| azure / signinlogs | 24 |
| okta / okta | 22 |
| windows / process_access | 22 |
| windows / dns_query | 21 |
| azure / riskdetection | 19 |
| opencanary / application | 18 |
| windows / pipe_created | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| gcp / gcp.audit | 16 |
| windows / windefend | 16 |
| bitbucket / audit | 14 |
| windows / file_delete | 13 |
| github / audit | 13 |
| m365 / threat_management | 13 |
| windows / create_remote_thread | 13 |
| cisco / aaa | 12 |
| windows / driver_load | 10 |
| windows / codeintegrity-operational | 10 |
| kubernetes / application / audit | 10 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / ps_classic_start | 9 |
| windows / create_stream_hash | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| dns | 8 |
| windows / bits-client | 7 |
| gcp / google_workspace.admin | 7 |
| windows / registry_delete | 7 |
| zeek / smb_files | 7 |
| antivirus | 7 |
| azure / pim | 7 |
| windows / appxdeployment-server | 7 |
| windows / file_access | 6 |
| windows / dns-client | 6 |
| linux / network_connection | 5 |
| kubernetes / audit | 5 |
| jvm / application | 5 |
| zeek / dce_rpc | 4 |
| zeek / dns | 4 |
| windows / sysmon | 4 |
| windows / taskscheduler | 4 |
| windows / iis-configuration | 4 |
| windows / ntlm | 3 |
| linux / sshd | 3 |
| zeek / http | 3 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| windows / file_change | 2 |
| firewall | 2 |
| windows / security-mitigations | 2 |
| spring / application | 2 |
| m365 / audit | 2 |
| linux / syslog | 2 |
| windows / dns-server | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| qualys | 2 |
| apache | 2 |
| windows / appmodel-runtime | 1 |
| windows / smbclient-connectivity | 1 |
| linux / clamav | 1 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| windows / openssh | 1 |
| windows / process_tampering | 1 |
| nodejs / application | 1 |
| paloalto / file_event / globalprotect | 1 |
| cisco / duo | 1 |
| linux / guacamole | 1 |
| huawei / bgp | 1 |
| windows / appxpackaging-om | 1 |
| python / application | 1 |
| paloalto / appliance / globalprotect | 1 |
| windows / shell-core | 1 |
| windows / raw_access_thread | 1 |
| windows / capi2 | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / file_executable_detected | 1 |
| ruby_on_rails / application | 1 |
| zeek / x509 | 1 |
| windows / microsoft-servicebus-client | 1 |
| velocity / application | 1 |
| m365 / exchange | 1 |
| linux / sudo | 1 |
| windows / diagnosis-scripted | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| sql / application | 1 |
| linux / vsftpd | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / sysmon_status | 1 |
| m365 / threat_detection | 1 |
| zeek / rdp | 1 |
| zeek / kerberos | 1 |
| windows / sysmon_error | 1 |
| database | 1 |
| windows / driver-framework | 1 |
| windows | 1 |
| windows / dns-server-analytic | 1 |
| windows / printservice-operational | 1 |
| nginx | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-admin | 1 |
| netflow | 1 |
| cisco / bgp | 1 |
| fortios / sslvpnd | 1 |
| linux / auth | 1 |
| cisco / ldp | 1 |
| windows / ldap | 1 |
| django / application | 1 |
| cisco / syslog | 1 |
| linux / cron | 1 |
Sigma Rules Per Category (Nextron Private Feed)
| Type | Count |
|---|---|
| windows / process_creation | 237 |
| windows / registry_set | 63 |
| windows / ps_script | 56 |
| windows / wmi | 29 |
| windows / file_event | 23 |
| windows / image_load | 19 |
| proxy | 12 |
| windows / security | 11 |
| linux / process_creation | 11 |
| windows / network_connection | 7 |
| windows / system | 7 |
| windows / registry_event | 6 |
| windows / kernel-event-tracing | 6 |
| windows / ntfs | 5 |
| windows / ps_module | 5 |
| windows / create_remote_thread | 4 |
| windows / pipe_created | 4 |
| windows / sense | 4 |
| windows / application-experience | 3 |
| windows / registry_delete | 3 |
| windows / hyper-v-worker | 3 |
| windows / ps_classic_script | 3 |
| windows / vhd | 3 |
| webserver | 3 |
| windows / taskscheduler | 2 |
| windows / driver_load | 2 |
| windows / bits-client | 2 |
| windows / kernel-shimengine | 2 |
| windows / amsi | 1 |
| windows / firewall-as | 1 |
| windows / file_access | 1 |
| windows / application | 1 |
| windows / registry-setinformation | 1 |
| windows / audit-cve | 1 |
| windows / file_delete | 1 |
| windows / dns_query | 1 |
| windows / codeintegrity-operational | 1 |
| windows / file_rename | 1 |
| macos / process_creation | 1 |
| windows / windefend | 1 |
| windows / process_access | 1 |
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls