Valhalla Logo
currently serving 18178 YARA rules and 2968 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
HKTL_MacOS_Loader_Mar23_1
Detects indicators found in custom loader for macOS
23.03.2023
APT_MAL_MSI_BadMagic_PowerMagic_Mar23_1
Detects PowerMagic samples mentioned in Bad Magic report
23.03.2023
APT_MAL_PS1_BadMagic_PowerMagic_Mar23_1
Detects encoded PowerMagic samples mentioned in Bad Magic report
23.03.2023
HKTL_SecretsDump_Mar23_1
Detects unknown hack tool named SecretsDump 4
23.03.2023
HKTL_EXPL_POC_Veeam_Backup_CVE_2023_27532_Mar23_1
Detects POC to Veeam backup vulnerability CVE-2023-27532
23.03.2023
HKTL_EXE_Runner_Mar23_1
Detects unknown loader named Exe-Runner
23.03.2023
HKTL_XorArgon_Injector_Mar23_1
Detects xorargon process injector
23.03.2023
HKTL_ProcessInjector_Mar23_1
Detects various process injectors
23.03.2023
SUSP_HKTL_Indicators_Mar23_1
Detects suspicious files based on imports and other characteristics
23.03.2023
SUSP_HKTL_Indicators_Mar23_2
Detects suspicious files based on imports and other characteristics
23.03.2023
SUSP_RDP_RemoteIcon_UNC_Mar23
Detects suspicious RDP files, which use remote icons on SMB shares to leak NTLM hashes
23.03.2023
HKTL_EXPL_LPE_AFD_SYS_CVE_2023_21768_Mar23_1
Detects local privilege escalation exploits for CVE-2023-21768 in afd.sys
22.03.2023
SUSP_EXPL_LPE_AFD_SYS_CVE_2023_21768_Mar23_1
Detects samples with similarities to local privilege escalation exploits for CVE-2023-21768 in afd.sys
22.03.2023
SUSP_EXPL_LPE_AFD_SYS_CVE_2023_21768_Mar23_2
Detects indicators as described to be found in an in-the-wild sample exploiting CVE-2023-21768 in afd.sys for LPE
22.03.2023
APT_BadMagic_ForensicArtifacts_Mar23_1
Detects forensic artifacts found in attacks by Bad Magic TA
22.03.2023
APT_PS1_BadMagic_PowerMagic_Mar23_1
Detects PowerShell script as used by Bad Magic TA
22.03.2023
SUSP_LNK_MsiExec_Internet_Mar23_
Detects suspicious link files that contain msiexec invocations that install an MSI package from the Internet
22.03.2023
SUSP_EXPL_Indicators_Mar23_1
Detects indicators found in hacktools and privilege escalation exploits
22.03.2023
SUSP_Exploit_Indicators_Mar23_1
Detects binaries with indicators found in POCs for common exploits
22.03.2023
SUSP_PE_Nim_Based_Mar23_1
Detects suspicious Nim based executables (doesn't have to be a hack tool or malware - it's just very likely)
22.03.2023
HKTL_PUA_FireKylin_Agent_Mar23_1
Detects FireKylin agents - incident response tool, but also used by threat actors
21.03.2023
SUSP_HKTL_Shell_Mar23_1
Detects unknown shell found in open dir with other hack tools
21.03.2023
SUSP_PUA_Tor_Cmdline_Flags_Mar23_1
Detects suspicious indicators that point to the use of Tor (The Onion Router)
21.03.2023
SUSP_LockDownProtectProcessById_Function_Mar23_1
Detects
21.03.2023
WEBSHELL_ASP_Unknown_Mar23_1
Detects an ASP webshell
21.03.2023
WEBSHELL_ASP_Unknown_Mar23_2
Detects an ASP webshell
21.03.2023
SUSP_PY_OBFUSC_Base64_RevShell_Indicators_Mar23_1
Detects Python reverse shell indicators in encoded form
20.03.2023
SUSP_PY_OBFUSC_RevShell_Indicators_Mar23_1
Detects Python reverse shell indicators
20.03.2023
SUSP_PY_OBFUSC_RevShell_Indicators_Mar23_2
Detects Python reverse shell indicators
20.03.2023
LOG_SUSP_LNX_Commands_AuditD_Mar23_1
Detects a command to print /etc/shadow in the auditd log format
20.03.2023

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
SUSP_AppData_PathTraversal_Nov22_1
0.64
14
WEBSHELL_PHP_Jul22_4
0.72
18
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.72
47
SUSP_OBFUSC_BAT_Mar23_1
0.82
38
SUSP_PY_Exec_Import_Aug22_1
1.0
18
SUSP_PS1_Invoke_Expression_May22_1
1.0
13
HKTL_Clash_Tunneling_Tool_Aug22_2
1.03
29
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
1.18
17
SUSP_PUA_Outlook_Redemtpion_Mar23_1
1.26
19
SUSP_JS_Redirector_Mar23
1.35
218
SUSP_OBFUSC_JS_Execute_Base64_Mar23
1.47
133
SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22
1.86
29
HKTL_PUA_SystemInformer_Nov22_1
2.24
17
SUSP_ISO_PhishAttachment_Password_In_Body_Jun22_1
2.4
147
EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23
2.69
54
SUSP_JS_OBFUSC_Feb23_2
2.78
1936
SUSP_VBA_Kernel32_Imports_Jun22_1
2.83
58
SUSP_WEvtUtil_ClearLogs_Sep22_1
2.86
73
HKTL_PS1_HoaxShell_Pattern_Aug22_1
3.11
18
MAL_Hoaxshell_PS1_Encoded_Payload_Oct22
3.15
20
HKTL_PS1_HoaxShell_Payloads_Nov22_1
3.25
20
SUSP_Start_Min_Temp_Jan23_1
3.47
17
SUSP_PS1_Loader_Indicators_Dec22_2
3.5
30
SUSP_ISO_In_ZIP_Small_May22_1
3.51
92
SUSP_PS1_PowerShell_Recon_Mar23_1
3.56
27
SUSP_PY_OBFUSC_Hyperion_Aug22_1
3.88
17
SUSP_VBS_DownloadCradles_Jul22_1
3.89
19
SUSP_OBFUSC_obfs4_May22
4.06
68
SUSP_MSF_MSFVenom_Indicator_Jan23_1
4.32
22
SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1
4.41
111

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_PE_Themida_Packed_Nov22
12
fb2f6956a883c8f15064cca018973734e343c6b4ee61ba62cd77c2493fa6739d
SUSP_Protector_Themida_Packed_Samples_Mar21_1
12
fb2f6956a883c8f15064cca018973734e343c6b4ee61ba62cd77c2493fa6739d
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
1
4bc1487ac187cc72b55d24d36182cd23d3d19bc0148d87dec570b2df4f02e696
SUSP_PY_RevShell_Indicators
1
4bc1487ac187cc72b55d24d36182cd23d3d19bc0148d87dec570b2df4f02e696
SUSP_Protector_Themida_Packed_Samples_Mar21_1
5
0492a7c9d9ba4ed1c14acacd96f6044881a8bd8314b061c3d676b2b05b0b87f7
HKTL_PELoad_Jan23_7
10
3f50a944262c677f047f3f956db5665b8805b7890fddbdaeb66af2dd230457e0
SUSP_ProcessInjection_Indicators_Aug22_1
11
0866ad4252b3814058e3bf64562b9460cea4ca4f2683d8b9817262e32a034bc2
SUSP_HKTL_Donut_Loader_Mar23_5
11
63a2bc5ccab5feca32558088c3c466f123a8988cace61224a59297d4c5ea3c41
HKTL_Donut_ShellCode_Mar23_1
11
63a2bc5ccab5feca32558088c3c466f123a8988cace61224a59297d4c5ea3c41
SUSP_OBFUSC_JS_Base64_Encoded_Var_Feb23
9
7e85723e0eca5ac102baafba1e9186a5ba33063fdab07963f57886eb8c049d78
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
9
7e85723e0eca5ac102baafba1e9186a5ba33063fdab07963f57886eb8c049d78
PUA_Crypto_Mining_CommandLine_Indicators_Oct21
3
944eab4808c680555c2e89751ef01c085e9376d3de5de550bffd7e4175b11273
SUSP_Svchost_Variation
4
a3bb2825312082cb0a4b34d1df981be255ae1e6279692f088d80ba47a17ce72e
SUSP_Ncat_Like_Cmd
4
a3bb2825312082cb0a4b34d1df981be255ae1e6279692f088d80ba47a17ce72e
SUSP_OBFUSC_JS_Base64_Encoded_Var_Feb23
6
e8cad447bc31791d0a21c94698f942fda1fbe25fee19b0b8221940bc5b0d956f
SUSP_OBFUSC_JS_Base64_Encoded_Var_Feb23
12
9c38be68e98faaa9ad19bb13ea8bd8979a2227ea0b56ae3635d5ffd908110575
SUSP_ShellCode_Loader_Indicators_Nov22_1
12
f14e3b7e637ce893bd425aa2a7c24386073e6f2e4bdad52268bf74b93abdc823
SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1
1
675ac830d7c8c13dd52236c0b707b71d63c1eb7cfc1436c78cfad8d6cdb5b68f
SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1
1
69c29a4787202c30970bf647bc96b6cf2fcf66984cd207a881702ec57d8a9344
SUSP_XORed_Mozilla
4
304e204ca9f46b0ab51a34567e8607ff04a2591bbbc975cc59b804142c2510ad

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
4956
APT
4522
Threat Hunting (not subscribable, only in THOR scanner)
4246
Hacktools
4142
Webshells
2213
Exploits
554

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
CVE POC Execution Pattern
Detects the execution of a file or script that matches a filename pattern often used in Proof-of-Concept code
22.03.2023
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
21.03.2023
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
20.03.2023
User Added To Admin Group - MacOS
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
19.03.2023
Potential Binary Or Script Dropper Via PowerShell.EXE
Detects PowerShell creating a binary executable or script file.
17.03.2023
Terminate Linux Process Via Kill
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
16.03.2023
Suspicious WebDav Client Execution
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
16.03.2023
CVE-2023-23397 Exploitation Attempt
Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
16.03.2023
Hypervisor Enforced Code Integrity Disabled
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
14.03.2023
Active Directory Structure Export Via Csvde.EXE
Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
14.03.2023
Disable Key Protectors Via WMI
Detects calls to the "DisableKeyProtectors" method that's part of the "Win32_EncryptableVolume" class in order to disable or suspends all key protectors associated with a volume. Often used to disable Bitlocker
14.03.2023
Query Protection Status Via WMI
Detects potential protection status reconnaissance via calls to "GetProtectionStatus" method that's part of the "Win32_EncryptableVolume" class. Often use to get Bitlocker status.
14.03.2023
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
14.03.2023
Suspicious Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
14.03.2023
Active Directory Structure Export Via Ldifde.EXE
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
14.03.2023
Process Memory Dump Via Dotnet-Dump
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS
14.03.2023
Credential Guard Disabled
Detects changes to the CredentialGuard registry key and the "Enabled" value being set to 0 in order to disable the Credential Guard feature. This allows an attacker to access secrets such as credentials stored in LSASS
14.03.2023
Potential Rcdll.DLL Sideloading
Detects potential DLL sideloading of rcdll.dll
13.03.2023
Potential Wazuh Security Platform DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform
13.03.2023
Suspicious Rundll32 Execution With Image Extension
Detects the execution of Rundll32.exe with DLL files masquerading as image files
13.03.2023
Gzip Archive Decode Via PowerShell
Detects attempts of decoding encoded Gzip archives via PowerShell.
13.03.2023
Potential DLL File Download Via PowerShell Invoke-WebRequest
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
13.03.2023
Potential Qakbot Registry Activity
Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
13.03.2023
Amsi.DLL Load By Uncommon Process
Detects loading of Amsi.dll by uncommon processes
12.03.2023
Password Protected Compressed File Extraction Via 7Zip
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
10.03.2023
Potential MuddyWater APT Activity
Detects potential Muddywater APT activity
10.03.2023
Sysmon Configuration Update
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
09.03.2023
Griffon Malware Attack Pattern
Detects process execution patterns related to Griffon malware as reported by Kaspersky
09.03.2023
Linux Package Uninstall
Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
09.03.2023
HackTool - Wmiexec Default Powershell Command
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
08.03.2023

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
2587
15591
Sigma
2694
274

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1032
windows / ps_script
156
windows / registry_set
153
windows / security
139
windows / file_event
134
linux / process_creation
69
windows / image_load
65
webserver
64
windows / system
62
linux / auditd
52
macos / process_creation
41
azure / activitylogs
38
windows / network_connection
37
aws / cloudtrail
37
proxy
37
windows / registry_event
36
azure / auditlogs
33
windows / ps_module
32
windows / process_access
27
azure / signinlogs
25
windows / application
21
linux
18
rpc_firewall / application
17
windows / pipe_created
17
windows / driver_load
15
gcp / gcp.audit
14
m365 / threat_management
13
okta / okta
13
windows / create_remote_thread
13
windows / dns_query
13
dns
12
windows / file_delete
11
windows / ps_classic_start
11
windows / windefend
11
cisco / aaa
11
windows / registry_add
9
windows / firewall-as
8
windows / msexchange-management
8
windows / appxdeployment-server
7
windows / bits-client
7
github / audit
7
zeek / smb_files
7
antivirus
7
windows / create_stream_hash
7
firewall
6
windows / registry_delete
6
google_workspace / google_workspace.admin
6
jvm / application
5
zeek / dce_rpc
5
linux / file_event
5
windows / dns-client
5
azure / azureactivity
5
windows / file_access
4
zeek / dns
4
linux / network_connection
3
windows / codeintegrity-operational
3
zeek / http
3
windows / taskscheduler
3
windows / powershell-classic
3
windows / wmi_event
3
apache
3
windows / ntlm
3
linux / sshd
2
windows / file_change
2
linux / syslog
2
windows / security-mitigations
2
spring / application
2
windows / file_rename
2
onelogin / onelogin.events
2
macos / file_event
2
qualys
2
linux / auth
2
windows / powershell
2
azure / microsoft365portal
1
linux / clamav
1
windows / applocker
1
windows / printservice-operational
1
windows / raw_access_thread
1
nodejs / application
1
huawei / bgp
1
windows / printservice-admin
1
python / application
1
windows / appxpackaging-om
1
django / application
1
windows / shell-core
1
windows / diagnosis-scripted
1
windows / microsoft-servicebus-client
1
m365 / exchange
1
linux / sudo
1
zeek / x509
1
windows / file_block
1
velocity / application
1
m365 / threat_detection
1
linux / vsftpd
1
windows / smbclient-security
1
windows / sysmon
1
ruby_on_rails / application
1
zeek / rdp
1
windows / driver-framework
1
windows / sysmon_status
1
database
1
zeek / kerberos
1
windows / dns-server
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
sql / application
1
modsecurity
1
windows / dns-server-analytic
1
windows / lsa-server
1
windows
1
windows / process_tampering
1
netflow
1
cisco / accounting / aaa
1
windows / ps_classic_provider_start
1
cisco / bgp
1
windows / ldap_debug
1
windows / wmi
1
linux / cron
1
cisco / ldp
1
windows / iis
1
windows / appmodel-runtime
1
windows / openssh
1
linux / guacamole
1
juniper / bgp
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
130
windows / ps_script
31
windows / wmi
29
windows / registry_set
17
proxy
11
windows / file_event
10
windows / system
8
windows / security
5
windows / create_remote_thread
4
linux / process_creation
3
windows / registry_event
3
windows / image_load
3
windows / pipe_created
3
webserver
2
windows / vhd
2
windows / driver_load
2
windows / taskscheduler
2
windows / network_connection
1
macos / process_creation
1
windows / application
1
windows / dns_query
1
windows / process_access
1
windows / registry_delete
1
windows / file_access
1
windows / registry-setinformation
1
windows / file_delete
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022