Valhalla Logo
currently serving 12614 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
MAL_PurpleFox_ExploitKit_JS_Shellcode_Apr21
Detects shellcode injection methods as used in PurpleFox exploit kits
16.04.2021
MAL_PurpleFox_ExploitKit_PS1_Loader_Apr21
Detects PowerShell samples as mentioned in PurpleFox report
16.04.2021
MAL_MalDoc_Qbot_Apr21_1
Detects Maldocs used in QakBot campaign
16.04.2021
EXPL_PulseSecure_Codes_Apr21_1
Detects strings used in exploit code for PulseSecure gateways - some used in malware samples (Mirai)
16.04.2021
EXPL_CVE_2021_1732_Apr21_1
Detects exploit code for CVE-2021-1732
16.04.2021
EXPL_CVE_2018_8120_Apr21_1
Detects exploit code for CVE-2018-8120
16.04.2021
EXPL_CVE_2019_0808_Apr21_1
Detects exploit code for CVE-2019-0808
16.04.2021
EXPL_CVE_2019_1458_Apr21_1
Detects exploit code for CVE-2019-1458
16.04.2021
EXPL_CVE_2021_26411_Apr21_1
Detects CVE-2021-26411 exploit codes
16.04.2021
SUSP_CobaltStrike_Beacons_ClearText_Gen_Apr21_1
Detects CobaltStrike beacons based on cleartext beacon configs
16.04.2021
SUSP_EXPL_GenericStrings_Apr21_1
Detects strings often found in exploit codes
16.04.2021
SUSP_OBFUSC_JavaScript_Apr21_1
Detects suspicious obfuscated JavaScript codes
16.04.2021
SUSP_OBFUSC_JavaScript_Apr21_2
Detects suspicious obfuscated JavaScript codes
16.04.2021
SUSP_OBFUSC_JavaScript_Apr21_3
Detects suspicious charcteristics found in obfuscated JavaScript codes
16.04.2021
APT_SH_CodeCov_Hack_Apr21_1
Detects manipulated Codecov bash uploader tool that has been manipulated by an unknown actor during March / April 2021
16.04.2021
APT_RU_UNC2452_MAL_VBS_SUNSHUTTLER_Script_Helper_Apr21_1
Detects samples used by UNC2452 together with SUNSHUTTLE malware
16.04.2021
APT_RU_UNC2452_VBS_SUNSHUTTLE_Apr21_1
Detects VBS samples used by UNC2452 together with SUNSHUTTLE malware
16.04.2021
APT_RU_UNC2452_WEBSHELL_JScript_SUNSHUTTLE_Apr21_1
Detects webshell samples used by UNC2452 together with SUNSHUTTLE malware
16.04.2021
APT_RU_MAL_UNC2452_SUNSHUTTLE_Finder_Apr21_1
Detects samples used by UNC2452 together with SUNSHUTTLE malware
16.04.2021
MAL_Agent_Generic_Apr21_1
Detects malware based on ML opcode selection
15.04.2021
PUA_RemotelyAnywhere_Apr21
Detects
15.04.2021
HKTL_NetSess_Apr21_1
Detects NetBIOS session enumeration tool NetSess
15.04.2021
APT_MAL_A41APT_SigLoader_Malware_Apr21_1
Detects A41APT samples
15.04.2021
APT_MAL_A41APT_SigLoader_Malware_Apr21_2
Detects A41APT samples
15.04.2021
APT_A41APT_ScheduledTask_Pattern_Apr21_1
Detects task patterns as used by A41APT
15.04.2021
EXPL_CVE_2021_1647_WindowsDefender_Apr21_1
Detects CVE-2021-1647 exploit codes - Windows Defender mpengine remote code execution
14.04.2021
EXPL_Google_Chrome_0Day_Apr21_1
Detects Chrome 0day exploit codes
14.04.2021
EXPL_Generic_JS_Shellcode_Apr21_1
Detects JavaScript that contains shellcode
14.04.2021
SUSP_127_C_Output_Artefacts_Apr21
Detects artefacts used in different attacks using __output on drive C for temporary storage
13.04.2021
SUSP_CobaltStrike_4_Beacons_XOR_Marker_Reversed_Apr21_2
Detects CobaltStrike beacons based on XORed beacon configs in reversed order
13.04.2021
SUSP_CobaltStrike_Beacons_XOR_Marker_Base64_Apr21_1
Detects base64 encoded CobaltStrike beacons based on XORed beacon configs
13.04.2021
SUSP_CobaltStrike_4_Beacons_XOR_UA_Marker_Apr21_1
Detects CobaltStrike beacons based on XORed beacon configs
13.04.2021
SUSP_CobaltStrike_3_Beacons_Gen_XOR_Marker_Apr21_1
Detects CobaltStrike beacons based on XORed beacon configs
13.04.2021
SUSP_CobaltStrike_4_Beacons_Gen_XOR_Marker_Apr21_1
Detects CobaltStrike beacons based on XORed beacon configs
13.04.2021
SUSP_CobaltStrike_Custom_Beacons_Gen_XOR_Marker_Apr21_1
Detects CobaltStrike beacons based on XORed beacon configs
13.04.2021
HKTL_CobaltStrike_4_Beacons_XOR_Marker_Apr21_1
Detects CobaltStrike beacons based on XORed beacon configs
13.04.2021
HKTL_CobaltStrike_4_Custom_Beacons_XOR_Marker_Apr21_2
Detects CobaltStrike beacons based on XORed beacon configs
13.04.2021
APT_MAL_BlackTech_TSCookie_Characteristics_Apr21_1
Detects BlackTech's TSCookie malware
13.04.2021
MAL_Unknown_DLL_Loader_Apr21_1
Detects suspicious DLL files - x64.dll analysis
12.04.2021
MAL_LNX_SH_Downloader_Apr21_1
Detects suspicious downloader files
12.04.2021

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_TaurusStealer_AutotIt_Obfuscation_Mar21_1
0.07
42
MAL_Script_Autoit_Taurus_Dropper_Sep20_1
1.1
41
SUSP_OBFUSC_VBA_Mar21_1
1.73
30
HKTL_PY_Loader_Feb21_2
2.77
13
MAL_JS_Gootkit_Loader_Feb21_1
3.51
41
SUSP_PS1_Keywords_Mar21_1
5.74
19
APT_MAL_PS1_SilverFish_Mar21_1
7.5
20
HKTL_PS1_PowerShell_Loader_Dec20_1
7.73
11
MAL_MalDoc_CS_Loader_Nov20_1
8.08
12
WEBSHELL_OBFUSC_Chopper_Encoded
8.45
205
HKTL_PS1_PowerCat_Mar21
8.63
41
WEBSHELL_PHP_mini_Jul20
8.91
11
MAL_MalDoc_Qbot_Apr21_1
9.13
32
SUSP_Encoded_Impersonate_Nov20
9.94
17
Casing_Anomaly_CreateObject
10.21
24
HKTL_PUA_Chisel_TCP_Tunneling_Oct20_1
10.36
11
MAL_HTML_Phishing_Dec20_1
11.7
20
HKTL_PS1_CobaltStrike_PowerShell_Loader_Dec20_1
11.73
75
HKTL_ScareCrow_LoaderCharacteristics_Feb21_1
12.07
15
HKTL_Go_Encoded_Payloads_Generic_Mar21_1
14.64
14
HKTL_Empire_Agent_inMemory_Jul20_1
14.7
53
HKTL_PY_RevShell_Feb21_1
14.94
16
MAL_IMG_Small_Exe_Content_Apr21
15.93
28
SUSP_Script_PS1_PE_Injection_Indicators_Jun20_1
16.0
36
HKTL_Empire_Stager_Jul20_1
16.29
49
MAL_PyDomer_Gen_Mar21_1
16.42
78
HKTL_Go_Shellcode_Loader_Apr20_1
16.46
24
SUSP_Script_PS1_Indicators_Mar21_2
17.09
93
WEBSHELL_ASP_Gen_Mar21_1
17.17
12
HKTL_LNX_Metasploit_Shell_May20_1
17.53
15

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
APT_DarkHydrus_Jul18_4
9
d395260ac15abeb492a629f92b3aa2505c5324a94df6409749cd1be924901a97
mimikatz_ru_May17
5
45e5b59a056ffa06b4376a275b66ceb075ee8aba90d28713928bebe69edc4fd7
SUSP_NET_NAME_ConfuserEx
3
c4644d11d40ed81009e057174457bd11a79ce9bf8459f3d3c9de5a6d01414e41
MAL_Unknown_PWDumper_Apr18_3
14
405c5b6364feec0ba9b580f8fe83c38a0ad4599be5ee7365eb70de86c75fc5ab
MAL_Unknown_Loader_Mar20_1
14
405c5b6364feec0ba9b580f8fe83c38a0ad4599be5ee7365eb70de86c75fc5ab
WEBSHELL_CloakedAsPic_Feb20
6
9b56f47ef5421e3402790ea0f54d27d362c4a1e7ddb0459edcc0eeed20d864b6
webshell_php_generic_eval
6
9b56f47ef5421e3402790ea0f54d27d362c4a1e7ddb0459edcc0eeed20d864b6
webshell_in_image
6
9b56f47ef5421e3402790ea0f54d27d362c4a1e7ddb0459edcc0eeed20d864b6
SUSP_NET_NAME_ConfuserEx
4
3f22ff94ceda99f62fad8a80e57149d907e74bd9f27a7e4decff2d0fd13243b7
SUSP_Go_Binary_UPX_Packed_Small
14
8d81930d787fc980573e8ee9a263b28f87ecfcd38e7d54e3c95b476163dbe6a4
MAL_NET_DTLoader_Apr21_1
10
efc552efbfa97636e568094192f5ac037cca1408ed19006c041a80c6e1fca627
MAL_NET_DTLoader_Apr21_1
10
76972162e0f2d15ffd8dd8ca4d735e7e3d4b4ffc675380d3f6b054ad8db6bd89
LOADER_String_Malware_Indicator
14
47365536b89a07ea100929238464c28cfd291a958beeef97590a1a8b03ae984b
SUSP_Go_Binary_UPX_Packed_Small
12
77ab0d95ee98d125e310d89dda44af23a601367798d96b3661b1fbfac32df415
Unspecified_Dropper_Mar17_2
14
f682ff35a4636443be4458e1b1ae204f11012ae00beb60de14ba77522e91d3a9
MAL_Unknown_PWDumper_Apr18_3
14
f682ff35a4636443be4458e1b1ae204f11012ae00beb60de14ba77522e91d3a9
MAL_LNX_ELF_Mirai_Malware
12
ae4eff69e9bb2e82f88eb405eeba1bf7491e46c6e7f5e8c8634e10cd9a7c897c
Impacket_Tools_tracer
11
eecfddaee6676448458e8fc2593911e5fa8e7309a9de4f89a839d67672e3acf2
HKTL_Empire_Stagers_Gen_Dec19_1
14
f587681d496b4e33ff89a9fd4c5a5dd101f9311c48d0a9a90fabc5a3cfaa754f
webshell_php_gzinflated
14
f587681d496b4e33ff89a9fd4c5a5dd101f9311c48d0a9a90fabc5a3cfaa754f

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
APT
3593
Malware
3058
Hacktools
2902
Webshells
2008
Threat Hunting
1982
Exploits
234

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020