currently serving 14198 YARA rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule

Description

Date

Ref

SUSP_LIGHTS_BOMB_Indicator_Oct21_1

Detects a string found in HVNC samples used by Kimsuky group

20.10.2021

HKTL_SBD_Netcat_Clone_Oct21_1

Detects SBD netcat clone

20.10.2021

HKTL_SBD_Packed_Netcat_Clone_Oct21_1

Detects SBD netcat clone

20.10.2021

MAL_LNX_Backdoor_TinyShell_Oct21_1

Detects Linux TinyShell backdoors

20.10.2021

APT_LightBasin_Artefacts_Oct21_1

Detects artefacts of LightBasin / UNC1945 activity

20.10.2021

APT_MAL_Kimsuky_TinyNuke_Oct21_1

Detects TinyNuke malware used by Kimsuky group

20.10.2021

PUA_Go_CPU_Miner_Oct21_1

Detects a Go CPU miner

20.10.2021

PUA_TightVNC_Server_Oct21

Detects PUA TightVNC server

20.10.2021

SUSP_TVNServer_Oct21_1

Detects modified TightVNC server versions noticed in October 2021

20.10.2021

SUSP_APT_LightBasin_Pingg_Oct21_1

Detects samples possibly related to LightBasin / UNC1945

20.10.2021

SUSP_LNX_Hacktool_Indicator_Oct21_1

Detects an opcode sequence often found in Linux hacktools

20.10.2021

SUSP_Rundll32_By_Ordinal_Oct21_1

Detects a suspicious rundll32 invocation using an ordinal

20.10.2021

SUSP_AVE_MARIA_Indicator_Oct21_1

Detects a string found in HVNC samples used by Kimsuky group

20.10.2021

SUSP_WIN_Go_Binary_Obfuscated_Oct21_1

Detects suspicious Windows Go PE files that look as if certain common strings have been removed for obfuscation purposes

19.10.2021

HKTL_LSARelay_Oct21_1

Detects LSARelayX hacktool used to deploy a system wide NTLM relay

18.10.2021

MAL_CN_Vampire_Oct21_1

Detects Vampire malware samples

18.10.2021

APT_IR_MAL_Lyceum_Kevin_Oct21_1

Detects strings used by Lyceum malware

18.10.2021

APT_IR_Lyceum_INI_File_Indicators_Oct21_1

Detects characteristics of .ini fules used by Lyceum malware

18.10.2021

EXPL_Apache_ModProxy_CVE_2021_40438_Oct21_1

Detects PoC for Apache mod_proxy vulnerability CVE-2021-40438 or log entries that show the successful exploitation

18.10.2021

SUSP_BlackBone_Ref_Oct21_1

Detects executabkles with suspicious reference to BlackBone memory hacking library

18.10.2021

SUSP_CertOc_LoadDLL_Combo_Oct21_1

Detects suspicious certoc.exe use with -LoadDLL parameter

18.10.2021

SUSP_Hacktool_PoC_Strings_Oct21_1

Detects suspicious strings often found in hacktools, malware or PoC code

18.10.2021

LOG_SUSP_PS1_RDP_History_Removal_Oct21

Detects the removal of terminal server client history via powershell registry manipulation

15.10.2021

APT_TA505_MalDoc_Oct21_1

Detects TA505 malicious document samples

15.10.2021

APT_TA505_MAL_MSI_Oct21_1

Detects TA505 malicious MSI samples

15.10.2021

SUSP_NOP_Sled_Before_MZ_Oct21

Detects files with MZ header that are prefixed with NOP sleds

15.10.2021

HKTL_PUA_FRP_FastReverseProxy_Oct21_1

Detects fast reverse proxy PUA tool often used by threat groups

14.10.2021

WEBSHELL_ASP_CeCe_Oct21_1

Detects web shells found in an open directory in October 2021

14.10.2021

WEBSHELL_ASP_ProcStart_Oct21_1

Detects web shells found in an open directory in October 2021

14.10.2021

WEBSHELL_ASPX_Popup_Oct21_1

Detects web shells found in an open directory in October 2021

14.10.2021

WEBSHELL_ASPX_FileUpload_Oct21_1

Detects web shells found in an open directory in October 2021

14.10.2021

WEBSHELL_PHP_B64_Decoder_Oct21_1

Detects web shells found in an open directory in October 2021

14.10.2021

WEBSHELL_PHP_PhpWaf2_Oct21_1

Detects web shells found in an open directory in October 2021 - file phpwaf2.php

14.10.2021

HKTL_EXPL_PoC_CVE_2016_3309_Oct21_1

Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)

13.10.2021

HKTL_StandIn_Oct21_1

Detects StandIn post exploitation tool

13.10.2021

LOG_PUA_SysInternals_Live_Usage_Oct21_1

Detects access to online SysInternals tools using live.sysinternals.com

13.10.2021

LOG_SUSP_Suspicious_Service_Image_Loc_Oct21_1

Detects a suspicious location of a newly installed servers, very similar to PsExec

13.10.2021

SUSP_HKTL_Encoded_Oct21_1

Detects encoded strings often found in hacktools

13.10.2021

SUSP_HKTL_Hacktool_Strings_Oct21_1

Detects strings often used in exploit codes

13.10.2021

SUSP_HKTL_Encoded_Hacktool_Strings_Oct21_1

Detects encoded strings often found in exploit codes and hack tools

13.10.2021

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule

Average AV Detection Rate

Sample Count

Info

VT

SUSP_CobaltStrike_XOR_Encrypted_Beacon_Marker_Apr21_1

0.0

417

HKTL_RMM_Client_Aug21_1

1.27

37

SUSP_Tiny_RAR_Mar21_1

1.58

228

HKTL_PY_Loader_Feb21_2

2.43

28

SUSP_MalDoc_Indicator_VBA_Nov20_1

2.5

12

HKTL_AMSIBypass_Tool_OpCode_Indicators_May21_1

2.76

42

SUSP_OBFUSC_JS_Sep21_1

3.16

31

HKTL_LNX_GenShell_Feb21_1

3.36

11

SUSP_BAT_to_EXE_Converter_Jul21_1

3.45

22

HKTL_BAT_BypassTamperProtection_Aug21_1

4.07

42

SUSP_PY_OBFUSC_RevShell_Feb21_1

4.32

25

WEBSHELL_PHP_BeginsWith_eval_Sep21

4.49

193

HKTL_PY_Bypass_Tool_Aug21_2

4.93

15

PUA_SUSP_ScreenConnect_Feb21

5.39

59

HKTL_PowerCat_Use_Oct21_1

5.6

15

SUSP_Encoded_PowerShell_Policies_Sep21_1

5.66

41

SUSP_String_Base64_Jun21

6.19

27

SUSP_BAT_Defender_Exclusion_Path

6.25

12

SUSP_PS1_Loader_Generic_Feb21

6.47

15

WEBSHELL_ReGeorg_Variant_Jul21_1

6.56

27

WEBSHELL_Gen_NeoRegeorg_Tunnel_Feb21

6.74

19

SUSP_PHP_Base64Encoded_Nov20

7.88

17

HKTL_PS1_PowerCat_Mar21

8.18

11

WEBSHELL_ASPX_ProxyShell_Aug21_2

8.72

18

SUSP_Small_ISO_Includes_Rundll32_Apr21_1

9.04

49

SUSP_BAT_PS1_AMSI_Bypass_Aug21_1

9.21

38

HKTL_ShellCode_Loaders_Oct21_3

9.27

15

SUSP_PS1_IEX_Pattern_Oct21_1

9.36

14

SUSP_LNX_RevShell_Payloads_Jun21_1

9.57

30

SUSP_SCRIPT_PowerShell_Param_Abbrev_Jul21

9.76

17

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule

AVs

Hash

VT

JSFuck_Obfuscation

8

d2c4f8bd0400459594df892c3856a86b8df1d7212aacb2b6324f4e93f2e27886

EXP_MicrosoftEdge_WSHFILE_CVE_2018_8495

8

1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef

Hacktool_Strings_p0wnedShell

8

1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef

APT_MAL_Mask_Campaign_Certificate_String

8

1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef

InceptionCloudMe

8

1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef

Suspicious_PS_JS_Indicators

11

63612a89d642a26d2ed1a141ed52af834162afdbe8d459f3391a3f100c332b80

CustomerCase_A4_APT_maliciousSystems

8

1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef

JSFuck_Obfuscation

8

44a825e1a3dccff620bb691b7dc4795a2ef9f91d26920de5a1f67ddea64bdfe5

JSFuck_Obfuscation

8

7d50c6687656e39e0c08d04776a1a872bf36d4e754f9fe7015362cfc15e59f0a

JSFuck_Obfuscation

10

f2029df90597b66d34ddc37a460dc0e37f3be019c0d8a711c246de264a313bdb

CoinMiner_Strings

5

4921059aebd12443745623d734b84c38c92b44b0cde7cedd850dbbb27d9e6c7e

PowerShell_JAB_B64

9

d320002be4a26b80da18be9bf358f70982d0c76ec596ff0bf934cc389505af6e

MAL_GreenBug_Apr18_1

6

c3f49cb1ddcf3679b96c47398e0039387e35b4029dc63bbdacdb9ddef48f2ee3

JS_Run_Users_Folder

3

9a2ab73a0b38063376c57f521512f192e3e42a2532fd000db887216da833c958

Obfuscated_Malware_Jan18_1

7

eb03ca44628ac78702c84a77c73b6df4cbd718a8aefc62c89c9a118c6cbfc6da

JSFuck_Obfuscation

6

9c95d6ca133998a45af542920d0b8bf98fe7c6d48100c7ef3b083c557e1f7699

JSFuck_Obfuscation

3

e4a3d7fa2993ac7009392e99f7fe570356d6b93b05f7c26dc4790ae73ba86eb6

HKTL_LNX_Metasploit_Shell_May20_1

12

982fbe9c1177296c9df2a07a4fa26b60be05714cba69003c8e669b392c35a3e1

HKTL_LNX_Metasploit_Shell_May20_2

12

982fbe9c1177296c9df2a07a4fa26b60be05714cba69003c8e669b392c35a3e1

HKTL_LNX_Metasploit_Agents_Aug21_1

12

982fbe9c1177296c9df2a07a4fa26b60be05714cba69003c8e669b392c35a3e1

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag

Count

Malware

4436

APT

3902

Hacktools

3342

Threat Hunting

2587

Webshells

2080

Exploits

357

Tenable Nessus

Requirement: Privileged Scan

YARA Scanning with Nessus works only when scanning with credentials (privileged scan)

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

You can only upload a single .yar file
Filesystem scan has to be activated
You have to define the target locations
The Nessus plugin ID will be 91990
Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html