Valhalla Logo
currently serving 13572 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
EXPL_HKTL_PS1_CVE_2021_34470_msExchStorageGroup_Jul21_1
Detects POC code exploiting CVE-2021-34470 msExchStorageGroup PrivEsc vulnerability
30.07.2021
SUSP_PSExec_Run_As_System_Jul21_1
Detects code that uses PsExec to escalate to LOCAL_SYSTEM privileges
30.07.2021
SUSP_BAT_to_EXE_Converter_Jul21_1
Detects suspicious Batch file to Executable indicators
30.07.2021
HKTL_PS1_Mimikatz_LocalPrinter_Jul21_1
Detects suspicious patterns in VBS scripts
30.07.2021
HKTL_AntiAV_Indicators_Jul21_1
Detects suspicious patterns in VBS scripts
30.07.2021
SUSP_PS1_SeriousSAM_PoCs_Jul21_1
Detects PowerShell scripts that seem to make use of the SeriousSAM vulnerability
29.07.2021
SUSP_VBS_Patterns_Jul21_1
Detects suspicious patterns in VBS scripts
29.07.2021
SUSP_Net_User_Domain_Recon_Jul21_1
Detects a net user command exporting information to a local file - often used in recon actvity
29.07.2021
SUSP_PS1_FIN8_Patterns_Jul21_1
Detects suspicious patterns in VBS scripts
29.07.2021
APT_TA456_VBS_LEMPO_Recon_Tool_Jul21_1
Detects TA456 LEMPO Recon tools
29.07.2021
APT_FIN8_Patterns_Jul21_1
Detects suspicious patterns in VBS scripts
29.07.2021
MAL_PlugX_Loaders_THOR_Payloads_Jul21_1
Detects PlugX loaders loading THOR payloads
28.07.2021
MAL_PlugX_Loaders_THOR_Payloads_Jul21_2
Detects PlugX THOR loaders
28.07.2021
MAL_PlugX_Loaders_PLUG_Payloads_Jul21_1
Detects PlugX PLUG loaders
28.07.2021
MAL_PlugX_Delivery_Pattern_Jul21_1
Detects patterns found in delivery method used in PlugX campaign
28.07.2021
MAL_PlugX_THOR_Encoded_Payload
Detects files with characteristics of encrypted payloads used by THOR PlugX malware
28.07.2021
SUSP_Filename_Combo_Hex_AdobeUpdate_Jul21_1
Detects suspicious filename combination often found in PlugX loaders
28.07.2021
SUSP_BitsAdmin_Github_Pattern_Jul21_1
Detects patterns found in delivery method using bitsadmin and raw.githubusercontent
28.07.2021
SUSP_ZIP_PlugX_Pattern_Jul21_1
Detects patterns found in delivery ZIP archives (could be false positives)
28.07.2021
SUSP_PS1_ProcessMemory_Mods_Jul21_1
Detects PowerShell scripts that modifies and create processes
26.07.2021
SUSP_PS1_ProcessMemory_ShellCode_Jul21_1
Detects PowerShell scripts that include shellcode
26.07.2021
SUSP_PS1_ProcessMemory_Mods_Jul21_3
Detects PowerShell scripts that modifies and create processes
26.07.2021
HKLT_PortBender_Jul21_1
Detects PortBender tool that allows to redirect TCP connections on Windows systems
26.07.2021
HKLT_StreamDivert_Jul21_1
Detects StreamDivert TCP port redirection tool
26.07.2021
HKLT_SharpRDPHijack_Jul21_1
Detects Sharp RDP Hijack proof-of-concept .NET/C Sharp Remote Desktop Protocol (RDP) session hijack utility for disconnected sessions
26.07.2021
HKLT_PS1_ProcessMemory_Mods_Jul21_1
Detects PowerShell scripts that modifies processes, load and execute payloads
26.07.2021
MAL_APK_LNX_Archive_Android_NSO_Pegasus_Jul21_1
Detects NSO Pegasus samples
22.07.2021
MAL_APK_LNX_Archive_Android_NSO_Pegasus_Jul21_2
Detects NSO Pegasus samples
22.07.2021
MAL_APK_LNX_Android_NSO_Pegasus_Jul21_1
Detects NSO Pegasus samples - file inject
22.07.2021
MAL_Unknown_Injector_JapanCampaign_Olympics_Jul21_1
Detects samples used in Wiper attack against Japanese PCs (similarities with Nitro Injector)
22.07.2021
MAL_CS_Loader_Jul21_1
Detects CobaltStrike sample loader
22.07.2021
HKTL_SpoolSample_Jul21_1
Detects PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface
22.07.2021
WEBSHELL_Perl_PulseSecure_Jul21_1
Detects indicators found in Webshells placed on PulseSecure devices (these strings could also appear in other malware or benign software)
22.07.2021
HKTL_SpoolSample_Jul21_2
Detects PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface
22.07.2021
WEBSHELL_Perl_Jul21_1
Detects Perl Webshell related to the ones found on PulseSecure devices
22.07.2021
HKTL_SpoolSample_Jul21_3
Detects PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface
22.07.2021
HKTL_PS1_PingCastle_Namespace_Jul21_1
Detects suspicious PowerShell scripts that use the PingCastle namespace
22.07.2021
HKTL_PY_Dementor_Jul21_1
Detects Dementor - PoC to connect to spoolss to elicit machine account authentication
22.07.2021
HKTL_LNX_ClearLog_PulseSecure_Jul21_1
Detects hacktool dsclslog that clears log files on Linux systems
22.07.2021
HKTL_LNX_SH_ClearLog_PulseSecure_Jul21_1
Detects shell script that clears log files on Linux systems
22.07.2021

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
SUSP_ELF_ShellCode_May21
0.0
18
HKTL_Amsi_DLL_AMSI_Bypass_May21_1
0.09
11
SUSP_Tiny_RAR_Mar21_1
0.63
266
SUSP_MalDoc_Indicator_VBA_Nov20_1
1.11
18
HKTL_PUA_SharpPcap_DLL_Library_May21
1.13
16
HKTL_TFRM_Scanner_Portscanner_May21_1
2.27
11
HKTL_Invoke_Inveigh_Oct20
2.96
79
HKTL_AMSIBypass_Tool_OpCode_Indicators_May21_1
3.11
37
HKTL_PUA_ShadowSocks_Simplified_Chinese_Jul21
3.26
38
SUSP_OBFUSC_JavaScript_Apr21_2
3.4
15
SUSP_Encoded_Metasploit_Shellcode_Dec20_1
3.67
15
SUSP_LNX_ShellCode_Loader_Jun21_1
3.76
21
SUSP_Small_EXE_Drive_Ref_May21_1
4.19
16
SUSP_Encoded_Kernel32_Functions
4.37
54
HKTL_PY_Loader_Feb21_2
4.74
23
HKTL_PY_ShellCode_Loader_Feb21_1
5.31
13
SUSP_SAM_Hive_Loc_EXE_Jul21_1
5.5
28
MAL_PyDomer_Gen_Mar21_1
6.03
40
SUSP_SAM_Hive_Loc_Script_Jul21_1
6.32
25
SUPS_MAL_Packer_Oct20_1
6.34
158
PUA_SUSP_ScreenConnect_Feb21
7.36
146
SUSP_BAT_to_EXE_Converter_Jul21_1
7.54
13
SUSP_PS1_PowerShell_Loader_May21_1
7.78
18
HKTL_PUA_Procdump
7.9
21
SUSP_LNX_RevShell_Payloads_Jun21_1
8.34
41
SUSP_PS1_Kernel32_User32_Imports_May21_1
8.44
32
SUSP_Encoded_SystemReflection_Assemly_Load
8.52
25
SUSP_Modified_PEFile_Header_Anomaly
8.54
46
HKTL_PUA_Chisel_TCP_Tunneling_Oct20_1
8.71
21
APT_WEBSHELL_BEHINDER_JSP_Webshell_May21_1
8.77
13

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
HKTL_MAL_Loader_Aug20_4
4
270a3161eb3c2fba68896b78c92fcf40872d91a513be339a494879f36e969928
SUSP_MAL_Indicators_May21_1
14
57d94140d45399cd29442bb97e89ac3d6a6fc3872061b5437626da106e3fde98
SUSP_Image_JavaScript_Shell_Apr21
7
5455465d2da4d90df02c28d8aa7d67451434f15ab8b4383c63ee4da5f15dd10e
SUSP_Image_JavaScript_Shell_Apr21
7
c2c03ac619d98d62714e4d7d8051da00991dfeb84c677e2ea25742ac3f88c3ef
SUSP_Encoded_GetCurrentThreadId_FileOnly
1
8fc4e6fb552083f302b106e718180b25f8cbe48e5e18840ad95ae2b982d8a81e
SUSP_Encoded_WriteProcessMemory_FileOnly
1
8fc4e6fb552083f302b106e718180b25f8cbe48e5e18840ad95ae2b982d8a81e
SUSP_Encoded_RegistryKey
1
8fc4e6fb552083f302b106e718180b25f8cbe48e5e18840ad95ae2b982d8a81e
SUSP_RootHelper_Indicators_Jun21_1
3
3584ce88a29ee809ef95896deb6b63f7dacea22ef78f16176ed628a4f80051a2
SUSP_RootHelper_Indicators_Jun21_1
3
48ac437773f15f2729c9a21b72a44ab7f5150d6acce4f1319bfcdf176a674f63
SUSP_RootHelper_Indicators_Jun21_1
3
01427722f6f8a8de7de43b47adf74f2669d92d19acbbf3fd24b0673c47af4c29
SUSP_RootHelper_Indicators_Jun21_1
3
932a4f0d7a5e138fdd33007fb0d89f1301c652f1d94cd773f6f6c9a451ac256e
SUSP_RootHelper_Indicators_Jun21_1
3
e8645bd2a99e38bdd7b7da34904a9c57b80a34a0446081364eef78e81ae0f12e
SUSP_RootHelper_Indicators_Jun21_1
3
ac2fc930eec0dcb14b9b0ac43234ab4d8cd85340e33ba4e09e4743daab76c4ce
APT_NK_Methodology_Artificial_UserAgent_IE_Win7
4
7a0154197f95ab2d5a3e27b3e732e55b789a214c1e1c14aecb4a3d8d9b844195
APT_NK_Methodology_Artificial_UserAgent_IE_Win7
6
7ab5670bc8e3e772c01e7f8ce3cc12dc468a41e3ea639c3c3ccddfa7680b24da
SUSP_RootHelper_Indicators_Jun21_1
3
d7a8c5e9a66b8a89e81e672096353e0ef281bf45a3e5a6e56e95f9975b45a512
SUSP_ShellCode_Launcher_Indicators_May21_1
8
ea8b3aa11e997510903d5ef7ce95e8d4f089e8efba33f780eba75cb399925abe
PassCV_Sabre_Malware_Signing_Cert
12
4cbc091616d9b559fcbaedc7b27034ecaaf80cda82960cdd4f68aa07ff839d4b
APT_DarkHydrus_Jul18_4
7
bb7a95b7d2bff9226c83051377a2ae8715713f0b512c977604a53c16a517475e
APT_DarkHydrus_Jul18_4
6
62d35e9e6f972ac04baac2dd048af3ecefba3e798bb085344128986ee2fd5df7

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
APT
3804
Malware
3214
Hacktools
3141
Threat Hunting
2358
Webshells
2039
Exploits
291

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020