currently serving 16693 YARA rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule | Description | Date
WEBSHELL_ASPX_Sep22_1 | Detects ASPX webshells | 29.09.2022
WEBSHELL_ASPX_Sep22_2 | Detects ASPX webshells | 29.09.2022
WEBSHELL_ASPX_RCE_Sep22_1 | Detects ASPX webshells | 29.09.2022
WEBSHELL_ASPX_Sep22_3 | Detects ASPX webshells | 29.09.2022
WEBSHELL_ASPX_Sep22_4 | Detects ASPX webshells | 29.09.2022
MAL_OBFUSC_LNK_Contents_Sep22_1 | Detects suspicious contents in link files indicating obfuscation of PowerShell code | 29.09.2022
MAL_Viking_Sep22_1 | Detects indicators found in unknown malware samples often detected as Viking | 29.09.2022
APT_Camp_Mil_ForensicArtifacts_Sep22_1 | Detects forensic artifacts found in campaigns against military targets | 29.09.2022
APT_VN_MAL_Sep22_1 | Detects strings found in malware samples mentioned in reports in September 2022 | 29.09.2022
SUSP_PS1_LNK_Contents_Sep22_1 | Detects suspicious contents in link files indicating PowerShell code | 29.09.2022
SUSP_PS1_OBFUSC_Sep22_2 | Detects suspicious strings found in obfuscated PowerShell code | 29.09.2022
SUSP_PS1_AMSI_Evasion_Indicators_Sep22_1 | Detects suspicious strings found in obfuscated PowerShell code | 29.09.2022
SUSP_Monitoring_Procs_List_Sep22_1 | Detects strings used in malware to detect several monitoring processes of security tools | 29.09.2022
SUSP_PS1_Remove_EwtTraceProvider_Sep22_1 | Detects suspicious code that contains references to PowerShell functions to remove an ETW provider | 29.09.2022
SUSP_PS1_OBFUSC_Sep22_3 | Detects suspicious methods to obfuscate the execution of PowerShell | 29.09.2022
SUSP_WEBSHELL_Indicators_Sep22_1 | Detects indicators often found in ASPX webshells | 29.09.2022
HKTL_MiniDump_Sep22_2 | Detects LSASS dumper named MiniDump, like DumpThatLSASS | 28.09.2022
HKTL_ProcessDumper_Indicators_Sep22_1 | Detects LSASS dumper indicators found in many process dumpers | 28.09.2022
HKTL_PUA_Gmer_Sep22_1Gmer_Tool_Sep22_1 | Detects the Gmer tool, which can be used to detect rootkits or to deactivate antimalware and monitoring solutions | 28.09.2022
SUSP_PS1_OBFUSC_FormatString_Sep22_1 | Detects | 28.09.2022
SUSP_PS1_OBFUSC_FormatString_Sep22_2 | Detects | 28.09.2022
SUSP_SFX_HidCon_PowerShell_Combo_Sep22 | Detects suspicious SFX files that run PowerShell after extraction | 28.09.2022
SUSP_SFX_HidCon_WScript_Combo_Sep22 | Detects suspicious SFX files that run wscript after extraction | 28.09.2022
HKTL_DumpThatLSASS_Sep22_1 | Detects DumpThatLSASS, a tool that dumps LSASS by unhooking MiniDumpWriteDump using a fresh copy of DbgHelp.dll read from disk | 27.09.2022
APT_MAL_Metador_Mafalda_Sep22_1 | Detects indicators found in Mafalda Clear mentioned in the Metador report | 27.09.2022
APT_MAL_Metador_MetaMain_Sep22_1 | Detects indicators found in metaMain malware mentioned in the Metador report | 27.09.2022
APT_MAL_Metador_MetaMain_Sep22_2 | Detects indicators found in metaMain malware mentioned in the Metador report | 27.09.2022
HKTL_PUA_DrvLoader_YDArk_Sep22 | Detects a possibly unwanted driver that is sometimes misused by threat groups (file YDArk.exe) | 20.09.2022
HKTL_PUA_Driver_YDArk_Sep22 | Detects a possibly unwanted driver that is sometimes misused by threat groups (file YDArkDrv.sys) | 20.09.2022
MAL_RANSOM_BumbleBee_DLL_Sep22_1 | Detects BumbleBee DLLs | 20.09.2022
MAL_RANSOM_BumbleBee_BAT_Sep22_1 | Detects BumbleBee batch files used to execute adfind.exe commands | 20.09.2022
SUSP_PS1_Download_From_FileSharing_Service_Sep22 | Detects command lines that download files from file sharing services | 20.09.2022
SUSP_Enabled_RDP_Registry_Sep22 | Detects command lines that enable RDP via the Registry | 20.09.2022
SUSP_Enabled_PTH_RDP_Registry_Sep22 | Detects command lines that enable RDP via the Registry | 20.09.2022
SUSP_Ngrok_Cmdline_Sep22 | Detects forensic artefacts as mentioned in CrowdStrike's OverWatch report | 20.09.2022
SUSP_PS1_Download_AnyDesk_Sep22 | Detects PowerShell download cradles downloading the AnyDesk remote admin software | 20.09.2022
APT_ForensicArtefacts_CrowdStrike_Report_Sep22_1 | Detects forensic artefacts as mentioned in CrowdStrike's OverWatch report | 20.09.2022
SUSP_PS1_Download_TeamViewer_Sep22 | Detects PowerShell download cradles downloading the TeamViewer remote admin software | 20.09.2022
APT_CN_AquaticPanda_ForensicArtefacts_Sep22_1 | Detects forensic artefacts as mentioned in CrowdStrike's OverWatch report | 20.09.2022
SUSP_Encoded_Download_URL_AnyDesk_Sep22 | Detects encoded download links for the AnyDesk remote admin software | 20.09.2022

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count
SUSP_PUA_LNX_macOS_AnyDesk_Feb22_1 | 0.0 | 29
MAL_ChromeLoader_Var2_BAT_Jul22 | 0.13 | 16
SUSP_PUA_Rclone_Oct21 | 0.18 | 17
SUSP_MAL_PY_Python_Pattern_Aug22_1 | 0.27 | 15
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.27 | 289
SUSP_BAT_Rundll32_May22_1 | 0.3 | 23
SUSP_JS_OBFUSC_Base64_Combo_Jul22_1 | 0.35 | 426
SUSP_MAL_PY_Python_Pattern_Aug22_2 | 0.84 | 19
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 1.08 | 13
HKTL_BAT_Loader_Jul22_1 | 1.16 | 25
SUSP_PY_Exec_Import_Aug22_1 | 1.17 | 24
PUA_NetSupport_Apr22 | 1.53 | 355
SUSP_ISO_In_ZIP_Small_May22_1 | 1.65 | 13441
SUSP_ZIP_PasswordProtected_Content_Phishing_Sep22 | 1.66 | 11915
SUSP_ISO_PhishAttachment_Password_In_Body_Jun22_1 | 2.01 | 78
SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1 | 2.53 | 291
SUSP_GlitchMe_URL_Executable_Aug22 | 2.63 | 24
SUSP_Tiny_RAR_Suspicious_NestedArchive_Mar21_1 | 2.69 | 62
SUSP_PS1_OBFUSC_Pattern_Aug22_1 | 2.84 | 86
SUSP_OBFUSC_obfs4_May22 | 3.0 | 33
SUSP_LNX_SH_Code_Indicator_Payload_Nov21_1 | 3.13 | 15
SUSP_SFX_RAR_RunProgram_CMD_2 | 3.99 | 105
SUSP_LNX_Reverse_Shell_Indicators_Jul22 | 4.0 | 12
SUSP_VBA_Kernel32_Imports_Jun22_1 | 4.06 | 66
SUSP_Tiny_RAR_Suspicious_Extensions_Mar21_1 | 4.07 | 57
SUSP_OBFUSC_JS_May22_1 | 4.14 | 440
SUSP_PS1_OBFUSC_Pattern_Feb22_1 | 4.25 | 28
HKTL_PS1_Invoke_ConPtyShell_Jan22 | 4.33 | 12
SUSP_OBFUSC_LUA_Mar22_1 | 4.36 | 14
SUSP_Compromised_Cert_DarkUtilities_Aug22 | 4.67 | 84

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash
SUSP_Administrator_Desktop_Reference | 14 | 05bcddfe51c28abb7178439393fdcc8864fb86da677a2927f7d7731c876e083b
SUSP_WIN_Go_Binary_Obfuscated_Oct21_1 | 13 | 721eecfcb9fe76bc87a43f05366c2283854d7eb829381f418349a3d2e7aa19a8
SUSP_UPX_Compressed_Go_Binary_Dec21_1 | 13 | 721eecfcb9fe76bc87a43f05366c2283854d7eb829381f418349a3d2e7aa19a8
SUSP_JS_Document_Write_Unescape_Indicators_Mar22_1 | 1 | 6a070eced13a87c297d5fcd433015fedfd57af44428b260ff6834482dd6182c8
APT_MAL_RU_UNC2589_Backdoor_Mar22_2 | 4 | 21d579035bbb831134c20094dd6d5719a965500503e6f8d560e674b7b4c00f38
SUSP_PS1_PowerShell_Loader_May21_1 | 10 | e00ab73ddaceae53f970dd4264028b928ab80b57c987c12ca69cd415af4ac634
SUSP_PS1_Small_Base64Decode_Jun22_1 | 10 | e00ab73ddaceae53f970dd4264028b928ab80b57c987c12ca69cd415af4ac634
SUSP_ISO_In_ZIP_Small_May22_1 | 2 | 32d3329f857b7e5afd06a8d7990f5aace94e9feffdca4e5d53aab1615b7cbfc3
SUSP_ZIP_PasswordProtected_Content_Phishing_Sep22 | 2 | 32d3329f857b7e5afd06a8d7990f5aace94e9feffdca4e5d53aab1615b7cbfc3
SUSP_Base64_Encoded_WhomAmI | 3 | 87c8b79d094501b4bd9b6211b8c2cb061a59bb3acdebc15905aab807553125b5
APT_PlugX_SFX_with_Chinese_Chars | 10 | d27d244b90a779089acf3eb628e5fcbbf536039570324998c369efcce11132ba
SUSP_Encoded_GetProcAddress | 1 | 4106b720c2fa15825e25e7dc9a6e88051638e36cd8c88036d5a575b28f298c75
SUSP_OBFUSC_GO_Binary_Jul22 | 9 | 0eb63dd94d2c62b636c033e80399683e3492c95a45239bb5a81a21bef17ba1fe
SUSP_OBFUSC_Go_Garbled_Apr22_1 | 9 | 0eb63dd94d2c62b636c033e80399683e3492c95a45239bb5a81a21bef17ba1fe
MAL_GOLANG_Sliver_Implant | 9 | 0eb63dd94d2c62b636c033e80399683e3492c95a45239bb5a81a21bef17ba1fe
SUSP_VB6CHS_Indicator_Dec19_1 | 6 | 025d7d363a51c768d54da4287865fa15be58556374e338cd406a6265b36621bb
MAL_IceID_Loader_Mar21_1 | 4 | a2faa7e5cf09c66933e812892e86db44b832537b83bc25bfd5ad3c3f51ef0fb6
MAL_IcedID_GZIP_Loaders_May21_2 | 4 | a2faa7e5cf09c66933e812892e86db44b832537b83bc25bfd5ad3c3f51ef0fb6
SUSP_ShellCode_Injector_Indicators_Jun22_1 | 10 | 6d1685c440a6a080aa3914cc779c38b4a1c00d8ffcebd4114c49d75aee608940
SUSP_ShellCode_Loader_OpCodes_Jun22_1 | 10 | 6d1685c440a6a080aa3914cc779c38b4a1c00d8ffcebd4114c49d75aee608940

Rules Per Category

This list shows the number of rules in each subscribable category (categories overlap, as a single rule can belong to several categories)

Tag | Count
Malware | 5102
APT | 4346
Hacktools | 3902
Threat Hunting | 3686
Webshells | 2163
Exploits | 490

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html