currently serving 14859 YARA rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule

Description

Date

Ref

SUPS_PS1_Tiny_Loader_Characteristics_Jan22

Detects indicators often found in suspicious small PowerShell downloaders

21.01.2022

SUPS_PS1_Backdoor_Jan22_1

Detects indicators found in suspicious small PowerShell backdoor

21.01.2022

SUPS_PS1_AES_Managed_Jan22_1

Detects suspicious use of System.Security.Cryptography.AesManaged in PowerShell scripts

21.01.2022

SUPS_PS1_Encryption_Jan22_2

Detects suspicious indicators found in malicious scripts that use encryption

21.01.2022

SUSP_OBFUSC_Base64_String_Split_Jan22

Detects split base64 string often found in obfuscated scripts

21.01.2022

WEBSHELL_PHP_Wordpress_Backdoors_Jan22_1

Detects PHP webshell implants used in Wordpress supply chain attacks

21.01.2022

MAL_RANSOM_LockBit_Jan22_1

Detects LockBit ransomware samples

21.01.2022

LOG_CodeIntegrity_Blocked_Driver_Load

Detects events in the CodeIntegrity event log that indicate driver loads that were blocked due to unmet signing level requirements

20.01.2022

HKTL_EXPL_LNX_Indicators_Jan22_1

Detects strings often found in Linux exploit code

20.01.2022

HKTL_EXPL_LNX_Indicators_Jan22_2

Detects strings often found in Linux exploit code

20.01.2022

HKTL_EXPL_LNX_Indicators_Jan22_3

Detects strings often found in Linux exploit code

20.01.2022

HKTL_EXPL_LNX_Indicators_Jan22_4

Detects strings often found in Linux exploit code

20.01.2022

WEBSHELL_EXPL_VMWare_Horizon_JS_Shells_Jan22_1

Detects VMWare Horizon JS shells planted after successful Log4Shell exploitation

20.01.2022

APT_MAL_RU_Turla_ComLook_Jan22_1

Detects ComLook backdoor used by Turla group

20.01.2022

SUSP_IAppIdPolicyHandler_GUID_EXE_Jan22

Detects suspicious IAppIdPolicyHandler GUID in executable files

19.01.2022

SUSP_PS1_OBFUSC_Jan22_1

Detects suspicious PowerShell obfuscation noticed in malicious scripts

19.01.2022

SUSP_VBS_OBFUSC_Jan22_1

Detects suspicious PowerShell obfuscation noticed in malicious scripts

19.01.2022

SUSP_VBS_WScript_IPC_Combo_Jan22_2

Detects suspicious VBS scripts that comine WScript.Shell directives with the IPC$ keyword

19.01.2022

SUSP_PS1_OBFUSC_Base64String_Jan22_1

Detects suspicious split up and obfuscated Base64String value

19.01.2022

SUSP_Bitsadmin_Pattern_Jan22_1

Detects suspicious bitsadmin pattern often found in malicious dropper scripts

19.01.2022

SUPS_HKTL_WinPEAS_Output_Jan22

Detects output generated by WinPEAS which is a tool that searchs for possible paths to escalate privileges on Windows hosts

19.01.2022

HKTL_WinPEAS_Jan22

Detects WinPEAS which is a script that searchs for possible paths to escalate privileges on Windows hosts

19.01.2022

HKTL_LinPEAS_Jan22

Detects LinPEAS which is a tool that searchs for possible paths to escalate privileges on Linux/MacOS hosts

19.01.2022

MAL_RANSOM_Wiper_Jan22_1

Detects Ransomware or Wiper malware related to campaign against Ukrainian targets

19.01.2022

MAL_Unknown_Loader_Jan22_1

Detects suspicious samples that contain indicators as found in ransomware samples noticed in January 2022

19.01.2022

APT_WEBSHELL_PHP_Prometheus_Jan22_1

Detects suspicious samples that contain indicators as found in ransomware samples noticed in January 2022

19.01.2022

APT_CampoLoader_Jan22_1

Detects suspicious samples that contain indicators as found in ransomware samples noticed in January 2022

19.01.2022

SUSP_HKTL_SharpAppLocker_JSON_Output_Jan22

Detects output files of SharpAppLocker which is a C# port of the Get-AppLockerPolicy PS cmdlet with extended features

18.01.2022

HKTL_SHARPFILES_Jan22

Detects Sharpfiles which is a tool to search for files based on SharpShares

18.01.2022

HKTL_SHARPLAPS_Jan22

Detects SharpLAPS which is a tool to retrieve LAPS passwords from LDAP

18.01.2022

HKTL_WMIREG_Jan22

Detects WMIReg which is a tool used to read and write to local and remote registry keys

18.01.2022

HKTL_SEARCH_OUTLOOK_Jan22

Detects SearchOutlook which is a tool used to search through a running instance of Outlook for keywords

18.01.2022

HKTL_SharpAppLocker_Jan22

Detects SharpAppLocker which is a C# port of the Get-AppLockerPolicy PS cmdlet with extended features

18.01.2022

APT_HKTL_FRP_ME_Indicators_Jan22_1

Detects indicators found in Go based samples used by Charming Kitten

18.01.2022

APT_ME_Artefacts_Jan22_1

Detects artefacts found in Charming Kitten intrusions

18.01.2022

SUSP_PS1_CReplace_Casing_Anomaly

Detects suspicious casing in -creplace command used in PowerShell scripts

17.01.2022

SUSP_PS1_PowerShell_Uncommon_Flags_Jan22_1

Detects an uncommon PowerShell flag combination often found in malicious samples

17.01.2022

SUSP_PUA_CommandPatterns_Jan22_1

Detects command patterns found in bash_history of compromised systems

17.01.2022

SUSP_HKTL_CommandPatterns_Jan22_1

Detects command patterns found in bash_history of compromised systems

17.01.2022

SUSP_HKTL_JAVA_MarshalSec_Jan22_1

Detects MarshalSec JAVA deserialization toolkit indicators

17.01.2022

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule

Average AV Detection Rate

Sample Count

Info

HKTL_PUA_SharpPcap_DLL_Library_May21

0.0

SUSP_PUA_SoftEther_VPNGate_Sftware_Dec21_1

0.03

HKTL_RMM_Client_Aug21_1

0.18

SUSP_PUA_Splashtop_RemoteControl_Oct21

0.24

SUSP_OBFUSC_JS_Sep21_1

0.6

SUSP_Tiny_RAR_Mar21_1

0.83

738

SUSP_LMHash_Empty_Jul21_1

0.91

HKTL_PY_Loader_Feb21_2

1.2

WEBSHELL_PHP_Obfuscation_Functions_Sep21

1.91

140

WEBSHELL_PHP_BeginsWith_eval_Sep21

2.03

165

SUSP_Download_Githubcontent_Shell

2.08

SUSP_PS1_Indicators_Loader_Gen_Dec21_2

2.39

EXPL_Log4j_CVE_2021_44228_Pattern_Dec21_1

2.63

HKTL_PY_Bypass_Tool_Aug21_2

2.66

SUSP_CryptoCoin_Miner_Keywords_Dec21_1

3.15

SUSP_LNX_Back_Connect_Shell_Indicator_Jun21_1

3.55

SUSP_Small_Compiled_Nim_Executable_Jun21_1

3.75

SUSP_PS1_OBFUSC_Jan22_1

3.93

SUSP_OBFUSC_VBS_Dec21

4.08

SUSP_BAT_OBFUSC_ENV_Obfuscation_Apr21_1

4.4

SUSP_PS1_Loader_Jan22_4

4.46

EXPL_Log4j_CVE_2021_44228_Dec21_Soft

4.68

HKTL_PUA_FRP_FastReverseProxy_Oct21_1

4.71

HKTL_AMSIBypass_Tool_OpCode_Indicators_May21_1

4.83

SUSP_MSHTA_Invocation_Dec21_1

5.18

SUSP_PS1_PowerShell_Loader_May21_1

5.59

SUSP_PUA_ScreenConnect_Client_Setup_Oct21_1

5.66

109

SUSP_PS1_Kernel32_User32_Imports_May21_1

5.67

SUSP_PS1_Loader_Generic_Feb21

5.79

PUA_SUSP_ScreenConnect_Feb21

5.9

196

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule

AVs

Hash

SUSP_LNX_Small_UPX_File_Jun21

e5065a5ae8b0fa5220d09db24e5c6b18c96ea7be6d1607e45ec11593f2213429

SUSP_LNX_Small_UPX_File_Jun21

8758f3ed2b56ae7bd4e5254672e57e72d167437ba9eac26edff1111741b00c3b

MAL_MSI_PurpleFox_Mar21

ff1f1c9952b627b8e1c16f4b095b366151a682f6cb370fa0a8de3b68d33e34c1

SUSP_PowerShell_Agent_Characteristics_Jun21_1

3e72d82987b88609b5ede57d334865973225ada3cf0351f8d1a3683a1a806adb

SUSP_Enigma_Protector

9221321fe0ea7e24a872c14917fec6c6b1296268fae38838b5106f56ece618d5

apt_CN_Tetrisplugins_JS

984e2c0e254b52849a5de0eeeffabe2b059fa9cc0043122d2e8918d9ccbfcc61

apt_CN_Tetrisplugins_JS

9494f44dd1e51a3e2dacd86570c99848183f88369b8c9f60e714396b57362bfe

apt_CN_Tetrisplugins_JS

527f4893bcb01414015bb6f27f7df201120d1c2ea0ea69332a75e59fc6ba3be7

apt_CN_Tetrisplugins_JS

a63e0f955a3f9b201ce8bdcab56425e42664720d2e22b0e01908ba5ecd399ca8

apt_CN_Tetrisplugins_JS

7fe2e2db25fde07b029af31cc68e13b73e5e3565c4d5cb6bd37205c27f1f04aa

apt_CN_Tetrisplugins_JS

42c5952050980f8a0e9c8e1a65e11b24a0f52b406314b6f34c75152b918a2bf0

SUSP_UPX_Compressed_Go_Binary_Dec21_1

7960721ebc18c60510ebcc6dfd27766560174588952d67f1699175bf89a9337c

SUSP_PE_Discord_Attachment_Oct21_1

1101244026b613dcc52185943c02f51727784bd7631c4da7d3cdf2ee0ce9e896

SUSP_PUA_ScreenConnect_Client_Setup_Oct21_1

048127e1f8dcaa183bb9895208d283692d38dd5a1fc0400adee639de8b9f810b

ProcessInjector_Gen

a1c5b8bee139f68db8750714e0363302544359a69d89b598e03d47accb7f2be7

SUSP_Enigma_Protector

82de76d32bfa81e1ed62f91a3612a055aa10005ab9d2bd0778ab232cd09e8b24

SPEC_COVID19_Phish_Hunting

c0e722663ccba5b1ca3d4612f9389b0099f3eec7aea64039c2d425832112f848

Suspicious_AutoIt_by_Microsoft

d5017f72448afa8957ebe06f07c8e06d12475b50e437c957615f49702bbc7a11

HackTool_Samples

771e6eda69e9c105eb3dcdcef3a56b592fcf743111e07e33e248a79d64ea86bf

Suspicious_Strings_Hacktool_Output

771e6eda69e9c105eb3dcdcef3a56b592fcf743111e07e33e248a79d64ea86bf

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag

Count

Malware

4601

APT

4022

Hacktools

3478

Threat Hunting

2907

Webshells

2097

Exploits

402

Tenable Nessus

Requirement: Privileged Scan

YARA Scanning with Nessus works only when scanning with credentials (privileged scan)

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

You can only upload a single .yar file
Filesystem scan has to be activated
You have to define the target locations
The Nessus plugin ID will be 91990
Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html