Valhalla Logo
currently serving 17241 YARA rules and 2668 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
HKTL_laZzy_Loader_Nov22_1
Detects lazZy loaders
23.11.2022
HKTL_CyUpdate_Loader_Nov22_1
Detects samples that could be loaders for NightHawk C2 implants
23.11.2022
HKTL_SMBScan_PingCastle_Scanner_Nov22_1
Detects PingCastle SMB Scanner
23.11.2022
MAL_NET_Loader_Nov22_1
Detects unknown .NET loader
23.11.2022
MAL_ISO_VBS_Payload_Nov22_1
Detects components of malicious ISO dropper
23.11.2022
SUSP_Signed_VBS_Payload_Nov22_1
Detects characteristics as found in suspicious VBS scripts found in campaigns using ISO images
23.11.2022
HKTL_ReverseShell_Loaders_Nov22_1
Detects reverse shell loaders (mostly Metasploit)
23.11.2022
HKTL_ShellCode_Loaders_Nov22_1
Detects reverse shell loaders
23.11.2022
HKTL_C2_FSociety_Nov22_1
Detects post-exploitation tool FSociety (used by Hagga)
23.11.2022
SUSP_ShellCode_Indicator_Nov22_1
Detects simple shell codes
23.11.2022
SUSP_ShellCode_Indicator_Nov22_2
Detects simple reverse shell codes
23.11.2022
SUSP_ShellCode_Indicator_Nov22_3
Detects simple reverse shell codes
23.11.2022
SUSP_Unknown_Loader_Nov22_1
Detects samples with characteristics as found in unknown loaders
22.11.2022
SUSP_NightHawk_Characteristics_Nov22_2
Detects characteristics found in NightHawk C2 loaders
22.11.2022
SUSP_OpCode_Indicator_Nov22_1
Detects samples with opcode sequences found in malicious samples
22.11.2022
SUSP_NightHawk_Characteristics_Nov22_3
Detects characteristics found in NightHawk C2 loaders
22.11.2022
SUSP_Nop_Export_Nov22
Detects suspicous DLL files with an export often found in malicious samples
22.11.2022
MAL_ShellCode_Loader_Nov22_1
Detects shell code loaders as used by Mustang Panda
22.11.2022
MAL_ShellCode_Indicator_Nov22_1
Detects shell codes as used by Mustang Panda
22.11.2022
HKTL_NightHawk_Characteristics_Nov22_1
Detects characteristics found in NightHawk C2 loaders
22.11.2022
HKTL_NH_Loaders_Nov22_1
Detects samples with characteristics found in NightHawk loaders
22.11.2022
HKTL_NightHawk_Indicators_Nov22_1
Detects samples with characteristics as found in NightHawk loaders
22.11.2022
HKTL_DarkLoadLibrary_Indicators_Nov22_1
Detects samples with characteristics as found in DarkLoadLibrary
22.11.2022
SUSP_LNX_Indicators_Nov22_1
Detects indicators found in unknown malicious crond
21.11.2022
SUSP_LNK_Characteristics_Nov22
Detects suspicious commands and strings inside LNK files
21.11.2022
SUSP_TASK_Users_Public_Nov22
Detects commands in scheduled task definitions that point to the Users/Public folder
21.11.2022
SUSP_OBFUSC_JS_Nov22
Detects obfuscated JavaScript code
21.11.2022
SUSP_PS1_Indicators_Nov22
Detects indicators found in malicious PowerShell loaders
21.11.2022
SUSP_AppData_PathTraversal_Nov22_1
Detects suspicious path traversal from AppData folder to get into the User folder
21.11.2022
MAL_LNX_Mirai_Nov22_1
Detects Mirai malware
21.11.2022

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.01
469
SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22
0.12
17
SUSP_PS1_Loader_Indicators_Jul22_6
0.39
23
EXPL_Exchange_ProxyNoShell_Patterns_CVE_2022_41040_Oct22_1
0.73
11
SUSP_GlitchMe_URL_Executable_Aug22
0.78
68
WEBSHELL_PHP_Jul22_3
0.8
20
HKTL_PUA_WinTun_Jan22
0.87
15
SUSP_Base64_Encoded_Exploit_Indicators_Dec21
1.0
11
SUSP_PY_OBFUSC_Hyperion_Aug22_1
1.06
32
PUA_NetSupport_Apr22
1.09
413
WEBSHELL_PHP_Jul22_4
1.13
15
SUSP_MkFifo_Tmp_Jul22
1.18
11
MAL_ChromeLoader_Var2_BAT_Jul22
1.18
17
SUSP_ZIP_PhishAttachment_Password_In_Body_Jun22_1
1.26
19
EXPL_JNDI_Exploit_Patterns_Dec21_1
1.31
13
SUSP_BAT_Start_Background_EmptyTitle_Sep22_1
1.41
17
SUSP_Office_Doc_Encrypted_Aug22
1.41
581
SUSP_Characteristics_ProcessDump_Nov22_2
1.46
13
SUSP_Comsvcs_DLL_MiniDump_Dec21_1
1.61
18
SUSP_AdvancedRun_RunAs_Privileged_User_Jan22
1.82
11
SUSP_ZIP_PasswordProtected_Content_Phishing_Sep22
1.84
2625
SUSP_ISO_In_ZIP_Small_May22_1
1.94
2505
SUSP_JS_OBFUSC_Base64_Combo_Jul22_1
2.02
204
SUSP_AppData_PathTraversal_Nov22_1
2.05
19
SUSP_PY_Exec_Import_Aug22_1
2.11
19
SUSP_JDNIExploit_Indicators_Dec21
2.16
19
HKTL_PUA_SystemInformer_Nov22_1
2.23
13
MAL_QBot_HTML_Smuggling_Indicators_Oct22_1
2.62
248
HKTL_PUA_SystemInformer_Nov22_2
2.63
40
SUSP_ISO_PhishAttachment_Password_In_Body_Jun22_1
2.64
66

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_JDNIExploit_Indicators_Dec21
6
7d26c10c14d10cc8831b98c842c08ca19a50f6224005c9ce42824ea32166e639
Casing_Anomaly_Windowstyle
11
0bbceaa5615f5c0880c84474167425291e93fc44b1d48345a135983b1e8db294
SUSP_Casing_Anomaly_Env_Computername_Nov21
11
0bbceaa5615f5c0880c84474167425291e93fc44b1d48345a135983b1e8db294
Casing_Anomaly_Join
11
0bbceaa5615f5c0880c84474167425291e93fc44b1d48345a135983b1e8db294
SUSP_JS_Document_Write_Unescape_Indicators_Mar22_1
1
579c144e4079ddb2f90daa0bae3ec6bcf87fcbb6f13ec0910fb767b03b7de566
SUSP_OBFUSC_JS_DocWriteUnescape_Aug19_2
1
579c144e4079ddb2f90daa0bae3ec6bcf87fcbb6f13ec0910fb767b03b7de566
CN_Hacktools_tools_srvany
1
ec722a45effa9afd8fa2afd2544dc1cdcf9dccf26249f42d7f208b552c3df967
webshell_php_generic
2
157453add47ae32929ce958bd19bba4467ea3fffda4840ca4657f72f3271a0d3
SUSP_CryptoObfuscator
2
42efe432cac5207051d755df31c6bd2701943d0aaa7eefb19fa7a73499fb0cd7
SUSP_Process_Dumper_Nov22_1
1
8bd4ea33438130e305968e4d4c692751651ad19dc960e35a1b9cfcf503efe1f2
webshell_php_generic
4
f7d442194ad954444b2cb3fc85a691be9130f3675e42c367314eb4abc4cd67f4
SUSP_RAR_Single_Exe_File
2
518f300d24ddaba7cf998e9ee335c9ab607226d44161323968645520f76fa825
SUSP_Administrator_Desktop_Reference
3
83d65210d041d8fc29b5105ad4377fe2b5c622f223ba7bca7d75e76ba98d446f
webshell_php_generic
4
a3229faa6797e3324a54f5bf0e46ac183ba9ecc82417a992a736428420930117
MAL_Unknown_PWDumper_Apr18_3
13
50a966ffa0efb86405401f69e96c1fd998bae61e62d6f9880aeabda263346239
MAL_Loaderx86_Feb18_1
13
50a966ffa0efb86405401f69e96c1fd998bae61e62d6f9880aeabda263346239
Unspecified_Dropper_Mar17_2
13
50a966ffa0efb86405401f69e96c1fd998bae61e62d6f9880aeabda263346239
MAL_Backdoor_Rifle_Feb19_1
13
50a966ffa0efb86405401f69e96c1fd998bae61e62d6f9880aeabda263346239
MAL_Unknown_Loader_Mar20_1
13
50a966ffa0efb86405401f69e96c1fd998bae61e62d6f9880aeabda263346239
Hacktool_URLs_Github
5
3bfc040a7da651d810ed65a2902c6f0c9523c2d208056c59cd5fe78846b9e01d

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
6611
APT
4525
Hacktools
4407
Threat Hunting (not subscribable, only in THOR scanner)
3926
Webshells
2203
Exploits
731

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
UAC Bypass Using Event Viewer RecentViews
Detects the pattern of UAC Bypass using Event Viewer RecentViews
22.11.2022
Microsoft Exchange ProxyNotShell Exploit Traffic
Detects Microsoft Exchange exploit traffic for CVE-2022-41040 and CVE-2022-41082 (A.K.A ProxyNotShell)
21.11.2022
Microsoft Exchange ProxyNotShell Exploit Traffic
Detects Microsoft Exchange exploit traffic for CVE-2022-41040 and CVE-2022-41082 (A.K.A ProxyNotShell)
21.11.2022
NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
18.11.2022
Cmd.Exe Execution With Uncommon Flag
Detect use of "/R" flag which is the same as "/C". This flag is often used for obfsucation and should be investigated
18.11.2022
NET CLR Binary Execution Usage Log Artifact
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context
18.11.2022
Suspicious Powercfg Execution To Change Lock Screen Timeout
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
18.11.2022
Suspicious Windows Defender Exclusions Added - PowerShell
Detects execution of the PowerShell "Add-MpPreference" or "Set-MpPreference" cmdlets to add dangerous exclusions to Windows Defender
17.11.2022
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
17.11.2022
Microsoft Exchange ProxyNotShell Exploit
Detects Microsoft Exchange exploit for CVE-2022-41040 and CVE-2022-41082 (A.K.A ProxyNotShell)
17.11.2022
Microsoft Exchange Pool Exploit
Detects Microsoft Exchange exploit abusing Exchange pools
17.11.2022
PST Export Alert Using New-ComplianceSearchAction
Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
17.11.2022
Suspicious Msbuild Execution By Uncommon Parent Process
Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
17.11.2022
Suspicious Windows Defender Exclusions Added
Detects execution of the PowerShell "Add-MpPreference" or "Set-MpPreference" cmdlets to add dangerous exclusions to Windows Defender
17.11.2022
Suspicious Tasks Running System Processes
Detects suspicious execution of scheduled tasks with processes masquerading as system processes
17.11.2022
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
17.11.2022
Process Hacker and System Informer Driver Load
Detects the load of drivers used by Process Hacker and System Informer
16.11.2022
Suspicious Creation Of Rnasom Note Files
Detects the creation of files with a known ransom note name
16.11.2022
Suspicious Creation Of File With Ransomware Extensions
Detects the creation of files with an extension known to be used by ransomware
14.11.2022
Possible Process Injection Into System Processes
Detects cmd or powershell processes with suspicious arguments being children of system processes. This could be a sign of process injection
14.11.2022
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
11.11.2022
CN Hacktool AllInOne
Detects hacktool named AllinOne used by Chinese threat actors
11.11.2022
Use Of The SFTP.EXE Binary As A LOLBIN
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
10.11.2022
Vulnerable Lenovo Driver Load
Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges
10.11.2022
Computer Discovery And Export Via Get-ADComputer Cmdlet
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
10.11.2022
Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
10.11.2022
PuTTY Secure Copy Execution
Detects execution of PuTTY Secure Copy (PSCP)
10.11.2022
Renamed PuTTY Secure Copy Execution
Detects execution of a renamed PuTTY Secure Copy (PSCP)
10.11.2022
PuTTY Secure Copy Suspicious Usage
Detects suspicious usage of PuTTY Secure Copy (PSCP) to exilftrate file
10.11.2022
Suspicious Sc Query Execution
Detects suspicious execution of "sc.exe" to query information about all registered services on a system or specific important services
10.11.2022

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
970
windows / security
148
windows / ps_script
146
windows / registry_set
141
windows / file_event
121
windows / system
59
webserver
56
linux / process_creation
51
windows / image_load
51
linux / auditd
50
azure / activitylogs
38
windows / network_connection
36
proxy
35
windows / registry_event
35
azure / auditlogs
33
macos / process_creation
32
aws / cloudtrail
31
windows / ps_module
30
windows / process_access
25
azure / signinlogs
22
windows / application
19
rpc_firewall / application
17
windows / pipe_created
17
linux
16
windows / driver_load
15
gcp / gcp.audit
14
m365 / threat_management
13
windows / dns_query
13
okta / okta
12
cisco / accounting / aaa
12
dns
12
windows / create_remote_thread
12
windows / registry_add
10
windows / ps_classic_start
10
windows / windefend
9
windows / file_delete
8
windows / msexchange-management
8
antivirus
7
zeek / smb_files
7
windows / create_stream_hash
7
windows / registry_delete
6
windows / bits-client
6
firewall
6
windows / firewall-as
6
google_workspace / google_workspace.admin
6
azure / azureactivity
5
zeek / dce_rpc
5
linux / file_create
5
windows / file_access
4
zeek / dns
4
apache
3
windows / sysmon
3
windows / codeintegrity-operational
3
windows / wmi_event
3
windows / powershell-classic
3
zeek / http
3
linux / network_connection
3
windows / ntlm
3
linux / sshd
2
linux / syslog
2
onelogin / onelogin.events
2
windows / security-mitigations
2
windows / file_change
2
qualys
2
windows / file_rename
2
macos / file_event
2
windows / smbclient-security
2
linux / auth
2
windows / dns-server
2
windows / openssh
1
m365 / threat_detection
1
zeek / kerberos
1
windows / printservice-operational
1
linux / clamav
1
windows / printservice-admin
1
windows / raw_access_thread
1
python / application
1
linux / guacamole
1
django / application
1
windows / webserver
1
windows / microsoft-servicebus-client
1
ruby_on_rails / application
1
linux / vsftpd
1
windows / shell-core
1
spring / application
1
windows / applocker
1
windows / file_block
1
sql / application
1
netflow
1
windows / terminalservices-localsessionmanager
1
windows / diagnosis-scripted
1
windows / process_tampering
1
linux / cron
1
windows / taskscheduler
1
windows / sysmon_status
1
windows
1
windows / ps_classic_provider_start
1
windows / sysmon_error
1
microsoft365portal / auditlogs
1
windows / driver-framework
1
linux / sudo
1
zeek / x509
1
windows / wmi
1
linux / modsecurity
1
windows / ldap_debug
1
windows / powershell
1
m365 / exchange
1
zeek / rdp
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
98
windows / ps_script
26
windows / registry_set
13
windows / file_event
9
windows / system
6
windows / security
4
windows / registry_event
3
windows / create_remote_thread
3
windows / image_load
3
proxy
2
webserver
2
windows / vhd
2
windows / pipe_created
2
windows / process_access
1
windows / registry_delete
1
windows / application
1
windows / registry-setinformation
1
windows / dns_query
1
windows / file_access
1
windows / file_delete
1
windows / driver_load
1
windows / network_connection
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022