New YARA Rules per Day (chart)
Newest YARA Rules
This table shows the newest additions to the rule set (dates are given as DD.MM.YYYY).

| Rule | Description | Date |
|---|---|---|
| HKTL_Empire_Payload_Gen_Dec19_1 | Detects Empire payloads - from files x64_slim.dll, x86_slim.dll | 09.12.2019 |
| APT_MAL_JS_Code_Dec19_1 | Detects Berserk Bear watering hole JS content in HTML | 05.12.2019 |
Successful YARA Rules in Set
This table shows the rules that were most successful at catching samples the AV industry misses: rules created in the last 12 months with the lowest average AV detection on their matches of the last 14 days. The detection value is the average number of AV engines that flagged the matched samples, and the sample count is the number of matched samples the average is computed over.

| Rule | Average AV Detection (engines) | Sample Count |
|---|---|---|
| Casing_Anomaly_ExecuteRequest | 0.04 | 24 |
| SUSP_PS_Base64_CWB_String | 0.06 | 36 |
| SUSP_LNX_Base64_Decode_CommandLine | 1.44 | 18 |
| SUSP_SwearWord_in_Code | 1.89 | 83 |
| SUSP_Netsh_PortProxy_Command | 2.75 | 12 |
| SUSP_Linux_Hacktool_Keywords_SCTEST | 4.74 | 19 |
| SUSP_Base64_Encoded_C_Powershell | 5.89 | 44 |
| MAL_NET_MeterPreter_Payload_1 | 6.36 | 11 |
| SUSP_Embedded_Decoy_Doc_Sep19 | 7.44 | 25 |
| SUSP_PS2EXE_PowerShell2Exe_2 | 9.41 | 27 |
| SUSP_JS_StartupFolder_Ref | 9.41 | 17 |
| SUSP_Encoded_StartSleep | 9.55 | 11 |
| SUSP_PHP_Obfuscation_GZ_Base64 | 9.82 | 11 |
| SUSP_Base64_Encoded_Hex_Encoded_Code | 9.86 | 14 |
| SUSP_JS_ChrW_Obfuscation | 11.06 | 18 |
| SUSP_CryptoObfuscator | 11.42 | 24 |
| SUSP_JS_Run_Chr_Code | 11.86 | 21 |
| SUSP_Encoded_VBE | 12.14 | 37 |
| SUSP_Base64_Encoded_AppData | 12.52 | 23 |
| MAL_macOS_PY_Agent_Jul19_1 | 12.68 | 38 |
| SUSP_JS_Obfuscation_Oct19_1 | 12.73 | 1421 |
| SUSP_JS_Window_MoveTo_NegativeValue | 12.87 | 15 |
| SUSP_Go_ShellCode_Indicator | 13.0 | 11 |
| SUSP_ANOMALY_Calc_Strings | 13.02 | 54 |
| SUSP_Encoded_IO_Decompress | 13.92 | 38 |
| SUSP_PS1_Obfuscated_Payload_Feb19_1 | 14.58 | 24 |
| SUSP_PDB_Path_Keywords | 14.62 | 21 |
| SUSP_Encoded_IEX_1 | 14.74 | 34 |
| SUSP_Base64_Encoded_W_Hidden | 14.75 | 85 |
| SUSP_RAR_with_PDF_Script_Obfuscation | 14.77 | 53 |
Latest Matches with Low AV Detection Rate
This table lists the latest rule matches with a low AV detection rate (between 0 and 15 AV engines flagged the sample). A sample that triggers more than one rule appears once per rule; the hash is the sample's SHA-256.

| Rule | AVs | Hash (SHA-256) |
|---|---|---|
| SUSP_AutoIt_CompScript_NET_Combo | 7 | 825530f094186924b2d607b910ce1d5e3d207b4eb73d6bcdc15c23ad5c3c7877 |
| SUSP_AutoIt_Malware_Indicator_1 | 7 | 825530f094186924b2d607b910ce1d5e3d207b4eb73d6bcdc15c23ad5c3c7877 |
| SUSP_Base64_Encoded_AppDataLocal | 10 | bd2b00425cf42c6b76df71992d70cb0960f8ccde87acf245b279d2c3262d6ac5 |
| SUSP_AutoIt_Malware_Indicator_1 | 8 | bf28faec4212d794a822465a02bf01a5fd20f643aae0acfbdf01d3dc8e3d80aa |
| SUSP_Base64_Encoded_AppDataLocal | 10 | c65e6180402a48f93b7521e20190705f562b55da2b2791d48f6f47ed95e9733d |
| SUSP_AutoIt_CompScript_NET_Combo | 10 | 311c360f00f642a4b184c9067fd3debb5ebc593bb93fd43410738d947e9f21ca |
| SUSP_AutoIt_Malware_Indicator_1 | 10 | 311c360f00f642a4b184c9067fd3debb5ebc593bb93fd43410738d947e9f21ca |
| SUSP_VBA_Project_Keyword_Feb19_1 | 9 | 564594b78d061705b840edc6419bf24cce9f9f6ac3912369d64cecca2fba6182 |
| SUSP_Base64_Encoded_PowerShellCommand | 9 | 564594b78d061705b840edc6419bf24cce9f9f6ac3912369d64cecca2fba6182 |
Top Tags in YARA Rule Set
This list shows the most frequently used tags in our database; the tags are also the basis of the subscribable categories. Tags of the form T#### are MITRE ATT&CK technique IDs.

| Tag | Count |
|---|---|
| FILE | 6337 |
| EXE | 4564 |
| APT | 2717 |
| MAL | 2700 |
| DEMO | 2442 |
| HKTL | 2418 |
| T1100 | 1814 |
| WEBSHELL | 1790 |
| SUSP | 1256 |
| CHINA | 1012 |
| SCRIPT | 648 |
| RUSSIA | 408 |
| T1086 | 349 |
| MIDDLE_EAST | 343 |
| T1064 | 308 |
| T1027 | 308 |
| GEN | 305 |
| T1003 | 271 |
| T1193 | 250 |
| T1203 | 250 |
| T1075 | 197 |
| T1132 | 158 |
| OBFUS | 157 |
| T1085 | 150 |
| EXPLOIT | 148 |
| LINUX | 144 |
| T1178 | 134 |
| T1097 | 134 |
| METASPLOIT | 112 |
| T1050 | 110 |
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only in a credentialed (privileged) scan; without credentials the scanner cannot read the target's file system.
YARA Scanning with Nessus
- Only a single .yar file can be uploaded, so a multi-file rule set has to be merged into one file first.
- The filesystem scan has to be activated.
- The target locations (the directories to be scanned) have to be defined.
- Findings are reported under Nessus plugin ID 91990.
- Only files with the following extensions are scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
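Because Nessus accepts exactly one .yar file, a rule set spread over several files has to be concatenated before upload, and the merged file will fail to compile if two source files declare the same rule name. The following script is an added example (not Nextron's or Tenable's code) that merges several rule sources into one file, hoists `import` statements so each module is imported once, and reports duplicate rule names instead of silently producing an unusable upload. The rule sources in `DEMO_SOURCES`, including their names and bodies, are constructed for the demonstration and are not rules from the feed.

```python
"""Merge YARA rule files into the single .yar file a Nessus scan accepts."""
import re
import sys
from typing import Dict, List, Tuple

# A top-level rule declaration: optional 'private'/'global' modifiers, the
# keyword 'rule', then the identifier. Tags after ':' are not needed here.
RULE_DECL = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)', re.M)
IMPORT_DECL = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.M)


def _strip_comments(text: str) -> str:
    """Remove /* */ and // comments so a rule name mentioned in a comment
    is not mistaken for a declaration. Only used for detection, never for output."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'//[^\n]*', '', text)


def rule_names(source: str) -> List[str]:
    """Return the rule identifiers declared in a YARA source, in order."""
    return RULE_DECL.findall(_strip_comments(source))


def merge_yara_sources(sources: Dict[str, str]) -> Tuple[str, List[str]]:
    """Concatenate {filename: source} into one file.

    Returns (merged_text, duplicates). Imports are collected once at the top;
    every rule body is kept so the caller can see the conflict, but the result
    must not be uploaded while 'duplicates' is non-empty."""
    seen: Dict[str, str] = {}
    duplicates: List[str] = []
    imports: List[str] = []
    bodies: List[str] = []
    for filename, text in sources.items():
        for module in IMPORT_DECL.findall(text):
            if module not in imports:
                imports.append(module)
        body = IMPORT_DECL.sub('', text).strip()
        for name in rule_names(body):
            if name in seen:
                duplicates.append(f"{name} ({seen[name]} and {filename})")
            else:
                seen[name] = filename
        bodies.append(f"// ---- from {filename} ----\n{body}")
    header = "\n".join(f'import "{m}"' for m in imports)
    merged = (header + "\n\n" if header else "") + "\n\n".join(bodies) + "\n"
    return merged, duplicates


# Constructed demo input (hypothetical file names and rule names): two files
# import the same module and two files declare the same rule name.
DEMO_SOURCES = {
    "hacktools.yar": '''import "pe"

rule Demo_Hacktool_Keyword {
    meta:
        description = "constructed demo rule"
    strings:
        $s1 = "mimikatz" ascii nocase
    condition:
        uint16(0) == 0x5a4d and $s1
}
''',
    "webshells.yar": '''rule Demo_PHP_Eval_Base64 {
    strings:
        $a = "eval(base64_decode(" ascii
    condition:
        $a
}

/* rule Demo_Commented_Out only appears inside this comment */
''',
    "local.yar": '''import "pe"

rule Demo_Hacktool_Keyword {
    condition:
        false
}
''',
}

if __name__ == "__main__":
    merged, dups = merge_yara_sources(DEMO_SOURCES)
    if dups:
        print("refusing to write upload file, duplicate rule names:", file=sys.stderr)
        for d in dups:
            print("  " + d, file=sys.stderr)
        sys.exit(1)
    with open("nessus_upload.yar", "w", encoding="utf-8") as fh:
        fh.write(merged)
```

In practice, point the script at the real rule files (for example by reading each `*.yar` into the `sources` dict), rename or drop the conflicting rule, and compile the merged file once with `yara` or `yarac` before uploading it, since name collisions are only one of the reasons a concatenated file can fail to compile.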