Valhalla
currently serving 12318 YARA rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule | Description | Date (DD.MM.YYYY)
APT_LNK_Lazarus_Mar21_1 | Detects malicious LNK files as used by Lazarus group | 04.03.2021
SUSP_LNX_LOG_ForensicArtefacts_Activity_Gen_Mar21_ | Detects suspicious commands used by malware or threat groups to overwrite existing data (logs/passwords) | 04.03.2021
SUSP_INNUENDO_Python_Code_Executor_Mar21_1 | Detects suspicious commands used by malware or threat groups to overwrite existing data (logs/passwords) | 04.03.2021
LOG_APT_HAFNIUM_Exchange_Log_Traces_Mar21_ | Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity | 04.03.2021
MAL_Unknown_Implant_Mar21_2 | Detects samples found in an implant analysis | 04.03.2021
MAL_Unknown_Implant_Mar21_3 | Detects samples found in an implant analysis | 04.03.2021
MAL_AnitAV_Loader_Mar21_3 | Detects samples found in an implant analysis | 04.03.2021
MAL_Antiaris_Dropper_Mar21_1 | Detects Antiaris dropper | 04.03.2021
WEBSHELL_ASP_Tiny_Mar21_2 | Detects ASP Webshells | 03.03.2021
WEBSHELL_ASP_Tiny_Mar21_3 | Detects ASP Webshells | 03.03.2021
WEBSHELL_ASP_Small_Mar21_1 | Detects ASP Webshells | 03.03.2021
WEBSHELL_ASP_Small_Mar21_2 | Detects ASP Webshells - file 91d1720c0f1901e243da4c1ba989c372cc35c930e7b17f2ec52da6c875d96cd8 | 03.03.2021
WEBSHELL_NET_SpawnShell_Mar21_1 | Detects an ASPX Webshell | 03.03.2021
WEBSHELL_OBFUSC_JScript_Mar21_1 | Detects an obfuscated JScript Webshell | 03.03.2021
APT_MAL_HAFNIUM_MemoryDumper_Mar21_1 | Detects MemoryDumpers likely used by HAFNIUM group | 03.03.2021
APT_MAL_HAFNIUM_MemoryDumper_Mar21_2 | Detects MemoryDumpers likely used by HAFNIUM group | 03.03.2021
APT_MAL_HAFNIUM_MemoryDumper_Mar21_3 | Detects MemoryDumpers likely used by HAFNIUM group | 03.03.2021
APT_MAL_HAFNIUM_MemoryDumper_Mar21_4 | Detects MemoryDumpers likely used by HAFNIUM group | 03.03.2021
APT_MAL_HAFNIUM_MemoryDumper_Mar21_5 | Detects MemoryDumpers likely used by HAFNIUM group | 03.03.2021
HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine | Detects PowerShell Oneliner in Nishang's repository | 03.03.2021
WEBSHELL_ASP_Tiny_Mar21_1 | Detects ASP Webshells | 03.03.2021
APT_HAFNIUM_Forensic_Artefacts_Mar21_1 | Detects forensic artefacts found in HAFNIUM intrusions | 02.03.2021
SUSP_Tiny_RAR_Mar21_1 | Detects suspicious tiny RAR file | 02.03.2021
SUSP_Script_PS1_Indicators_Mar21_2 | Detects suspicious PowerShell script characteristics | 02.03.2021
SUSP_HtmlDecode_Keyword_Casing_Anomaly | Detects obfuscated HtmlDecode by casing anomalies | 02.03.2021
EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 | Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065 | 02.03.2021
EXPL_LOG_CVE_2021_26858_Exchange_Forensic_Artefacts_Mar21_1 | Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-26858 | 02.03.2021
HKTL_CANVAS_Framework_Implant_Mar21_1 | Detects CANVAS implants | 02.03.2021
HKTL_LNX_Shellcode_Loader_Mar21_1 | Detects unknown shellcode loader for Linux | 02.03.2021
HKTL_Alaris_Loader_Mar21_1 | Detects Alaris loaders | 02.03.2021
HKTL_NET_WireTap_Mar21_1 | Detects .NET hacktool named WireTap | 02.03.2021
MAL_RAT_Svehost_Mar21_1 | Detects unknown RAT with ME targeting | 02.03.2021
HKTL_PS1_PowerCat_Mar21 | Detects PowerCat hacktool | 02.03.2021
WEBSHELL_TINY_ASP_Chopper_Mar21_1 | Detects forensic artefacts found in HAFNIUM intrusions | 02.03.2021
SUSP_AMSI_Bypass_Keywords_Mar21_1 | Detects characteristics of AMSI bypass methods | 01.03.2021
SUSP_Payload_Keywords_Mar21_1 | Detects characteristics of loaders as observed in March 21 | 01.03.2021
SUSP_Go_Encoded_Payloads_Mar21_1 | Detects characteristics of a set of Go based loaders as observed in March 21 | 01.03.2021
APT_MAL_CN_APT31_Jian_Mar21_1 | Detects APT31 Jian malware | 01.03.2021
SUSP_Script_PS1_PE_Injection_Indicators_Mar21_1 | Detects suspicious script with keywords that indicate PE injection techniques | 01.03.2021
SUSP_Script_PS1_PE_Injection_Indicators_Mar21_2 | Detects suspicious script with keywords that indicate PE injection techniques | 01.03.2021

Successful YARA Rules in Set

This table lists the rules with the lowest average AV detection rate, i.e. the average number of AV engines that flag the samples the rule matched, so a lower value means the rule catches what AV products miss (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_Script_Autoit_Taurus_Dropper_Sep20_1 | 0.12 | 17
HKTL_PY_Loader_Feb21_2 | 1.14 | 14
EXPL_CVE_2020_0796_Keywords | 1.18 | 28
WEBSHELL_PHP_Assert_Gen_Oct20 | 2.33 | 12
MAL_JS_Gootkit_Loader_Feb21_1 | 3.13 | 46
MAL_HTML_Phishing_Dec20_1 | 7.64 | 55
HKTL_PUA_Chisel_TCP_Tunneling_Oct20_1 | 8.33 | 12
WEBSHELL_PHP_mini_Jul20 | 9.6 | 15
HKTL_ScareCrow_LoaderCharacteristics_Feb21_1 | 10.62 | 13
HKTL_PY_RevShell_Feb21_1 | 12.62 | 13
WEBSHELL_OBFUSC_Chopper_Encoded | 15.21 | 14
MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1 | 15.48 | 23
HKTL_CSharp_MSBuild_CodeExecution_Jun20 | 15.62 | 21
MAL_SFX_Dropper_Sep20_1 | 16.51 | 228
SUSP_Encoded_PowerShell_Class | 17.79 | 29
HKTL_PEzor_Packer_Oct20_1 | 17.9 | 58
HKTL_LNX_Metasploit_Shell_May20_1 | 17.92 | 12
MAL_PS1_Unknown_Apr20_1 | 18.06 | 84
HKTL_Empire_Stager_Jul20_1 | 18.94 | 31
HKTL_JS_OBFUSC_Loader_Indicators_Oct20_1 | 19.01 | 133
MAL_LNX_SH_SaltStack_Campaigns_May20_1 | 19.93 | 14
HKTL_VBA_ShellCode_Loader_Jan21_1 | 20.45 | 29
HKTL_Go_Shellcode_Loader_Apr20_1 | 20.58 | 12
HKTL_Empire_Agent_inMemory_Jul20_1 | 20.95 | 44
HKTL_CobaltStrike_PowerShell_Loader_Oct20_1 | 22.0 | 23
HKTL_MSF_Keywords_Jul20_1 | 22.19 | 16
HKTL_PrintSpoofer_Jun20_1 | 22.55 | 11
HKTL_PS1_CobaltStrike_PowerShell_Loader_Dec20_1 | 22.82 | 28
HKTL_PS1_DLL_Loader_Dec20_1 | 24.1 | 59
HKTL_Beacon_Analysis_Oct20_2 | 27.65 | 23

Latest Matches with Low AV Detection Rate

This table lists the most recent matches on samples with a low AV detection rate (flagged by 0 to 15 AV engines); a sample matched by several rules appears once per rule

Rule | AVs | Hash (SHA-256)
Recon_Commands_Windows_Gen1 | 8 | e6d983ce29cb6ab53a85d53bc1452f5afb15864c9b8360bb13d09814e1d9d669
APT_EpicTurla_DiscoveryBatch | 8 | e6d983ce29cb6ab53a85d53bc1452f5afb15864c9b8360bb13d09814e1d9d669
HKTL_Procdump_BAT | 8 | e6d983ce29cb6ab53a85d53bc1452f5afb15864c9b8360bb13d09814e1d9d669
HKTL_Keyword_InjectDLL | 1 | 9e66103e2e42b554ef1d8a9efec4a20cfd40a24ea000bf5a2c5df6baa4088c37
HKTL_JS_OBFUSC_Loader_Indicators_Oct20_1 | 2 | 75580b8b18ecd77f10083222cb5e6c6dabe066a9e5585fe4dbd7b5e8d4242b01
Disclosed_0day_POCs_injector | 10 | 8cf2f9be018821de6c5a70e409041de2aaaa7590ac871298f97c9d8e9e19fe4d
WEBSHELL_Small_JScript_Oct20_1 | 5 | 471f02b716ef50872dea69194d98fa6e297918682c2e5095a35f8af5276e3e38
HKTL_PS1_Hacktool_Indicator_Feb20_1 | 1 | a0de5f72382c8c69c980d3a6cef40afacc7f970160ec222cb9b4e3c0b7bfa1f5
HKTL_ADRecon_Jul20 | 1 | a0de5f72382c8c69c980d3a6cef40afacc7f970160ec222cb9b4e3c0b7bfa1f5
APT_WEBSHELL_HAFNIUM_Chopper_WebShell | 7 | 4db73fd2ace1f29b14d0d36fb19cf619fb571371ba37f366ee7b55aa755d07b5
APT_DarkHydrus_Jul18_4 | 10 | 9cfd69c00dba0567b6aaca00a6d171e184ad4b220132d3d3e013013d67c3f478
MAL_Unknown_PWDumper_Apr18_3 | 11 | 58bcd372108a24b4922be64324c968bb21d98033f8f051e349e0125dae66c65e
MAL_Unknown_Loader_Mar20_1 | 11 | 58bcd372108a24b4922be64324c968bb21d98033f8f051e349e0125dae66c65e
WEBSHELL_suspEval_Mar20 | 7 | 6d14d439ad9463f74a2e63d2dee128f7f674f0c89c668ab7b00ed86b3a780bf9
webshell_php_generic_eval | 4 | 686325954ce89149b420e68a11115735d3ef27f4b423d7d9ce83aafbd91e9c87
APT_WEBSHELL_HAFNIUM_Chopper_WebShell | 8 | 8a4169b608fcf01b7b70b5a1d50220b9d6d65ec07affe1083a76ee6b043558a0
APT_WEBSHELL_HAFNIUM_Chopper_WebShell | 8 | 8637860ec236ba7a672c3067909e336b716dada9efe149589793f05958862f4a
MAL_Unknown_Loader_Mar20_1 | 13 | 26f5308cb4dd17d25d97e80e2c31bf7c2cc9d3a00677fe7a4a7cc0558507732a
MAL_Unknown_PWDumper_Apr18_3 | 13 | 26f5308cb4dd17d25d97e80e2c31bf7c2cc9d3a00677fe7a4a7cc0558507732a
MAL_HKTL_RemoteAdmin_RMS_Dec20_1 | 2 | 079d3033b2512d9cb531615eca3befb355b5d442eb45244020cb57eecd6c51f6

Rules Per Category

This list shows the number of rules in each subscribable category; the counts overlap and add up to more than the total, because a rule can belong to several categories

Tag | Count
APT | 3518
Malware | 3003
Hacktools | 2844
Webshells | 1982
Threat Hunting | 1900
Exploits | 215

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only in a credentialed (privileged) scan, because the plugin has to read the files on the target's filesystem
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • Only a single .yar file can be uploaded, so rules from several category downloads have to be merged into one file
  • The filesystem scan has to be activated in the scan policy
  • You have to define the target locations (the directories the plugin should walk)
  • Findings are reported under Nessus plugin ID 91990
  • Only files with the following extensions are scanned; files with any other extension, or with none (e.g. most log files), are skipped: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cpl, .csh, .dll, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xlsx
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
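Because Nessus takes a single .yar file while the rules are downloaded per category, the files have to be merged before upload, and a naive concatenation breaks as soon as two files define the same rule name (YARA refuses to compile duplicate identifiers). The Python script below is an added example, not Nessus or Valhalla code: it merges several rule sources into one file, hoists and deduplicates import statements, keeps the first definition of every rule name and reports the dropped duplicates, and checks whether a path carries an extension the plugin scans at all. The two rule sources are constructed for the demonstration; the extension set copies the plugin list above, where the spellings .cpl, .dll, .ps1xml, .ps2xml and .xlsx are assumed for entries that looked truncated.

```python
"""Merge several YARA rule files into the single .yar file Nessus accepts.

Added example, not Nessus or Valhalla code. The sample rule sources at the
bottom are constructed for the demonstration.
"""
import re
from pathlib import Path

# Extensions scanned by the Nessus YARA plugin, as listed on this page.
# Assumption: the truncated entries are .cpl, .dll, .ps1xml, .ps2xml, .xlsx.
NESSUS_SCANNED_EXTENSIONS = frozenset({
    ".application", ".asp", ".aspx", ".bat", ".chm", ".class", ".cmd", ".com",
    ".cpl", ".csh", ".dll", ".doc", ".docx", ".drv", ".exe", ".gadget", ".hta",
    ".inf", ".ins", ".inx", ".isu", ".jar", ".job", ".jpeg", ".jpg", ".js",
    ".jse", ".jsp", ".lnk", ".msc", ".msi", ".msp", ".mst", ".paf", ".pdf",
    ".php", ".pif", ".ppt", ".pptx", ".ps1", ".ps1xml", ".ps2", ".ps2xml",
    ".psc1", ".psc2", ".reg", ".rgs", ".scf", ".scr", ".sct", ".shb", ".shs",
    ".swf", ".sys", ".u3p", ".vb", ".vbe", ".vbs", ".vbscript", ".ws", ".wsf",
    ".xls", ".xlsx",
})

# Rule header at the start of a line: optional private/global modifiers, then
# 'rule <identifier>'. Files are sliced header-to-header, so a line inside a
# block comment that itself starts with 'rule ' would be misread as a header.
RULE_HEADER_RE = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)", re.M)
IMPORT_LINE_RE = re.compile(r'^[ \t]*import[ \t]+"([^"]+)"')


def split_rules(text):
    """Yield (rule_name, rule_source) for every rule in one YARA file."""
    heads = list(RULE_HEADER_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        lines = text[head.start():end].splitlines()
        # Imports are hoisted to the top of the merged file, so drop them here.
        body = "\n".join(l for l in lines if not IMPORT_LINE_RE.match(l))
        yield head.group(1), body.strip() + "\n"


def merge_rule_sets(sources):
    """Merge {label: yara_source} into one file.

    Returns (merged_source, report). The first definition of a rule name wins;
    later duplicates are dropped and listed in report["skipped"] as
    (name, dropped_from, kept_from). Text before the first rule of a file
    (header comments) is not carried over.
    """
    imports, first_seen, blocks, skipped = [], {}, [], []
    for label, text in sources.items():
        for line in text.splitlines():
            m = IMPORT_LINE_RE.match(line)
            if m and m.group(1) not in imports:
                imports.append(m.group(1))
        for name, block in split_rules(text):
            if name in first_seen:
                skipped.append((name, label, first_seen[name]))
                continue
            first_seen[name] = label
            blocks.append(block)
    header = "".join(f'import "{mod}"\n' for mod in imports)
    merged = (header + "\n" if header else "") + "\n".join(blocks)
    return merged, {"rules": len(blocks), "imports": imports, "skipped": skipped}


def nessus_will_scan(path):
    """True if the plugin would open this file at all (extension check only)."""
    return Path(path).suffix.lower() in NESSUS_SCANNED_EXTENSIONS


# Constructed sample inputs standing in for two downloaded category files.
SAMPLE_SOURCES = {
    "valhalla_apt.yar": (
        'import "pe"\n'
        '\n'
        'rule APT_Sample_Mar21_1 {\n'
        '    strings:\n'
        '        $s1 = "constructed-sample-string"\n'
        '    condition:\n'
        '        uint16(0) == 0x5a4d and $s1\n'
        '}\n'
        '\n'
        'rule SUSP_Shared_Name {\n'
        '    condition: filesize < 200KB\n'
        '}\n'
    ),
    "valhalla_webshells.yar": (
        'import "pe"\n'
        'import "math"\n'
        '\n'
        'rule SUSP_Shared_Name {\n'
        '    condition: filesize < 100KB\n'
        '}\n'
        '\n'
        'private rule WEBSHELL_Sample_Mar21_1 {\n'
        '    strings:\n'
        '        $a = "eval(Request" ascii\n'
        '    condition:\n'
        '        $a\n'
        '}\n'
    ),
}

if __name__ == "__main__":
    merged, report = merge_rule_sets(SAMPLE_SOURCES)
    Path("nessus_rules.yar").write_text(merged)
    print(f"wrote {report['rules']} rules, imports={report['imports']}")
    for name, dropped_from, kept_from in report["skipped"]:
        print(f"dropped duplicate {name} from {dropped_from} (kept {kept_from})")
    for p in ("C:/inetpub/wwwroot/aspnet_client/x.aspx", "/var/log/httpd/access_log"):
        print(p, "scanned" if nessus_will_scan(p) else "NOT scanned by the plugin")
```

Replace SAMPLE_SOURCES with the contents of the downloaded category files and upload the resulting nessus_rules.yar; the dropped-duplicate report is worth reading, because a skipped rule that another rule references by name will still fail compilation and must be resolved by hand. The extension check is the practical caveat: log-based rules such as the HAFNIUM Exchange log rules above cannot fire from a Nessus scan, since the plugin never opens files outside that extension list.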

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html