New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule

Description

Date

Ref

SUSP_Encoded_Casing_Modified_CMD

Detects encoded cmde.exe strings with uncommon casing

02.07.2020

SUSP_GIF_Anomalies

Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type

02.07.2020

HKTL_PowerKatz_Jul20_1

Detects PowerKatz samples

02.07.2020

APT_MAL_RU_Zekapab_Malware_Jul20_1

Detects Zekapab samples related to APT28

02.07.2020

APT_MAL_Unknown_Agent_AUS_Campaign_Jul20_1

Detects samples allegedly related to AUS parliament hack

02.07.2020

APT_MAL_PowerKatz_AUS_Campaign_Jul20_1

Detects samples allegedly related to AUS parliament hack

02.07.2020

WEBSHELL_PerlKit_Jul20_1

Detects PerlKit webshell

01.07.2020

SUSP_AMSI_OBFUSC_ByPass_Jul20_1

Detects indicators of obfuscated AMSI bypass methods

01.07.2020

SUSP_AMSI_ByPass_Jul20_1

Detects indicators of AMSI bypass methods

01.07.2020

SUSP_OBFUSC_PowerShell_Jul20_1

Detects indicators of obfuscation used in malicious PowerShell scripts

01.07.2020

APT_MAL_Shellcode_Indicator_Jul20_1

Detects malware mentioned in ZScaler report

01.07.2020

HKTL_PY_DNSteal_Jun20_1

Detects Python Hack tool named DNSteal

30.06.2020

MAL_GoldenSpy_Jun20_1

Detects GoldenSpy malware

30.06.2020

MAL_Unknown_GS_Jun20_1

Detects malware similar to GoldenSpy malware

30.06.2020

SUSP_Explorer_Root_Defense_Evasion_Jun20_1

Detects explorer.exe command line method sometimes used to evade detection by breaking the typical process tree

29.06.2020

SUSP_Packer_Indicator_Jun20_1

Detects a suspicious packer indicator noticed in June 2020

29.06.2020

SUSP_MAL_Packer_Jun20_1

Detects byte chains only found in malware samples

29.06.2020

SUSP_MAL_Imphash_Jun20_1

Detects file with imphash found in malicious samples

29.06.2020

HKTL_MSHTA_VBS_Downloader_Jun20_1

Detects hacktool that uses MSHTA and VBS to download files

29.06.2020

HKTL_Shellcode_Encoded_Jun20_1

Detects shellcode in encoded form - often used in hacktools

29.06.2020

HKTL_Shellcode_Jun20_1

Detects shellcode - often used in hacktools

29.06.2020

HKTL_Winapiexec

Detects hacktool WinApiExec - dual use tool

29.06.2020

APT_MAL_RU_TurlaCarbon_Dropper_Jun20_1

Detects Turla Carbon dropper

29.06.2020

APT_MAL_AcidBox_Indicators_Jun20_1

Detects malware found in AcidBox cluster

29.06.2020

APT_MAL_BAT_InvisiMole_Artifacts_Jun20_4

Detects batch helper file mentioned in InvisiMole report

29.06.2020

APT_MAL_InvisiMole_Blob_Jun20_1

Detects encoded blob mentioned in InvisiMole report

29.06.2020

APT_CN_BRONZE_VINEWOOD_Artefacts_Jun20_1

Detects WinApicExec artifacts mentioned in InvisiMole report (page 16)

29.06.2020

APT_MAL_CN_BRONZE_VINEWOOD_Malware_Jun20_1

Detects BRONZE VINEWOOD malware

29.06.2020

APT_MAL_CN_BRONZE_VINEWOOD_PS1_Malware_Jun20_1

Detects BRONZE VINEWOOD PowerShell script

29.06.2020

APT_MAL_CN_BRONZE_VINEWOOD_HanaLoader_Malware_Jun20_1

Detects BRONZE VINEWOOD Hana Loader malware

29.06.2020

APT_MAL_CN_BRONZE_VINEWOOD_DropboxAES_RAT_Jun20_1

Detects BRONZE VINEWOOD DropboxAES RAT malware

29.06.2020

APT_CN_BRONZE_VINEWOOD_DropboxAES_RAT_BAT_Helper_Jun20_1

Detects BRONZE VINEWOOD DropboxAES helper file

29.06.2020

SetItem_Keyword_Casing_Anomaly

Detects obfuscated Set-Item by casing anomalies

27.06.2020

SetVariable_Keyword_Casing_Anomaly

Detects obfuscated Set-Variable by casing anomalies

27.06.2020

GetChildItem_Keyword_Casing_Anomaly

Detects obfuscated GetChildItem by casing anomalies

27.06.2020

GetBytes_Keyword_Casing_Anomaly

Detects obfuscated GetBytes by casing anomalies

27.06.2020

PS1_Char_Keyword_Casing_Anomaly

Detects obfuscated Char by casing anomalies

27.06.2020

SUSP_OBFUSC_PowerShell_Indicator_Jun20_1

Detects indicators often found in obfuscated PowerShell scripts

27.06.2020

SUSP_OBFUSC_PowerShell_True_Jun20_1

Detects indicators often found in obfuscated PowerShell scripts

27.06.2020

SUSP_OBFUSC_PS1_Bypass_Jun20_1

Detects PowerShell scripts that show signs of obfuscation

27.06.2020

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule

Average AV Detection Rate

Sample Count

SUSP_Certutil_Copy

0.0

SUSP_Shellcode_Keyword_Mar20

0.85

SUSP_LNX_Base64_Decode_CommandLine

0.97

EXPL_Office_TemplateInjection

1.91

MAL_CobaltGroup_Malware_Aug19_1

2.25

SUSP_LNK_Rundll32_AppData_Ref_Apr20_3

2.64

SUSP_Script_PS1_Deflate_Base64Decode_Jun20_1

2.79

SUSP_OBFUSC_PS1_Bypass_Jun20_1

3.5

SUSP_OBFUSC_FudBypass_Jun20_1

3.89

SUSP_Schtasks_Combo_Jan20_1

3.92

SUSP_PS1_Base64Decode_Regsvr32_Combo

4.71

SUSP_Hex_Encoded_Executable_with_Padding

4.8

SUSP_LNX_PY_Binary

4.82

SUSP_Embedded_Decoy_Doc_Sep19

4.88

128

MAL_PS1_Unknown_Apr20_1

5.0

SUSP_PowerShell_Command_SQB

5.49

SUSP_Encrypted_Excel_With_Macros

6.12

300

SUSP_OBFUSC_Kernel32_Split

6.27

SUSP_Encoded_Convert_ToInt16

6.42

SUSP_Beacon_Indicator_Jun20_1

6.58

SUSP_PostExploitation_Cmds_Aug19_1

6.67

SUSP_JS_WindowChange_Dec19

7.52

2982

SUSP_OBFUSC_PS1_Bypass_Jun20_2

7.79

MAL_PY2EXE_Downloader_May20_1

7.87

SUSP_MZ_PE_Header_Anomaly

8.39

HKTL_NET_DLL_Loader_Subtee_Aug19_1

8.89

SUSP_Encoded_Set_Alias

9.2

251

SUSP_JS_Window_MoveTo_NegativeValue

9.43

MAL_macOS_PY_Agent_Jul19_1

9.44

HKTL_BeefXSSFramework_Dec19

9.92

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule

AVs

Hash

SUSP_XORed_URL_in_EXE

21a84b93932ac435547ccff976cff7df15df01c22ac814ebdb92089542aa6277

SUSP_Administrator_Desktop_Reference

1db03bb904f87ee598b8f59dea39f9f6d94b2d8eb8a30a2fefd202958cb1515e

SUSP_Administrator_Desktop_Reference

c8cef19967cb820d5e92f85a17ebf98f631de62c9760b1eb1a790cb25961e356

SUSP_XORed_URL_in_EXE

5c33257c694a6a27614b2586b291122994ee134f41806f45bbffad18caf75989

SUSP_AutoIt_Indicators_Feb19_4

c4fbe84aa22c74cb4c92d0f04965c0775e937e987cfd2809aac7f0dc485b590a

HKTL_Veil_PS1_Nov19_1

5f6a4d762214b4dc1305901a7b918d90d8705cb3e3a7ccaaa0a464e728cc154e

SUSP_Administrator_Desktop_Reference

2485826ad6e01c5ae26b460a9152854b3a6780da46f4abbca35be5b0bd570eb3

SUSP_XORed_MSDOS_Stub_Message

c02250c6ff65ed0dea7925cce892444df4294cfbc041366d291a3e7ceab6d3e4

SUSP_Administrator_Desktop_Reference

553ee875b3fc39e67daff6b7ace6590da149818f31bc7f84bc115858d10ab4f9

HKTL_Veil_PS1_Nov19_1

f7336a1deaecec3590faac1d603b9d04f81273f6d048dae09f9071a912436f87

SUSP_XORed_URL_in_EXE

c4f7f9039cbc77019abc2254fdacc709d4149794f9050ce6bc49c55c82a0db60

HKTL_Veil_PS1_Nov19_1

f642fe73359f592d59d5c60eb3e2954db2ff3e26f633a1090052e912f99dd3c6

XMRIG_Monero_Miner

79775ef0060c471f5fa562ce4185142703da6f4fa297316c4947ff35f8c305ee

SUSP_Administrator_Desktop_Reference

3892ed500e6a4308b4f2bafa37ea69233ae249a832bc5a96369d18b6adea5539

PEFILE_Header_but_no_DOS_Header

2bef8fab4a998bb3ad7375cd3d17bd71a9d68d46d0f99362923b15f87a940a45

SUSP_JS_WindowChange_Dec19

093df1eb553d03a829503c50adf040accda6e447a9a8549c50f63070a240f1d0

SUSP_JS_WindowChange_Dec19

9c53f46cdaa29a0938fbbbb708c011be99cfe83fbc96989aa02c674416cb32e8

MAL_MetaSploit_Android_Stage_Jul19

938afd1c9b55b67bbeb6efa9657ae18a5e3b970cfe025941a6812e1c9e9b76f4

SUSP_JS_WindowChange_Dec19

64dad8c8e4c8b65a5fd23f797a792dc2ddb2a2dac6fe0a908ce910416c53b585

SUSP_Administrator_Desktop_Reference

635411fb8a81c1232977130d52f6643995799475f35d4d3ecf2c0b74c307c876

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

Tag

Count

T1136

10116

FILE

7201

EXE

5161

APT

3128

MAL

3007

HKTL

2730

DEMO

2474

T1100

1932

WEBSHELL

1901

SUSP

1555

CHINA

1099

SCRIPT

744

T1086

446

RUSSIA

422

T1027

383

MIDDLE_EAST

372

T1064

313

GEN

313

T1003

293

T1193

273

T1203

273

T1075

237

G0044

216

OBFUS

212

T1132

195

EXPLOIT

185

G0007

176

LINUX

175

T1085

163

T1097

147

Tenable Nessus

Requirement: Privileged Scan

YARA Scanning with Nessus works only when scanning with credentials (privileged scan)

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

You can only upload a single .yar file
Filesystem scan has to be activated
You have to define the target locations
The Nessus plugin ID will be 91990
Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html