currently serving 20706 YARA rules and 3672 Sigma rules
New Rules per Day (chart)

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
SUSP_SimpleHelp_Remote_Access_Client_HTTP_IP_Config_May24 | Detects the remote admin tool SimpleHelp Remote Access Client with a configuration that uses HTTP and an IP address instead of a domain name (very suspicious and often used by the MuddyWater threat actor) | 23.05.2024
PUA_SUSP_SimpleHelp_Remote_Access_Client_May24 | Detects the remote admin tool SimpleHelp Remote Access Client, which could be used for legitimate purposes but can also be abused by attackers | 23.05.2024
SUSP_Curl_HTTP_IP_May24_1 | Detects suspicious usage of curl to download files from HTTP (not SSL/TLS protected) web servers using IP addresses | 23.05.2024
SUSP_Lasagne_Flag_Combination_May24_1 | Detects a suspicious command line flag combination often found in relation to Lasagne.exe usage | 23.05.2024
SUSP_PingCastle_Usage_May24_1 | Detects suspicious usage of PingCastle often found in attacker scripts | 23.05.2024
MAL_Unknown_Agent_May24_1 | Detects a suspicious DLL file identified by various AV vendors | 23.05.2024
SUSP_Dropper_Characteristics_May24_1 | Detects suspicious characteristics often found in droppers | 23.05.2024
SUSP_Base64_Encoded_Content_MIME_Type_DNS_May24_1 | Detects a suspicious encoded content type statement with type DNS-Message as often found in various droppers | 23.05.2024
SUSP_EXPL_FortiSIEM_CVE_2023_34992_May24 | Detects potential exploitation of CVE-2023-34992 - Fortinet FortiSIEM Command Injection | 22.05.2024
SUSP_PDF_Payload_May24_1 | Detects suspicious content in PDF documents that indicates code that is likely to be executed | 21.05.2024
SUSP_PY_Payload_May24_1 | Detects suspicious content in Python scripts | 21.05.2024
MAL_Enc_Dora_RAT_May24 | Detects encrypted Dora RAT, related to the Andariel group | 19.05.2024
MAL_Dora_RAT_May24 | Detects Dora RAT, related to the Andariel group | 19.05.2024
MAL_Keylogger_May24 | Detects a keylogger, related to the Andariel group | 19.05.2024
HKTL_HellMaker_May24 | Detects HellMaker, a tool for generating fully undetectable malware | 17.05.2024
APT_MAL_LunarMail_Backdoor_May24 | Detects the LunarMail backdoor, related to Turla APT | 17.05.2024
APT_MAL_LunarWeb_Backdoor_May24 | Detects the LunarWeb backdoor, related to Turla APT | 17.05.2024
MAL_Mallox_May24 | Detects Mallox ransomware | 17.05.2024
MAL_Suspicious_Implant_May24_1 | Detects a suspicious old implant noticed on VirusTotal | 16.05.2024
SUSP_ZIP_LNK_XLL_DSSTORE_May42_1 | Detects suspicious characteristics found in phishing documents that use .lnk files and .xll files in a hidden folder | 14.05.2024
SUSP_LNK_Env_AppData_May42_1 | Detects suspicious link files with a relative reference to Env:Appdata | 14.05.2024
SUSP_LNK_PS1_Content_May42_1 | Detects suspicious link files with PowerShell content | 14.05.2024
SUSP_LNK_AppData_Excel_May42_1 | Detects suspicious link files with a relative reference to Microsoft Excel XLSSTART | 14.05.2024
SUSP_LNK_Conhost_May42_1 | Detects suspicious link files with a relative reference to conhost.exe | 14.05.2024
HKTL_MAL_Kaptoxa_May24 | Detects Kaptoxa, a command line tool to find credit card data and other patterns within a process memory address space | 14.05.2024
MAL_Brbbot_May24 | Detects brbbot | 14.05.2024
MAL_PS1_May24 | Detects a PowerShell script that downloads a payload and is responsible for creating persistence in the startup folder | 13.05.2024
WEBSHELL_Hanshell_May24 | Detects Hanshell, an ASP.NET web shell that abuses leaked token handles | 10.05.2024
MAL_Guptiminer_Apr24 | Detects malware from different campaigns related to GuptiMiner that distribute backdoors within big corporate networks | 10.05.2024
MAL_Guptiminer_PDB_Apr24 | Detects malware from different campaigns related to GuptiMiner that distribute backdoors within big corporate networks | 10.05.2024

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash
SUSP_BAT_OBFUSC_Apr23_1 | 4 | b49a6b165d8eeb7f2592d36431e7a614e703c5c777176f90dd134f342bb76f42
SUSP_BAT_OBFUSC_Apr23_4 | 4 | b49a6b165d8eeb7f2592d36431e7a614e703c5c777176f90dd134f342bb76f42
SUSP_OBF_VMProtect_Jan24 | 2 | 2ed5bc678b74a5f96a86a4c3853b27724c690f7e218c5f186df4a969e9b9c18c
SUSP_BAT_OBFUSC_ENV_Obfuscation_Apr21_1 | 3 | 9a65134663ec8f3918f543e66c3433ee391ad4457c7b13b4e1ab091b3dec6596
SUSP_BatchEncryption_Obfusctor | 3 | 9a65134663ec8f3918f543e66c3433ee391ad4457c7b13b4e1ab091b3dec6596
SUSP_Env_Var_Obfuscation | 3 | 9a65134663ec8f3918f543e66c3433ee391ad4457c7b13b4e1ab091b3dec6596
SUSP_Env_Variable_Substring_Obfuscation_Sep20_1 | 3 | 9a65134663ec8f3918f543e66c3433ee391ad4457c7b13b4e1ab091b3dec6596
SUSP_EnvVar_Substring_Extraction | 3 | 9a65134663ec8f3918f543e66c3433ee391ad4457c7b13b4e1ab091b3dec6596
SUSP_Defender_Exclusion_Aug21 | 3 | 875ad40e0f7d57d41f8eb56ecd83a757632ffb669917f36b29c3770ee8f1b6b8
SUSP_PS1_Cmdlet_Defender_Exclusion_Apr21_1 | 3 | 875ad40e0f7d57d41f8eb56ecd83a757632ffb669917f36b29c3770ee8f1b6b8
SUSP_Wextract_Anomaly_Unsigned_May23 | 1 | 74ea62c98a3f5e218b75521d41d56454dd169c8f1bebe5150394890c0ce72e02
SUSP_OBF_VMProtect_Jan24 | 1 | 2ec31763a3b90795d1a9fb3f50d730fcb462c9bfd003377e73ba2b787f356027
SUSP_Wextract_Anomaly_Unsigned_May23 | 3 | 04fabec60d681d45bef1a9e1139db69680b08bf769ab102b41083326afbf8412
SUSP_Small_ISO_Image_PE_Marker_Jan22 | 2 | 7a7026e4e6730a34258a027e17cfec112ad4f1ef0d54a94441a590201f351d10
SUSP_IMG_Small_Exe_Content_Apr21 | 2 | 7a7026e4e6730a34258a027e17cfec112ad4f1ef0d54a94441a590201f351d10
SUSP_Wextract_Anomaly_Unsigned_May23 | 3 | 5a5ad00608537c1b3d306aa2bb2675b9892f7f4651d215c49695b67275b670c8
SUSP_BAT_RaspberryRobin_May23 | 14 | 6e5a0fe9e8488c838c0f5efd39b41a131a0b329f220f8c469277e02eb4f3abed
Casing_Anomaly_ComputerName | 14 | 6e5a0fe9e8488c838c0f5efd39b41a131a0b329f220f8c469277e02eb4f3abed
SUSP_Wextract_Anomaly_Unsigned_May23 | 2 | dabc05939bac52c7e39a7a062f2b511d27ad5cf1ef8250f083817ac23a52d09f
SUSP_Wextract_Anomaly_Unsigned_May23 | 1 | fc3bfab3ffa251bbce92e96ca381c7df1206c1b034348af2515a89ec7cc2de43

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag | Count
Malware | 6065
Threat Hunting (not subscribable, only in THOR scanner) | 4961
APT | 4820
Hacktools | 4467
Webshells | 2310
Exploits | 621

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Uncommon File System Load Attempt By Format.com - ImageLoad | Detects the load of uncommon file system DLLs by the "format.com" utility. An attacker can point "format.com" to load any DLL using the "/FS" flag. | 13.05.2024
Keyboard Layout - Scancode Map Modification - Registry | Detects setting of the "Scancode Map" registry value. This value allows a user to customize and map keyboard keys to different values. Ransomware was seen using this technique in order to prevent the user from interacting with the machine during the encryption process. | 07.05.2024
Keyboard Layout - Scancode Map Modification - CommandLine | Detects setting of the "Scancode Map" registry value via command line. This value allows a user to customize and map keyboard keys to different values. Ransomware was seen using this technique in order to prevent the user from interacting with the machine during the encryption process. | 03.05.2024
Remote Access Tool - HopToDesk Silent Installation | Detects installation of HopToDesk.EXE with the silent flag. HopToDesk is a free remote desktop tool allowing users to share their screen and allow remote control access to their computers and devices. It was seen being abused by ransomware threat actors in order to deploy and execute malware remotely. | 03.05.2024
Renamed HopToDesk.EXE Execution | Detects the execution of a renamed version of HopToDesk.EXE. HopToDesk is a free remote desktop tool allowing users to share their screen and allow remote control access to their computers and devices. It was seen being abused by ransomware threat actors in order to deploy and execute malware remotely. | 03.05.2024
Local Command Proxy Execution Via Winrs.EXE | Detects the execution of a local command via "winrs.exe" using the WinRM service. An attacker can enable the WinRM service locally and start to proxy commands on the system through "winrshost.exe". This form of execution can be used as a living off the land binary in order to potentially bypass application whitelisting. | 03.05.2024
Remote Command Execution Via Winrs.EXE | Detects the execution of a remote command via "winrs.exe" using the WinRM service. | 03.05.2024
Potential Lateral Movement Via Windows Remote Management (WinRM) | Detects a child process of "winrshost.exe". This indicates remote execution via Windows Remote Management (WinRM) and could be a sign of potential lateral movement activity. | 03.05.2024
Potential Lateral Movement Via Windows Remote Management (WinRM) - Suspicious Process Tree | Detects a suspicious process tree of "winrshost.exe". This indicates remote execution via Windows Remote Management (WinRM) and could be a sign of potential lateral movement activity. | 03.05.2024
Suspicious Process Tree Execution Via PDQDeployRunner | Detects suspicious child processes executed via "PDQDeployRunner". PDQDeployRunner is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines. Threats such as Avos Locker were seen abusing RMM utilities in order to execute commands remotely. | 02.05.2024
Potential Suspicious Tampering With Built-In Environment Variables Via Setx.EXE | Detects execution of the "setx.exe" utility in order to modify the value of built-in environment variables to uncommon values. Attackers were seen modifying environment variables to different values in order to trick programs leveraging them into loading or executing different things. This utility allows for the creation or modification of environment variables in the user or system environment, without requiring programming or scripting. The Setx command also retrieves the values of registry keys and writes them to text files. | 02.05.2024
Setting Environment Variables Via Setx.EXE | Detects execution of the "setx.exe" utility. This utility allows for the creation or modification of environment variables in the user or system environment, without requiring programming or scripting. The Setx command also retrieves the values of registry keys and writes them to text files. | 02.05.2024
Setting Environment Variables From Registry Data Via Setx.EXE | Detects execution of the "setx.exe" utility in order to set an environment variable with a value read from the registry. While this might be common in certain environments, attackers might leverage this in order to read registry content in a sneaky way. This utility allows for the creation or modification of environment variables in the user or system environment, without requiring programming or scripting. The Setx command also retrieves the values of registry keys and writes them to text files. | 02.05.2024
Configure Potentially Suspicious Failure Command For Service Via Sc.EXE | Detects the execution of the "sc.exe" utility with the "failure" flag in order to configure a failure command to be executed. Attackers might configure a specific command or script to be executed when a service fails to start in order to keep persistence on a machine. | 29.04.2024
Lock Windows Service Control Manager Database Via Sc.EXE | Detects the execution of the "sc.exe" utility with the "lock" flag in order to lock the Service Control Manager database. Locking the Service Control Manager's database prevents any services from starting. This makes sure that a service will not be started after it has been stopped. This can enable attackers to perform an action (for example, deleting the service) without interference. | 29.04.2024
Pause Windows Service Via Sc.EXE | Detects the execution of the "sc.exe" utility with the "pause" flag. This flag allows a user to send a PAUSE control request to a service. Not all services can be paused, and those that can do not all behave the same way when paused. Some services continue to service existing clients but refuse to accept new clients. Others cease to service existing clients and also refuse to accept new clients. | 29.04.2024
Potentially Suspicious Download From GoogleDrive Link Via CommandLine | Detects CommandLine strings referencing Google Drive links with download options and no antivirus scanning. Attackers might use Google Drive in order to host malicious payloads and then later download them via command line utilities. | 29.04.2024
Suspicious CMD Shell Output Redirect | Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. | 29.04.2024
Configure Failure Action For Service Via Sc.EXE | Detects the execution of the "sc.exe" utility with the "failure" flag in order to configure a failure action or command to be executed. Attackers might configure a specific service failure action or command in order to keep persistence on a machine. | 29.04.2024
Creation of a New Firewall Rule Via New-NetFirewallRule Cmdlet | Detects the execution of "New-NetFirewallRule" to create a new inbound or outbound firewall rule. | 29.04.2024
Windows Default Shell Changed | Detects changes to the default Windows shell. | 29.04.2024
Creation of a New Firewall Rule Via New-NetFirewallRule Cmdlet - ScriptBlock | Detects the execution of "New-NetFirewallRule" to create a new inbound or outbound firewall rule. | 29.04.2024
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process | Detects a potentially suspicious child process of the SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094. | 01.04.2024
Certificate-Based Authentication Enabled | Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant. | 26.03.2024
New Root Certificate Authority Added | Detects a newly added root certificate authority in an AzureAD tenant to support certificate-based authentication. | 26.03.2024
Deployment Deleted From Kubernetes Cluster | Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. | 26.03.2024
Potential Remote Command Execution In Pod Container | Detects attempts to execute remote commands within a Pod's container, e.g. using the "kubectl exec" command. | 26.03.2024
Creation Of Pod In System Namespace | Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers. | 26.03.2024
Kubernetes Events Deleted | Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection. | 26.03.2024
Privileged Container Deployed | Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields. | 26.03.2024

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2966 | 17740
Sigma | 3204 | 468

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1206
windows / registry_set | 187
windows / file_event | 182
windows / ps_script | 163
windows / security | 153
linux / process_creation | 108
windows / image_load | 97
webserver | 78
windows / system | 72
macos / process_creation | 56
proxy | 51
linux / auditd | 49
windows / network_connection | 45
azure / activitylogs | 43
windows / registry_event | 38
aws / cloudtrail | 35
azure / auditlogs | 35
windows / ps_module | 32
windows / application | 28
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
windows / dns_query | 20
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 12
cisco / aaa | 12
windows / file_delete | 12
windows / ps_classic_start | 10
kubernetes / application / audit | 10
windows / driver_load | 10
github / audit | 10
windows / codeintegrity-operational | 10
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / msexchange-management | 8
dns | 8
antivirus | 7
windows / firewall-as | 7
azure / pim | 7
windows / appxdeployment-server | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
zeek / smb_files | 7
windows / file_access | 6
windows / registry_delete | 6
windows / dns-client | 5
jvm / application | 5
windows / taskscheduler | 4
zeek / dce_rpc | 4
zeek / dns | 4
windows / sysmon | 4
windows / wmi_event | 3
linux / network_connection | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
zeek / http | 3
windows / dns-server | 2
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
windows / file_change | 2
windows / security-mitigations | 2
firewall | 2
linux / syslog | 2
spring / application | 2
m365 / audit | 2
sql / application | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / sysmon_status | 1
zeek / kerberos | 1
windows | 1
windows / dns-server-analytic | 1
database | 1
windows / printservice-admin | 1
windows / driver-framework | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
nginx | 1
windows / lsa-server | 1
fortios / sslvpnd | 1
netflow | 1
cisco / bgp | 1
cisco / syslog | 1
linux / auth | 1
cisco / ldp | 1
windows / ldap | 1
windows / smbclient-connectivity | 1
linux / guacamole | 1
windows / openssh | 1
windows / process_tampering | 1
django / application | 1
linux / cron | 1
huawei / bgp | 1
windows / applocker | 1
juniper / bgp | 1
windows / appmodel-runtime | 1
windows / shell-core | 1
windows / raw_access_thread | 1
nodejs / application | 1
linux / clamav | 1
windows / appxpackaging-om | 1
python / application | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
windows / capi2 | 1
linux / sudo | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / smbclient-security | 1
windows / file_rename | 1
velocity / application | 1
zeek / x509 | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_error | 1
ruby_on_rails / application | 1
m365 / exchange | 1
linux / vsftpd | 1
windows / diagnosis-scripted | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 196
windows / ps_script | 53
windows / registry_set | 51
windows / wmi | 29
windows / file_event | 20
windows / image_load | 15
proxy | 11
windows / security | 10
windows / system | 10
windows / kernel-event-tracing | 6
windows / network_connection | 6
windows / ntfs | 5
windows / ps_module | 5
windows / create_remote_thread | 4
windows / registry_event | 4
linux / process_creation | 3
windows / application-experience | 3
windows / registry_delete | 3
webserver | 3
windows / hyper-v-worker | 3
windows / pipe_created | 3
windows / ps_classic_script | 3
windows / vhd | 3
windows / bits-client | 2
windows / kernel-shimengine | 2
windows / driver_load | 2
windows / taskscheduler | 2
windows / process_access | 1
windows / amsi | 1
macos / process_creation | 1
windows / application | 1
windows / file_delete | 1
windows / audit-cve | 1
windows / dns_query | 1
windows / codeintegrity-operational | 1
windows / registry-setinformation | 1
windows / file_rename | 1
windows / file_access | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html