currently serving 11525 YARA rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

| Rule | Description | Date |
|---|---|---|
| MAL_Unknown_Ryuk_Campaign_Oct20_1 | Detects samples mentioned in report on group deploying Ryuk ransomware | 19.10.2020 |
| MAL_Unknown_Ryuk_Campaign_Forensic_Artefacts_Oct20_1 | Detects forensic artefacts mentioned in report on group deploying Ryuk ransomware | 19.10.2020 |
| HKTL_CobaltStrike_BOF_DCOM_Lateral_Movement_Oct20 | Detects CobaltStrike Beacon Object Files for DCOM lateral movement | 19.10.2020 |
| HKTL_CobaltStrike_BOF_WMI_Lateral_Movement_Oct20 | Detects CobaltStrike Beacon Object Files for WMI lateral movement | 19.10.2020 |
| HKTL_SharpBuster_Oct20 | Detects CobaltStrike Beacon Object Files for WMI lateral movement | 19.10.2020 |
| WEBSHELL_PHP_Script_Eval_Oct20 | Detects small PHP webshell embedded as script block | 17.10.2020 |
| WEBSHELL_JSP_Runtime_Exec_Oct20 | Detects small JSP webshell | 17.10.2020 |
| WEBSHELL_JSP_FromSessionVar_Exec_Oct20 | Detects small JSP webshell | 17.10.2020 |
| WEBSHELL_JSP_ExecuteGlobalRequest_Exec_Oct20 | Detects small JSP webshell | 17.10.2020 |
| WEBSHELL_EvalRequest_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| WEBSHELL_OBFUSC_EvalRequest_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| WEBSHELL_EvalRequest_Via_Var_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| WEBSHELL_PHP_ShellExec_Small_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| WEBSHELL_PHP_EvalR_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| WEBSHELL_PHP_Assert_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| WEBSHELL_PHP_POST_CommandReplace_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| WEBSHELL_PHP_Backtick_CommandReplace_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| WEBSHELL_JSP_WriteFile_Gen_Oct20 | Detects small webshell | 17.10.2020 |
| EXPL_CVE_2020_16947_Outlook_Oct20 | Detects email files that look as if they would exploit CVE-2020-16947 | 16.10.2020 |
| MAL_LNX_Ebury_Oct20_1 | Detects Ebury Linux malware | 16.10.2020 |
| APT_MAL_ME_MuddyWater_Oct20_1 | Detects MuddyWater samples mentioned in Operation Quicksand | 16.10.2020 |
| APT_MAL_ME_MuddyWater_Covicli_Oct20_2 | Detects MuddyWater Covicli backdoor mentioned in Operation Quicksand | 16.10.2020 |
| APT_MAL_ME_MuddyWater_MalDoc_Oct20_1 | Detects MuddyWater samples mentioned in Operation Quicksand | 16.10.2020 |
| APT_MAL_ME_MuddyWater_Hacktool_Oct20_1 | Detects MuddyWater socks tool SSF.mx mentioned in Operation Quicksand | 16.10.2020 |
| APT_MAL_ME_MuddyWater_WEBSHELL_Oct20_1 | Detects MuddyWater Webshell mentioned in Operation Quicksand | 16.10.2020 |
| APT_ME_MuddyWater_PowGoop_Indicator_Oct20_1 | Detects MuddyWater PowGoop indicators mentioned in Operation Quicksand | 16.10.2020 |
| APT_ME_LOG_MuddyWater_Artefacts_Oct20_1 | Detects MuddyWater forensic artefacts as mentioned in Operation Quicksand | 16.10.2020 |
| SUSP_RTF_Hex_Encoded_Keywords_Combo_Oct20 | Detects RTF files with suspicious hex encoded content | 15.10.2020 |
| SUSP_Hex_Encoded_Keywords_Combo_Oct20 | Detects RTF files with suspicious hex encoded content | 15.10.2020 |
| SUSP_WEBSHELL_Tiny_Eval_Oct20 | Detects suspicious tiny files including an eval statement | 15.10.2020 |
| SUSP_WEBSHELL_Eval_ChinaChopper_Oct20 | Detects suspicious files including an eval statement that uses a user defined parameter | 15.10.2020 |
| APT_CN_APT18_TManger_Malware_Oct20_1 | Detects APT18 TA428 TManger samples | 15.10.2020 |
| APT_CN_APT18_TManger_Malware_Oct20_2 | Detects APT18 TA428 TManger samples | 15.10.2020 |
| HKTL_Invoke_PrintDemon_ualapi_Oct20 | Detects Invoke-PrintDemon toolset - file ualapi.dll | 14.10.2020 |
| HKTL_MSF_PY_HTTP_Rev_Payload_Oct20_1 | Detects Metasploit framework HTTP reverse payload as Python compiled exe | 14.10.2020 |
| HKTL_Invoke_PrintDemon_Oct20 | Detects Invoke-PrintDemon toolset | 14.10.2020 |
| HKTL_UsoDllLoader_Oct20_1 | Detects UsoDllLoader hacktool | 14.10.2020 |
| HKTL_UsoDllLoader_Oct20_2 | Detects UsoDllLoader hacktool | 14.10.2020 |
| HKTL_FaxHell_Oct20_1 | Detects FaxHell hacktool | 14.10.2020 |
| HKTL_ELF_Linux_Hacktool_Gen_Oct20_1 | Detects Linux ELF hacktool samples | 14.10.2020 |

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest average AV detection rates on matched samples (rules created in the last 12 months, matches from the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| SUSP_JS_Obfusc_JSFuck_Jan20_1 | 0.0 | 48 |
| SUSP_BAT_Aux_Jan20_1 | 0.0 | 399 |
| HKTL_Meterpreter_InMemory_Rule | 0.0 | 11 |
| MAL_DOC_ZLoader_Oct20_1 | 0.58 | 77 |
| EXPL_CVE_2020_0796_Keywords | 0.59 | 115 |
| SUSP_VBA_User32_Import_Indicators_Oct20_1 | 0.86 | 21 |
| SUSP_RAR_Single_Doc_File | 1.36 | 11 |
| MAL_FakeCovid_Mar20_2 | 1.81 | 58 |
| SUSP_LNX_PY_Binary | 2.0 | 14 |
| SUSP_GZIP_Packed_Base64_Encoded_Executable | 2.23 | 30 |
| SUSP_VBA_User32_Import_Indicators_Oct20_2 | 2.33 | 981 |
| SUSP_PS1_OBFUSC_Through_Cryptography_Method_Jun20 | 2.75 | 20 |
| MAL_FinFisher_MacOS_Oct20_2 | 3.19 | 52 |
| PS1_Char_Keyword_Casing_Anomaly | 3.67 | 12 |
| SUSP_PS_Get_Random | 3.68 | 22 |
| SUSP_Shellcode_Keyword_Mar20_3 | 4.0 | 12 |
| SUSP_CreateMutex_Script | 5.0 | 16 |
| SUSP_VBA_Lib_Kernel32_Import_Oct20 | 6.02 | 51 |
| SUSP_Encrypted_Excel_With_Macros | 6.06 | 146 |
| WEBSHELL_CloakedAsPic_Feb20 | 6.52 | 27 |
| SUSP_GIF_Anomalies | 7.13 | 15 |
| SUSP_OBFUSC_PS1_Bypass_Jun20_1 | 7.38 | 13 |
| SUSP_MZ_PE_Header_Anomaly | 7.56 | 16 |
| HKTL_Shellcode_Loader_Apr20_1 | 7.63 | 35 |
| SUSP_OBFUSC_PS1_Bypass_Jun20_2 | 7.66 | 44 |
| SUSP_JS_var_OBFUSC | 8.13 | 16 |
| Char_Casing_Anomaly | 8.29 | 21 |
| WEBSHELL_phpWhitespace_Feb20 | 9.16 | 43 |
| SUSP_Encoded_Set_Alias | 9.54 | 13 |
| HKTL_MSF_Keywords_Jul20_1 | 10.08 | 13 |

Latest Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines detected the sample)


Rules Per Category

This list shows the number of rules in each subscribable category (the counts overlap, since a single rule can belong to several categories)

| Tag | Count |
|---|---|
| APT | 3351 |
| Malware | 3149 |
| Hacktools | 2946 |
| Webshells | 1941 |
| Threat Hunting | 1694 |
| Exploits | 214 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file, so all rules have to be combined into one file
  • The filesystem scan has to be activated
  • You have to define the target locations (the paths to be scanned)
  • Matches are reported under Nessus plugin ID 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html