currently serving 14198 YARA rules

[Chart: New YARA Rules per Day]

Newest YARA Rules

This table shows the newest additions to the rule set (rule name, description and the date the rule was added)

Rule | Description | Date
--- | --- | ---
SUSP_LIGHTS_BOMB_Indicator_Oct21_1 | Detects a string found in HVNC samples used by Kimsuky group | 20.10.2021
HKTL_SBD_Netcat_Clone_Oct21_1 | Detects SBD netcat clone | 20.10.2021
HKTL_SBD_Packed_Netcat_Clone_Oct21_1 | Detects SBD netcat clone | 20.10.2021
MAL_LNX_Backdoor_TinyShell_Oct21_1 | Detects Linux TinyShell backdoors | 20.10.2021
APT_LightBasin_Artefacts_Oct21_1 | Detects artefacts of LightBasin / UNC1945 activity | 20.10.2021
APT_MAL_Kimsuky_TinyNuke_Oct21_1 | Detects TinyNuke malware used by Kimsuky group | 20.10.2021
PUA_Go_CPU_Miner_Oct21_1 | Detects a Go CPU miner | 20.10.2021
PUA_TightVNC_Server_Oct21 | Detects PUA TightVNC server | 20.10.2021
SUSP_TVNServer_Oct21_1 | Detects modified TightVNC server versions noticed in October 2021 | 20.10.2021
SUSP_APT_LightBasin_Pingg_Oct21_1 | Detects samples possibly related to LightBasin / UNC1945 | 20.10.2021
SUSP_LNX_Hacktool_Indicator_Oct21_1 | Detects an opcode sequence often found in Linux hacktools | 20.10.2021
SUSP_Rundll32_By_Ordinal_Oct21_1 | Detects a suspicious rundll32 invocation using an ordinal | 20.10.2021
SUSP_AVE_MARIA_Indicator_Oct21_1 | Detects a string found in HVNC samples used by Kimsuky group | 20.10.2021
SUSP_WIN_Go_Binary_Obfuscated_Oct21_1 | Detects suspicious Windows Go PE files that look as if certain common strings have been removed for obfuscation purposes | 19.10.2021
HKTL_LSARelay_Oct21_1 | Detects LSARelayX hacktool used to deploy a system-wide NTLM relay | 18.10.2021
MAL_CN_Vampire_Oct21_1 | Detects Vampire malware samples | 18.10.2021
APT_IR_MAL_Lyceum_Kevin_Oct21_1 | Detects strings used by Lyceum malware | 18.10.2021
APT_IR_Lyceum_INI_File_Indicators_Oct21_1 | Detects characteristics of .ini files used by Lyceum malware | 18.10.2021
EXPL_Apache_ModProxy_CVE_2021_40438_Oct21_1 | Detects PoC for Apache mod_proxy vulnerability CVE-2021-40438 or log entries that show successful exploitation | 18.10.2021
SUSP_BlackBone_Ref_Oct21_1 | Detects executables with suspicious reference to the BlackBone memory hacking library | 18.10.2021
SUSP_CertOc_LoadDLL_Combo_Oct21_1 | Detects suspicious certoc.exe use with -LoadDLL parameter | 18.10.2021
SUSP_Hacktool_PoC_Strings_Oct21_1 | Detects suspicious strings often found in hacktools, malware or PoC code | 18.10.2021
LOG_SUSP_PS1_RDP_History_Removal_Oct21 | Detects the removal of terminal server client history via PowerShell registry manipulation | 15.10.2021
APT_TA505_MalDoc_Oct21_1 | Detects TA505 malicious document samples | 15.10.2021
APT_TA505_MAL_MSI_Oct21_1 | Detects TA505 malicious MSI samples | 15.10.2021
SUSP_NOP_Sled_Before_MZ_Oct21 | Detects files with MZ header that are prefixed with NOP sleds | 15.10.2021
HKTL_PUA_FRP_FastReverseProxy_Oct21_1 | Detects fast reverse proxy PUA tool often used by threat groups | 14.10.2021
WEBSHELL_ASP_CeCe_Oct21_1 | Detects web shells found in an open directory in October 2021 | 14.10.2021
WEBSHELL_ASP_ProcStart_Oct21_1 | Detects web shells found in an open directory in October 2021 | 14.10.2021
WEBSHELL_ASPX_Popup_Oct21_1 | Detects web shells found in an open directory in October 2021 | 14.10.2021
WEBSHELL_ASPX_FileUpload_Oct21_1 | Detects web shells found in an open directory in October 2021 | 14.10.2021
WEBSHELL_PHP_B64_Decoder_Oct21_1 | Detects web shells found in an open directory in October 2021 | 14.10.2021
WEBSHELL_PHP_PhpWaf2_Oct21_1 | Detects web shells found in an open directory in October 2021 - file phpwaf2.php | 14.10.2021
HKTL_EXPL_PoC_CVE_2016_3309_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | 13.10.2021
HKTL_StandIn_Oct21_1 | Detects StandIn post-exploitation tool | 13.10.2021
LOG_PUA_SysInternals_Live_Usage_Oct21_1 | Detects access to online SysInternals tools using live.sysinternals.com | 13.10.2021
LOG_SUSP_Suspicious_Service_Image_Loc_Oct21_1 | Detects a suspicious image location of a newly installed service, very similar to PsExec | 13.10.2021
SUSP_HKTL_Encoded_Oct21_1 | Detects encoded strings often found in hacktools | 13.10.2021
SUSP_HKTL_Hacktool_Strings_Oct21_1 | Detects strings often used in exploit code | 13.10.2021
SUSP_HKTL_Encoded_Hacktool_Strings_Oct21_1 | Detects encoded strings often found in exploit code and hacktools | 13.10.2021

Successful YARA Rules in Set

This table shows the best-performing rules, ranked by the lowest average AV detection rate of their matched samples (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
--- | --- | ---
SUSP_CobaltStrike_XOR_Encrypted_Beacon_Marker_Apr21_1 | 0.0 | 417
HKTL_RMM_Client_Aug21_1 | 1.27 | 37
SUSP_Tiny_RAR_Mar21_1 | 1.58 | 228
HKTL_PY_Loader_Feb21_2 | 2.43 | 28
SUSP_MalDoc_Indicator_VBA_Nov20_1 | 2.5 | 12
HKTL_AMSIBypass_Tool_OpCode_Indicators_May21_1 | 2.76 | 42
SUSP_OBFUSC_JS_Sep21_1 | 3.16 | 31
HKTL_LNX_GenShell_Feb21_1 | 3.36 | 11
SUSP_BAT_to_EXE_Converter_Jul21_1 | 3.45 | 22
HKTL_BAT_BypassTamperProtection_Aug21_1 | 4.07 | 42
SUSP_PY_OBFUSC_RevShell_Feb21_1 | 4.32 | 25
WEBSHELL_PHP_BeginsWith_eval_Sep21 | 4.49 | 193
HKTL_PY_Bypass_Tool_Aug21_2 | 4.93 | 15
PUA_SUSP_ScreenConnect_Feb21 | 5.39 | 59
HKTL_PowerCat_Use_Oct21_1 | 5.6 | 15
SUSP_Encoded_PowerShell_Policies_Sep21_1 | 5.66 | 41
SUSP_String_Base64_Jun21 | 6.19 | 27
SUSP_BAT_Defender_Exclusion_Path | 6.25 | 12
SUSP_PS1_Loader_Generic_Feb21 | 6.47 | 15
WEBSHELL_ReGeorg_Variant_Jul21_1 | 6.56 | 27
WEBSHELL_Gen_NeoRegeorg_Tunnel_Feb21 | 6.74 | 19
SUSP_PHP_Base64Encoded_Nov20 | 7.88 | 17
HKTL_PS1_PowerCat_Mar21 | 8.18 | 11
WEBSHELL_ASPX_ProxyShell_Aug21_2 | 8.72 | 18
SUSP_Small_ISO_Includes_Rundll32_Apr21_1 | 9.04 | 49
SUSP_BAT_PS1_AMSI_Bypass_Aug21_1 | 9.21 | 38
HKTL_ShellCode_Loaders_Oct21_3 | 9.27 | 15
SUSP_PS1_IEX_Pattern_Oct21_1 | 9.36 | 14
SUSP_LNX_RevShell_Payloads_Jun21_1 | 9.57 | 30
SUSP_SCRIPT_PowerShell_Param_Abbrev_Jul21 | 9.76 | 17

Latest Matches with Low AV Detection Rate

This table lists the most recent rule matches with a low AV detection rate (between 0 and 15 AV engines flagged the sample)

Rule | AVs | Hash
--- | --- | ---
JSFuck_Obfuscation | 8 | d2c4f8bd0400459594df892c3856a86b8df1d7212aacb2b6324f4e93f2e27886
EXP_MicrosoftEdge_WSHFILE_CVE_2018_8495 | 8 | 1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef
Hacktool_Strings_p0wnedShell | 8 | 1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef
APT_MAL_Mask_Campaign_Certificate_String | 8 | 1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef
InceptionCloudMe | 8 | 1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef
Suspicious_PS_JS_Indicators | 11 | 63612a89d642a26d2ed1a141ed52af834162afdbe8d459f3391a3f100c332b80
CustomerCase_A4_APT_maliciousSystems | 8 | 1df9c10e8abb33935631bc7455636691b7c6b78edef79f2554169a1c6a8e72ef
JSFuck_Obfuscation | 8 | 44a825e1a3dccff620bb691b7dc4795a2ef9f91d26920de5a1f67ddea64bdfe5
JSFuck_Obfuscation | 8 | 7d50c6687656e39e0c08d04776a1a872bf36d4e754f9fe7015362cfc15e59f0a
JSFuck_Obfuscation | 10 | f2029df90597b66d34ddc37a460dc0e37f3be019c0d8a711c246de264a313bdb
CoinMiner_Strings | 5 | 4921059aebd12443745623d734b84c38c92b44b0cde7cedd850dbbb27d9e6c7e
PowerShell_JAB_B64 | 9 | d320002be4a26b80da18be9bf358f70982d0c76ec596ff0bf934cc389505af6e
MAL_GreenBug_Apr18_1 | 6 | c3f49cb1ddcf3679b96c47398e0039387e35b4029dc63bbdacdb9ddef48f2ee3
JS_Run_Users_Folder | 3 | 9a2ab73a0b38063376c57f521512f192e3e42a2532fd000db887216da833c958
Obfuscated_Malware_Jan18_1 | 7 | eb03ca44628ac78702c84a77c73b6df4cbd718a8aefc62c89c9a118c6cbfc6da
JSFuck_Obfuscation | 6 | 9c95d6ca133998a45af542920d0b8bf98fe7c6d48100c7ef3b083c557e1f7699
JSFuck_Obfuscation | 3 | e4a3d7fa2993ac7009392e99f7fe570356d6b93b05f7c26dc4790ae73ba86eb6
HKTL_LNX_Metasploit_Shell_May20_1 | 12 | 982fbe9c1177296c9df2a07a4fa26b60be05714cba69003c8e669b392c35a3e1
HKTL_LNX_Metasploit_Shell_May20_2 | 12 | 982fbe9c1177296c9df2a07a4fa26b60be05714cba69003c8e669b392c35a3e1
HKTL_LNX_Metasploit_Agents_Aug21_1 | 12 | 982fbe9c1177296c9df2a07a4fa26b60be05714cba69003c8e669b392c35a3e1

Rules Per Category

This list shows the number of rules in each subscribable category (the counts overlap, since a single rule can belong to several categories)

Tag | Count
--- | ---
Malware | 4436
APT | 3902
Hacktools | 3342
Threat Hunting | 2587
Webshells | 2080
Exploits | 357

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file (concatenate your rules into one file before uploading)
  • The filesystem scan has to be activated
  • You have to define the target locations to scan
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html