
currently serving 12027 YARA rules
New YARA Rules per Day
Newest YARA Rules
This table shows the newest additions to the rule set

Rule | Description | Date
APT_MAL_UNC2452_CobaltStrike_Cryptor_Jan21 | Detects CobaltStrike beacons based on certain characteristics | 21.01.2021
HKTL_CobaltStrike_Beacon_PE_Characteristics_Jan21 | Detects CobaltStrike beacons based on certain characteristics | 21.01.2021
SUSP_LOG_Raindrop_Artefacts_Jan21_1 | Detects a suspicious PowerShell invocation matching a pattern used by the group described in the Raindrop report | 20.01.2021
MAL_LokiBot_Jan21_1 | Detects LokiBot malware | 20.01.2021
MAL_RANSOM_Egregor_Jan21_1 | Detects Egregor ransomware | 20.01.2021
SUSP_Double_Base64_Encoded_Strings_Dec20_File | Detects strings that have been base64-encoded twice for obfuscation | 19.01.2021
SUSP_Base64_Decode_Bash_Jan21 | Detects suspicious base64 input decoded in bash and executed directly | 19.01.2021
SUSP_Bash_IO_TCP_Stream_Jan21 | Detects suspicious bash input/output redirection to a TCP socket | 19.01.2021
SUSP_PY_Stager_Loader_Base64_Jan21_1 | Detects a suspicious Python loader that executes base64-encoded code directly | 19.01.2021
SUSP_macOS_Encoded_LittleSnitch_Jan21_1 | Detects a suspicious base64-encoded "Little Snitch" keyword as used in Empire stagers for macOS | 19.01.2021
SUSP_macOS_MAL_Plist_Jan21_1 | Detects a suspicious plist used by Empire and mentioned in a talk by Patrick Wardle | 19.01.2021
SUSP_LNX_SH_Commands_Jan21_1 | Detects code often found in malicious scripts for the Linux platform | 19.01.2021
SUSP_LNX_Encoded_Clear_History_Jan21_1 | Detects suspicious base64-encoded code that clears the shell history | 19.01.2021
SUSP_Encoded_GetCurrentThreadId_FileOnly | Detects the base64-encoded keyword GetCurrentThreadId | 19.01.2021
SUSP_Encoded_WriteProcessMemory_FileOnly | Detects the base64-encoded keyword WriteProcessMemory | 19.01.2021
SUSP_HKTL_ShellCode_Loader_Jan21_1 | Detects shellcode loaders based on certain characteristics | 18.01.2021
SUSP_HKTL_ShellCode_Loader_Jan21_2 | Detects shellcode loaders based on certain characteristics | 18.01.2021
SUSP_HKTL_ShellCode_Loader_Jan21_3 | Detects shellcode loaders based on certain characteristics | 18.01.2021
SUSP_HKTL_ShellCode_Loader_Jan21_4 | Detects Linux shellcode loaders based on certain characteristics | 18.01.2021
MAL_Egregror_Loader_DLL_Jan21_1 | Detects Egregor ransomware loaders | 18.01.2021
MAL_PS1_Ransomware_Payloads_Jan21_1 | Detects obfuscated malicious PowerShell payloads | 18.01.2021
MAL_PS1_Ransomware_Payloads_Jan21_2 | Detects unknown PowerShell malware loaders | 18.01.2021
MAL_Unknown_MARCUS_Jan21_1 | Detects unknown malware named MARCUS, found on VirusTotal | 18.01.2021
HKTL_LNX_Shellcode_Loader_RC4_Jan21_1 | Detects unknown shellcode loaders | 18.01.2021
HKTL_VBA_ShellCode_Loader_Jan21_1 | Detects unknown shellcode loaders | 18.01.2021
HKTL_WIN_ShellCode_Loader_Jan21_2 | Detects unknown shellcode loaders | 18.01.2021
HKTL_ShellCode_Loader_Payload_x64_Jan21_1 | Detects unknown shellcode loaders | 18.01.2021
HKTL_Go_ShellCode_Loader_Jan21_1 | Detects unknown shellcode loaders written in Go | 18.01.2021
HKTL_WIN_ShellCode_Loader_Jan21_3 | Detects unknown shellcode loaders | 18.01.2021
Successful YARA Rules in Set
This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count | Info | VT
Latest Matches with Low AV Detection Rate
This table lists the latest matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash
SUSP_MalDoc_JS_Indicators_Nov20_1 | 11 | be951f5cc4a0f0bc21f278176f18e2c0633c2f5917e6c72de2afb1a02137be5d
SUSP_MalDoc_JS_Indicators_Nov20_1 | 9 | 94b4c39993f13c145726429536075e2b27f7a174734445f4ce23be92ee54055d
SUSP_MalDoc_JS_Indicators_Nov20_1 | 11 | 528b642b0f44e1002dfc8693ebaae7acf7167608bd68e238f7374af03624190e
Disclosed_Hacktool_Set_Feb18_RansomwareInfo | 8 | ee7168037bdf576e9ad7433473963d4020e76206a4648ac25e27f0e49b3df99f
SUSP_MalDoc_JS_Indicators_Nov20_1 | 11 | 18411231aedc1042d4e359e38a641e31cbc3171380172590b98518dc8d6a5e48
Rules Per Category
This list shows the number of rules in the subscribable categories (categories overlap, as a rule can be in several categories)

Tag | Count
APT | 3412
Malware | 2965
Hacktools | 2775
Webshells | 1964
Threat Hunting | 1820
Exploits | 199
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- The filesystem scan has to be activated
- You have to define the target locations
- Matches are reported under Nessus plugin ID 91990
- Only files with the following extensions are scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
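Two of the constraints above bite in practice: the plugin accepts only one .yar file, so rules downloaded per category have to be merged before upload, and the extension filter silently leaves everything else unscanned. The Python below is an added example, not Tenable's or Nextron's code. merge_rule_files() concatenates rule files while hoisting and deduplicating `import` statements and refusing duplicate rule names and `include` directives, both of which would make the merged file fail to compile on the scanner; in_scan_scope() applies the extension list exactly as printed on this page, so a quick walk over a target shows which files the plugin would never look at. The two rule texts are constructed stand-ins for category downloads.

```python
import re
from pathlib import PureWindowsPath

# Added example; not Tenable's or Nextron's code. Extension list transcribed
# from the Nessus notes above, as printed there.
NESSUS_SCANNED_EXTENSIONS = frozenset("""
.application .asp .aspx .bat .chm .class .cmd .com .cp .csh .dl .doc .docx
.drv .exe .gadget .hta .inf .ins .inx .isu .jar .job .jpeg .jpg .js .jse .jsp
.lnk .msc .msi .msp .mst .paf .pdf .php .pif .ppt .pptx .ps1 .ps1xm .ps2
.ps2xm .psc1 .psc2 .reg .rgs .scf .scr .sct .shb .shs .swf .sys .u3p .vb .vbe
.vbs .vbscript .ws .wsf .xls
""".split())

IMPORT_RE = re.compile(r'^[ \t]*import[ \t]+"([A-Za-z_]+)"[ \t]*$', re.M)
INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+"', re.M)
# Rule headers only; this does not parse comments or strings, so it is a
# pre-upload sanity check, not a replacement for compiling with yarac.
RULE_RE = re.compile(r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)', re.M)


def merge_rule_files(sources: dict) -> str:
    """sources maps file name -> rule text. Returns one .yar body with all
    module imports hoisted to the top. Raises ValueError on a rule name that
    is defined twice or on an `include`, which would reference a file that is
    not uploaded alongside the merged one."""
    imports, bodies, owner = [], [], {}
    for name, text in sources.items():
        if INCLUDE_RE.search(text):
            raise ValueError(f"{name}: include directive cannot be resolved after upload")
        for module in IMPORT_RE.findall(text):
            if module not in imports:
                imports.append(module)
        for rule in RULE_RE.findall(text):
            if rule in owner:
                raise ValueError(f"rule {rule} defined in {owner[rule]} and {name}")
            owner[rule] = name
        body = IMPORT_RE.sub("", text).strip()
        bodies.append(f"// ---- {name} ----\n{body}\n")
    header = "".join(f'import "{m}"\n' for m in imports)
    return header + "\n" + "\n".join(bodies)


def in_scan_scope(path: str) -> bool:
    """True if the plugin's extension filter would let this file be scanned.
    PureWindowsPath accepts both '\\' and '/' separators."""
    return PureWindowsPath(path).suffix.lower() in NESSUS_SCANNED_EXTENSIONS


# Constructed rule files standing in for two category downloads; both import
# the pe module, so a naive concatenation would declare it twice.
RULES_A = '''import "pe"

rule Example_Loader_A
{
    strings:
        $s = "WriteProcessMemory" base64
    condition:
        uint16(0) == 0x5a4d and $s
}
'''

RULES_B = '''import "pe"
import "math"

rule Example_Loader_B
{
    condition:
        pe.number_of_sections > 8 and math.entropy(0, filesize) > 7.0
}
'''


def demo():
    """Merge the two constructed files and classify a few constructed paths."""
    merged = merge_rule_files({"hacktools.yar": RULES_A, "malware.yar": RULES_B})
    paths = (r"C:\Windows\Temp\update.exe", "/var/www/html/u.php", "/home/u/notes.txt")
    return merged, {p: in_scan_scope(p) for p in paths}
```

Write the returned text to a single file and upload that; the `// ---- name ----` markers keep the origin of each rule visible when a match is reported under plugin 91990.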