currently serving 21003 YARA rules and 3771 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

| Rule | Description | Date |
| --- | --- | --- |
| MAL_Go_Modbus_Jul24_1 | Detects characteristics reported by Dragos for FrostyGoop ICS malware | 23.07.2024 |
| SUSP_Go_Modbus_Jul24_1 | Detects a Go binary that uses the modbus library (github.com/rolfl/modbus), which is sometimes used in ICS malware | 23.07.2024 |
| MAL_Sarabi_Jul24_1 | Detects unknown malware samples (Sarabi) | 19.07.2024 |
| MAL_BeaverTail_Jul24 | Detects BeaverTail, which retrieves additional malware as its second-stage payload | 18.07.2024 |
| MAL_Packed_ZharkBot_Jul24 | Detects packed ZharkBot | 18.07.2024 |
| HKTL_Nim_NimBackdoor_Jul24 | Detects characteristics found in NimBackdoor samples | 18.07.2024 |
| HKTL_PINEGROVE_Jul24 | Detects PINEGROVE, a command-line uploader written in Go with functionality to collect and upload a file to OneDrive via the OneDrive API | 18.07.2024 |
| HKTL_SQLULDR2_Jul24 | Detects SQLULDR2, a command-line utility written in C/C++ that can be used to export the contents of a remote Oracle database to a local text-based file | 18.07.2024 |
| MAL_APT_DUSTPAN_Jul24 | Detects DUSTPAN, an in-memory dropper written in C/C++ that decrypts and executes an embedded payload | 18.07.2024 |
| MAL_Packed_AvNeutralizer_Jul24 | Detects packed AvNeutralizer (aka AuKill), a highly specialised tool developed by FIN7 to tamper with security solutions | 18.07.2024 |
| MAL_Carbanak_Jul24 | Detects Carbanak | 18.07.2024 |
| MAL_Powertrash_Jul24 | Detects Powertrash, a heavily obfuscated PowerShell script designed to reflectively load an embedded PE file in memory | 18.07.2024 |
| HKTL_Scan4all_Jul24 | Detects scan4all, a vulnerability scanner and brute-force hacktool | 15.07.2024 |
| HKTL_SysWhispers3WinHttp_Jul24 | Detects SysWhispers3WinHttp, a hacktool for AV/EDR evasion via direct system calls | 15.07.2024 |
| APT_MAL_BugSleep_Backdoor_Jul24 | Detects BugSleep, a custom backdoor used by MuddyWater in phishing campaigns | 15.07.2024 |
| MAL_Trojan_Ladvix_Jul24 | Detects the Ladvix trojan | 14.07.2024 |
| SUSP_EXPL_MSF_Payload_Jul24 | Detects indicators of Metasploit SQL injection payloads exploiting vulnerabilities | 12.07.2024 |
| SUSP_BAT_OBFUSC_Jul24_1 | Detects indicators of obfuscation in Windows Batch files | 12.07.2024 |
| SUSP_BAT_OBFUSC_Jul24_2 | Detects indicators of obfuscation in Windows Batch files | 12.07.2024 |
| SUSP_BAT_OBFUSC_Jul24_3 | Detects indicators of obfuscation in Windows Batch files | 12.07.2024 |
| MAL_Mofongo_Loader_Jul24 | Detects the Mofongo loader, which maps and executes a payload in a hollowed msedge process | 12.07.2024 |
| APT_MAL_APT27_Rshell_Jul24_1 | Detects the RSHELL / SYSUPDATE backdoor used by APT27 | 11.07.2024 |
| MAL_APT_DodgeBox_Jul24 | Detects the DodgeBox loader, related to APT41 | 11.07.2024 |
| MAL_APT_StealthVector_Jul24 | Detects the StealthVector loader, related to APT41 | 11.07.2024 |
| SUSP_Registry_Editor_PDF_Export | Detects PDF files that were exported or saved (printed) from the registry editor (regedit) | 08.07.2024 |
| HKTL_PEEditor_Jul24 | Detects files modified using PEEditor | 08.07.2024 |
| HKTL_Go_Reverse_SSH_Jul24 | Detects Go-based reverse shells over SSH | 08.07.2024 |
| HKTL_MDE_Enum_Jul24 | Detects MDE_Enum, a .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reduction (ASR) rules without admin privileges | 08.07.2024 |
| HKTL_Loader_Havoc_Jul24_1 | Detects characteristics found in Havoc loaders | 07.07.2024 |
| SUSP_HKTL_Loader_Unknown_Jul24_1 | Detects opcodes found in an unknown loader | 07.07.2024 |

Successful YARA Rules in Set

This table shows the best-performing rules, i.e. those with the lowest average AV detection rates (rules created in the last 12 months, matches of the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
| --- | --- | --- |
| MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20 |
| SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180 |
| SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14 |
| SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64 |
| SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11 |
| SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22 |
| SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45 |
| SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736 |
| SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43 |
| SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21 |
| SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21 |
| SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14 |
| SUSP_URL_Split_Jun23 | 2.5 | 18 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13 |
| PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18 |
| SUSP_JS_Redirector_Mar23 | 2.81 | 108 |
| SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274 |
| SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16 |
| SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34 |
| SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64 |
| SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17 |
| HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16 |
| SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13 |
| SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16 |
| SUSP_RANSOM_Note_Aug22 | 4.01 | 171 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67 |
| SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18 |
| SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12 |
| SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26 |
| SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31 |

Latest YARA Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines matched)

| Rule | AVs | Hash |
| --- | --- | --- |
| SUSP_PS1_IEX_From_Download_Dec22_1 | 1 | eabf8657a8385ba0d5572e9a3459a75a6b3d78ff13def2d65bcf09b27d37d7ad |
| SUSP_Download_Cradles_Feb22_1 | 1 | eabf8657a8385ba0d5572e9a3459a75a6b3d78ff13def2d65bcf09b27d37d7ad |
| SUSP_PS1_Indicators_Aug21_1 | 7 | 9858481b7d629cc99469e78fe1debd397983f64c9f744aa0be0406ce917a114e |
| SUSP_OBFUSC_UPX_Oct20 | 5 | 2f51a5e8b4286d4fa3d423d35c401a3f65b2e85cd613e05743ac0bfc5c838145 |
| SUSP_HKTL_CobaltStrike_PS1_Loader_Indicator_Nov23_2 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| HKTL_PY_Stealer_Blank_Grabber_No23 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| SUSP_Defender_Exclusion_Aug21 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| SUSP_OBFUSC_PS1_Encoded_PowerShell_Commands_Apr22_1 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| SUSP_B64_Atob_Aug23 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| SUSP_OBFUSC_JS_Encoded_Pattern_Sep23 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| SUSP_Encoded_DisableRealtimeMonitoring_Mar20 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| SUSP_Defense_Evasion_Known_System_UUID_Jun23 | 11 | 192161662f04d3a37b55c2725140dba34f9ad72d11ac16edf17380ec524d0b2a |
| SUSP_OBFUSC_Reversed_String_Mar15 | 4 | 938305576804c51bc49313bed7dd6ce918b4b155cd083ce01e13c03a9279b4e0 |
| SUSP_AMSI_Manipulation_Indicator_Mar23_1 | 6 | c6beb88fd0a07dd13d6f59f48922daebdc7ebca1233957751f2b95b2ea7157af |
| SUSP_PE_Themida_Packed_Nov22 | 5 | 7120cdbcf80a53ee6aaf0830ec10cd816195418d3f11abdcd6182009c4dcd766 |
| SUSP_Protector_Themida_Packed_Samples_Mar21_1 | 5 | 7120cdbcf80a53ee6aaf0830ec10cd816195418d3f11abdcd6182009c4dcd766 |
| SUSP_PUA_Compressed2TXT_Encoded_Feb22_1 | 1 | 5a504b2839a195214cb02ed87c9f4c7dc62ed750f45ff0d48725d9dabfe3e039 |
| SUSP_OBF_VMProtect_Jan24 | 7 | 477aed5b5148a7ca80dde9cd4df27f45139306dbcdb0f45963292323aef3e565 |
| SUSP_WindowsFolder_With_Blank | 4 | a8354d974f6048ccefd52796b0e9b9be88af79648251b140d30356ab53de067c |

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, since a rule can belong to more than one category)

| Tag | Count |
| --- | --- |
| Malware | 6256 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5027 |
| APT | 4866 |
| Hacktools | 4515 |
| Webshells | 2310 |
| Exploits | 628 |

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

| Rule | Description | Date |
| --- | --- | --- |
| Powershell Executed From Headless ConHost Process | Detects the use of PowerShell commands from a headless ConHost window. The "--headless" flag hides the window from the user upon execution. | 23.07.2024 |
| Process Launched Without Image Name | Detects the use of processes with no name (".exe"), which can be used to evade image-based detections. | 23.07.2024 |
| Renamed BOINC Client Execution | Detects the execution of a renamed BOINC binary. | 23.07.2024 |
| Microsoft Teams Sensitive File Access By Uncommon Application | Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process. | 22.07.2024 |
| COM Object Hijacking Via Modification Of Default System CLSID Default Value | Detects potential COM object hijacking via modification of the default value of a default system CLSID. | 16.07.2024 |
| Renamed Microsoft Teams Execution | Detects the execution of a renamed Microsoft Teams binary. | 12.07.2024 |
| New Network Route Added | Detects the addition of a new network route to a route table in AWS. | 11.07.2024 |
| Ingress/Egress Security Group Modification | Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, is trying to exfiltrate data over the network, or is trying to allow machines in that VPC/subnet to contact a C&C server. | 11.07.2024 |
| Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure | Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point. | 11.07.2024 |
| New Network ACL Entry Added | Detects that network ACL entries have been added to a route table, which could indicate that new attack vectors have been opened up in the AWS account. | 11.07.2024 |
| Potential Malicious Usage of CloudTrail System Manager | Detects when System Manager successfully executes commands against an instance. | 11.07.2024 |
| RDS Database Security Group Modification | Detects changes to the security group entries for RDS databases. This can indicate a misconfiguration that potentially exposes the database to the public internet or to a wider audience within the VPC, or the removal of valid rules, which could impact the availability of the database to legitimate services and users. | 11.07.2024 |
| LoadBalancer Security Group Modification | Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration allowing more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account. | 11.07.2024 |
| BitLockerTogo.EXE Execution | Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, external hard disk drives and other drives that are formatted using the NTFS, FAT16, FAT32 or exFAT file system. This is a rarely used application, and any usage of it is worth investigating. Malware such as Lumma Stealer has been seen using this process as a target for process hollowing. | 11.07.2024 |
| Directory Service Restore Mode (DSRM) Registry Value Tampering | Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account that logs in in DSRM mode when the server boots in order to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If it is set to "1", the account can only be used if the local AD DS service is stopped. If it is set to "2", the account can always be used. | 11.07.2024 |
| Potential DLL Sideloading Of DbgModel.DLL | Detects potential DLL sideloading of "DbgModel.dll". | 11.07.2024 |
| Potential DLL Sideloading Of MpSvc.DLL | Detects potential DLL sideloading of "MpSvc.dll". | 11.07.2024 |
| Potential DLL Sideloading Of MsCorSvc.DLL | Detects potential DLL sideloading of "mscorsvc.dll". | 11.07.2024 |
| Multiple File Combined Via Built-In Copy Command | Detects the use of the built-in CMD "copy" command with 2 or more plus signs in order to combine the content of multiple files. | 11.07.2024 |
| Kubernetes CronJob/Job Modification | Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs that run containers executing malicious code within a cluster, allowing them to achieve persistence. | 11.07.2024 |
| Kubernetes Admission Controller Modification | Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials. | 11.07.2024 |
| Kubernetes Rolebinding Modification | Detects when a Kubernetes Rolebinding is created or modified. | 11.07.2024 |
| Kubernetes Secrets Modified or Deleted | Detects when Kubernetes Secrets are modified or deleted. | 11.07.2024 |
| Potential Domain DPAPI Backup Key Extraction | Detects potential DPAPI backup key extraction. | 10.07.2024 |
| Printing Activity Initiated Via RegEdit.EXE | Detects the creation of a file with an ".SPL" extension by the "RegEdit.exe" process, which might indicate the start of a print activity. This could be an indicator that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses. | 10.07.2024 |
| Uncommon File Created By RegEdit.EXE | Detects the creation of files with an uncommon extension by the RegEdit.EXE process. By default, the "RegEdit.exe" process allows the export of keys via the GUI as either ".reg", ".txt" or "hives". By excluding known extensions, we can hunt for anomalous ones created by "RegEdit.exe", which covers cases such as a user choosing to print or save a key as a PDF file in order to extract sensitive information and potentially bypass defenses. | 10.07.2024 |
| RemoteRegistry Service Started Via Svchost | Detects the start of the "RemoteRegistry" service by looking at "svchost" process creation events. If not authorized, this action can indicate lateral movement activity in progress, as the "Remote Registry" service enables remote users to modify registry settings on a computer. Attackers can leverage this in order to manipulate certain values remotely. | 10.07.2024 |
| Potential Service ImagePath Value Tampering | Detects potential tampering with the ImagePath of some built-in and third-party services. Attackers sometimes tamper with an existing service's "ImagePath" instead of creating a new service, to avoid raising "New Service Creation" event alerts and to evade defenses. This rule uses a baseline of service "ImagePath" values and triggers on any anomalies. | 10.07.2024 |
| New Blocking Firewall Rule For Critical Service/Application Added In Windows Firewall Exception List | Detects the addition of a new "Block" firewall rule targeting critical services and application paths and binaries. An attacker can leverage PowerShell cmdlets such as "New-NetFirewallRule", or directly use WMI CIM classes such as "MSFT_NetFirewallRule", to add block rules targeting security services and applications in order to stop communication between them and their management console. | 09.07.2024 |
| Microsoft Defender For Endpoint Service Failed To Connect To The Server | Detects instances where the Microsoft Defender for Endpoint service has failed to connect to the server. This could be due to internet connectivity issues or a potential attacker blocking traffic towards Defender domains. | 09.07.2024 |

YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
| --- | --- | --- |
| Yara | 2970 | 18033 |
| Sigma | 3278 | 493 |

Sigma Rules Per Category (Community)

| Type | Count |
| --- | --- |
| windows / process_creation | 1219 |
| windows / registry_set | 197 |
| windows / file_event | 189 |
| windows / ps_script | 165 |
| windows / security | 154 |
| linux / process_creation | 109 |
| windows / image_load | 102 |
| webserver | 78 |
| windows / system | 72 |
| macos / process_creation | 62 |
| proxy | 52 |
| windows / network_connection | 49 |
| linux / auditd | 49 |
| azure / activitylogs | 43 |
| aws / cloudtrail | 42 |
| windows / registry_event | 38 |
| azure / auditlogs | 36 |
| windows / ps_module | 33 |
| windows / application | 28 |
| azure / signinlogs | 24 |
| okta / okta | 22 |
| windows / process_access | 22 |
| windows / dns_query | 21 |
| azure / riskdetection | 19 |
| windows / pipe_created | 18 |
| opencanary / application | 18 |
| rpc_firewall / application | 17 |
| linux | 17 |
| windows / windefend | 16 |
| gcp / gcp.audit | 16 |
| bitbucket / audit | 14 |
| m365 / threat_management | 13 |
| windows / create_remote_thread | 12 |
| cisco / aaa | 12 |
| windows / file_delete | 12 |
| github / audit | 10 |
| windows / codeintegrity-operational | 10 |
| windows / ps_classic_start | 10 |
| kubernetes / application / audit | 10 |
| windows / driver_load | 10 |
| linux / file_event | 9 |
| windows / create_stream_hash | 9 |
| windows / registry_add | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| dns | 8 |
| windows / file_access | 8 |
| zeek / smb_files | 7 |
| windows / bits-client | 7 |
| windows / registry_delete | 7 |
| gcp / google_workspace.admin | 7 |
| antivirus | 7 |
| azure / pim | 7 |
| windows / appxdeployment-server | 7 |
| linux / network_connection | 5 |
| windows / dns-client | 5 |
| jvm / application | 5 |
| kubernetes / audit | 5 |
| zeek / dns | 4 |
| windows / taskscheduler | 4 |
| windows / sysmon | 4 |
| zeek / dce_rpc | 4 |
| linux / sshd | 3 |
| zeek / http | 3 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| windows / security-mitigations | 2 |
| firewall | 2 |
| spring / application | 2 |
| linux / syslog | 2 |
| m365 / audit | 2 |
| windows / dns-server | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| apache | 2 |
| qualys | 2 |
| windows / file_change | 2 |
| windows / capi2 | 1 |
| windows / file_executable_detected | 1 |
| windows / raw_access_thread | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / microsoft-servicebus-client | 1 |
| velocity / application | 1 |
| linux / sudo | 1 |
| zeek / x509 | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| windows / diagnosis-scripted | 1 |
| sql / application | 1 |
| linux / vsftpd | 1 |
| zeek / rdp | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| m365 / threat_detection | 1 |
| zeek / kerberos | 1 |
| windows / sysmon_error | 1 |
| database | 1 |
| windows | 1 |
| windows / sysmon_status | 1 |
| windows / driver-framework | 1 |
| windows / dns-server-analytic | 1 |
| nginx | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-operational | 1 |
| cisco / ldp | 1 |
| windows / printservice-admin | 1 |
| netflow | 1 |
| cisco / bgp | 1 |
| windows / ldap | 1 |
| fortios / sslvpnd | 1 |
| linux / auth | 1 |
| django / application | 1 |
| cisco / syslog | 1 |
| linux / cron | 1 |
| huawei / bgp | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| windows / process_creation / windows | 1 |
| nodejs / application | 1 |
| windows / smbclient-connectivity | 1 |
| linux / guacamole | 1 |
| juniper / bgp | 1 |
| windows / appxpackaging-om | 1 |
| windows / process_tampering | 1 |
| paloalto / file_event / globalprotect | 1 |
| cisco / duo | 1 |
| windows / applocker | 1 |
| windows / shell-core | 1 |
| python / application | 1 |
| paloalto / appliance / globalprotect | 1 |
| linux / clamav | 1 |

Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
| --- | --- |
| windows / process_creation | 206 |
| windows / ps_script | 55 |
| windows / registry_set | 54 |
| windows / wmi | 29 |
| windows / file_event | 23 |
| windows / image_load | 16 |
| windows / security | 11 |
| proxy | 11 |
| windows / network_connection | 7 |
| windows / system | 7 |
| windows / kernel-event-tracing | 6 |
| windows / ntfs | 5 |
| windows / ps_module | 5 |
| windows / registry_event | 5 |
| windows / sense | 4 |
| windows / create_remote_thread | 4 |
| windows / pipe_created | 3 |
| windows / ps_classic_script | 3 |
| linux / process_creation | 3 |
| webserver | 3 |
| windows / vhd | 3 |
| windows / registry_delete | 3 |
| windows / application-experience | 3 |
| windows / hyper-v-worker | 3 |
| windows / kernel-shimengine | 2 |
| windows / taskscheduler | 2 |
| windows / bits-client | 2 |
| windows / driver_load | 2 |
| windows / file_access | 1 |
| windows / file_rename | 1 |
| macos / process_creation | 1 |
| windows / amsi | 1 |
| windows / windefend | 1 |
| windows / process_access | 1 |
| windows / application | 1 |
| windows / audit-cve | 1 |
| windows / codeintegrity-operational | 1 |
| windows / registry-setinformation | 1 |
| windows / firewall-as | 1 |
| windows / file_delete | 1 |
| windows / dns_query | 1 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
  • Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
  • Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html