
currently serving 15778 YARA rules
New YARA Rules per Day
Newest YARA Rules
This table shows the newest additions to the rule set
| Rule | Description | Date |
|---|---|---|
| SUSP_Vulnerabilty_Scanning_Indicators_May22_1 | Detects suspicious indicators that are often found in samples that check for certain vulnerabilities (remotely or locally) | 21.05.2022 |
| HKTL_AdFly_May22_1 | Detects the Adfly hacktool, an Active Directory query tool using the LDAP protocol that helps red teamers / penetration testers validate user credentials and retrieve information about AD users and AD groups | 21.05.2022 |
| HKTL_TChopper_May22_1 | Detects the TChopper tool, used to perform lateral movement via Windows service display names and WMI by smuggling the malicious binary as base64 chunks (file chopper.exe) | 21.05.2022 |
| SUSP_PSExec_EULA_Accept_Registry_Add_May22 | Detects a suspicious automated way of accepting PsExec's EULA | 20.05.2022 |
| SUSP_VBA_Indicators_May22_1 | Detects indicators found in malicious VBA code | 20.05.2022 |
| SUSP_PDF_JavaScript_OpenAction_Combo_May22_1 | Detects PDF files with suspicious JavaScript and an OpenAction function | 20.05.2022 |
| SUSP_JS_WScriptShell_Folder_Combo_May22_1 | Detects suspicious JavaScript files that combine a WScript.Shell object with a suspicious folder | 20.05.2022 |
| SUSP_Script_Indicators_May22_1 | Detects JavaScript code that contains indicators found in many malicious samples | 20.05.2022 |
| APT_CN_TwistedPanda_ForensicArtefacts_May22_1 | Detects forensic artefacts found in Twisted Panda campaigns | 20.05.2022 |
| APT_JS_MUstangPanda_May22_1 | Detects patterns found in JavaScript code used by the Mustang Panda threat actor (could be found in other malicious scripts as well) | 20.05.2022 |
| MAL_BlackByte_ForensicArtefacts_May22_1 | Detects forensic artefacts found in BlackByte campaigns | 20.05.2022 |
| SUSP_ELF_Malware_Indicators_May22_1 | Detects characteristics found in malicious Linux samples | 19.05.2022 |
| SUSP_ELF_Rootkit_Indicators_May22_1 | Detects characteristics found in malicious Linux samples | 19.05.2022 |
| MAL_LNX_LinaDungeon_May22_1 | Detects LinaDungeon Linux malware used by UNC1945 LightBasin | 19.05.2022 |
| MAL_LNX_LinaDoor_Rootkit_May22 | Detects the LinaDoor Linux rootkit | 19.05.2022 |
| MAL_LNX_LinaDoor_Malware_May22 | Detects LinaDoor Lion Linux malware | 19.05.2022 |
| SUSP_WUSA_Uninstall_KB_May22_1 | Detects the use of wusa to uninstall a certain KB patch | 18.05.2022 |
| SUSP_SMALL_VBS_Invoke_Windows_May22 | Detects a suspicious small VBS script that runs something within the Windows folder | 17.05.2022 |
| APT_IR_COBALT_MIRAGE_ForensicArtefacts_May22_1 | Detects forensic artefacts or samples found in COBALT MIRAGE intrusions | 17.05.2022 |
Successful YARA Rules in Set
This table shows statistics for the best-performing rules, i.e. those with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

| Rule | Average AV Detection Rate | Sample Count | Info | VT |
|---|---|---|---|---|
Latest Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
| Rule | AVs | Hash |
|---|---|---|
| HKTL_Metasploit_Shellcode_Aug20_1 | 3 | 7c70f474b1d1891d2911c32a10a04712463e9559cb380279e1ff509813e59e24 |
Rules Per Category
This list shows the number of rules in the subscribable categories (categories overlap, as a rule can be in 'n' categories)

| Tag | Count |
|---|---|
| Malware | 4846 |
| APT | 4233 |
| Hacktools | 3688 |
| Threat Hunting | 3302 |
| Webshells | 2114 |
| Exploits | 457 |
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls