currently serving 21868 YARA rules and 3891 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set (rule name, description, and date added).

Rule | Description | Date
MAL_DLL_Jan25 | Detects malicious DLL possibly related to Chaperone/TajMahal APT | 10.01.2025
MAL_Legion_ShellCode_Jan25 | Detects Legion loader shellcode | 01.01.2025
MAL_Legion_DLL_Loader_Jan25 | Detects Legion loader DLL | 01.01.2025
MAL_Legion_Loader_Jan25 | Detects Legion loader | 01.01.2025
HKTL_ShadowHound_Dec24 | Detects ShadowHound, a set of PowerShell scripts for Active Directory enumeration without the need to introduce known-malicious binaries like SharpHound | 30.12.2024
MAL_PHP_Dec24_1 | Detects a PHP script that infects PHP files to embed code for subsequent payload delivery, infects Baota (BT) panels to collect sensitive information and modify system files, and downloads and executes the next-stage payload | 27.12.2024
MAL_PHP_Backdoor_Dec24_2 | Detects contents found in a PHP script that acts as a backdoor | 27.12.2024
MAL_OBFUSC_PHP_Dec24 | Detects obfuscated PHP script | 26.12.2024
HKTL_SharpShares_Dec24 | Detects SharpShares, a hacktool that lists network share information from all machines in the current domain | 25.12.2024
MAL_PS1_Veam_Password_Recovery_Dec24 | Detects PowerShell script that recovers passwords used by Veeam to connect to remote hosts | 24.12.2024
HKTL_CSHARP_SccmHound_Dec24 | Detects sccmhound, a BloodHound collector for Microsoft Configuration Manager | 23.12.2024
MAL_OBFUSC_JS_Dec24 | Detects obfuscated script seen used by Lazarus APT | 23.12.2024
HKTL_VeeamHax_Dec24 | Detects VeeamHax, proof-of-concept code to exploit CVE-2023-27532 | 23.12.2024
MAL_PS1_Keylogger_Indicators_Dec24 | Detects indicators of a PowerShell keylogger | 21.12.2024
MAL_PS1_HWorm_Dec24 | Detects HWorm PowerShell malware | 21.12.2024
MAL_PS1_PSRansom_Dec24 | Detects PowerShell ransomware | 21.12.2024
HKTL_PS1_PowerDump_Indicators_Dec24 | Detects PowerShell PowerDump indicators | 21.12.2024
WEBSHELL_ASPX_Dec24_1 | Detects ASPX web shells | 21.12.2024
WEBSHELL_ASPX_Dec24_2 | Detects ASPX web shells | 21.12.2024
WEBSHELL_ASPX_Dec24_3 | Detects unknown encoded ASPX web shells | 21.12.2024
WEBSHELL_ASPX_Dec24_4 | Detects ASPX web shells | 21.12.2024
WEBSHELL_ASPX_Dec24_5 | Detects ASPX web shells | 21.12.2024
WEBSHELL_Encoded_Payloads_Dec24_6 | Detects encoded payloads found in ASPX web shells | 21.12.2024
WEBSHELL_ASPX_Dec24_7 | Detects ASPX web shells | 21.12.2024
WEBSHELL_OBFUSC_ASPX_Dec24_1 | Detects obfuscated ASPX web shells | 21.12.2024
WEBSHELL_ASPX_Dec24_8 | Detects ASPX web shells | 21.12.2024
WEBSHELL_MAL_ASPX_Dec24_9 | Detects ASPX web shells | 21.12.2024
MAL_CookiePlus_Loader_Dec24 | Detects CookiePlus loader | 20.12.2024
HKTL_MAL_ReflectiveLoader_OpCodes_Dec24 | Detects shellcode used in some obfuscated loaders | 20.12.2024
HKTL_MAL_Go_PrivEsc_Dec24 | Detects unknown Go-based implants (often obfuscated Sliver agents) | 20.12.2024

Successful YARA Rules in Set

This table shows the best-performing rules, i.e. those whose matches have the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days). The detection rate is the average number of AV engines flagging a matched sample.

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines flagged the sample); the same sample hash can appear several times when multiple rules matched it.

Rule | AVs | Hash (SHA256)
SUSP_PS1_Cmdlet_Defender_Exclusion_Apr21_1 | 3 | 688e6d02de30b862d1701482a6a60e63564a271cfb285b5ff3287d85791274e1
SUSP_Defender_Exclusion_Aug21 | 3 | 688e6d02de30b862d1701482a6a60e63564a271cfb285b5ff3287d85791274e1
SUSP_PS1_Small_NetworkFunc_Jun22_1 | 10 | 2a72544fc5897891297a052faa1044ab09e9fc83b803d5d63c2f58e772ba92be
MAL_LNX_Mirai_Mar23_1 | 11 | 0d538550477f39685f4c1bbe307faf239aed607a9958f751fa1eb6675ebced87
SUSP_Encoded_FromBase64String | 12 | 15d13052da0082b0fcc131dc2eaa66457c5635276d215cb8871860946110e0a3
SUSP_Encoded_SystemReflection_Assemly_Load | 12 | 15d13052da0082b0fcc131dc2eaa66457c5635276d215cb8871860946110e0a3
SUSP_Encoded_DownloadData | 12 | 15d13052da0082b0fcc131dc2eaa66457c5635276d215cb8871860946110e0a3
SUSP_Encoded_PowerShell_Class | 12 | 15d13052da0082b0fcc131dc2eaa66457c5635276d215cb8871860946110e0a3
SUSP_PS1_Base64_Encoded_SingleLiner_Jun22_1 | 12 | 15d13052da0082b0fcc131dc2eaa66457c5635276d215cb8871860946110e0a3
HKTL_ADCSPwn_Jul21_1 | 2 | 8a3ccb39f0d8ba3acfd6aa2409e5953cc4a7068edcba19e89639291a012e5a50
SUSP_JS_OBFUSC_Feb23_2 | 1 | cc5e60dc5a5521a7541259f7e269dcb8e595e78cf1b8e43a293814b96c699752
SUSP_JS_OBFUSC_Feb23_2 | 1 | 2c8b26c88b1abbe68235bbf6d70b5533c3ed89c38c378bad76cf78b3715c28df
SUSP_B64_Atob_Aug23 | 3 | c1c75d0337e525eb5099a7969a6f594f673b1be2e30bbfa760c243ce8bdd6d5e
HKTL_ADCSPwn_Jul21_1 | 2 | e6091ed7fb98c524ce05806b5031590cf1b8f9c3a5ae7bf5451d1b41cdf69a52
LNK_Malicious_Nov1 | 13 | 0edef066ac8d4849bb43dbb885b47d41680d5925f5b889994a1e5c4bfcc64244
HKTL_ADCSPwn_Jul21_1 | 1 | 52dd0c90e3d726aff576f92a93c916360f9a95eba225ce6b563db2b93ba0b139
HKTL_ADCSPwn_Jul21_1 | 1 | 09ebcf9bbeded20c7c5233883fec42005cf798673c6f97240bc4d8979b8b1965
WEBSHELL_PHP_Generic | 11 | 2606abed315d60d25a82354a7ae064b35df7dfe67346800014344650b23e67aa
SUSP_ELF_LNX_UPX_Compressed_File_DeepEval | 5 | 0b76a4d0887bbc663f15613bcd551796d28b0cca46dd693c70ffb7eb458f573d
WEBSHELL_PHP_Generic | 11 | 53157f31ae77f9b0b9358f522f4db3f9186df176774a1abe1285ee79597326d6

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, since a rule can belong to several categories, so the counts do not add up to the total).

Tag | Count
Malware | 6569
Threat Hunting (not subscribable, only in THOR scanner) | 5214
APT | 4919
Hacktools | 4616
Webshells | 2351
Exploits | 650

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set (rule title, description, and date added).

Rule | Description | Date
CVE-2024-50623 Exploitation Attempt - Cleo | Detects an exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with a suspicious PowerShell command line. | 09.12.2024
Modification or Deletion of an AWS RDS Cluster | Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information. | 06.12.2024
Suspicious ShellExec_RunDLL Call Via Ordinal | Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands. An adversary might use only the ordinal number in order to bypass existing detections that alert on the usage of ShellExec_RunDLL on the command line. | 01.12.2024
Setup16.EXE Execution With Custom .Lst File | Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers might leverage this as a living-off-the-land utility. | 01.12.2024
Potential File Extension Spoofing Using Right-to-Left Override | Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension. | 17.11.2024
Disable Application Bound Encryption for Chrome and Edge | Detects disabling of Application Bound Encryption for Google Chrome and Microsoft Edge by setting registry keys to 0. | 14.11.2024
Suspicious Use of RAR for File Archiving | Detects the use of `rar.exe` to create archives, which may indicate file compression for exfiltration or malicious purposes. | 10.11.2024
Suspicious File Copy To Admin Share | Detects suspicious file copy operations to administrative shares, which may indicate lateral movement or malicious staging. | 10.11.2024
Remote Execution Using PsExec | Detects suspicious use of PsExec to remotely execute a batch file located in an unusual directory. This could indicate lateral movement or malicious activity, as seen in some cyberattack scenarios. | 10.11.2024
Expand File Over Admin Share | Detects the use of the expand command to extract files located on an administrative share, potentially used for lateral movement or staging files. | 10.11.2024
Execution of ServiceUI.exe in Suspicious Location | Detects execution of ServiceUI.exe, a legitimate binary from the Microsoft Deployment Toolkit, potentially used for privilege escalation by running it outside of its expected directory. | 06.11.2024
Execution via Serviceui.exe | Detects potential abuse of ServiceUI.exe for privilege escalation using specific flags that allow running applications in a system context within a user session. | 06.11.2024
Potentially Suspicious Command Executed Via Run Dialog Box - Registry | Detects execution of commands via the Run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. | 01.11.2024
.RDP File Created by Outlook Process | Detects the creation of files with the ".rdp" extension in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments. | 01.11.2024
Disable Antivirus Autostart | Detects disabling of the autostart capability of antivirus products | 28.10.2024
ValleyRAT Malware Registry Modification | Detects creation of registry keys used to store C2 information, as seen used by the ValleyRAT malware | 28.10.2024
Registry Modifications to Change Default Programs Handling Files | Detects a change to the default program handling a file extension, which could be used by threat actors to run their malware when a file with a certain extension is opened. | 28.10.2024
Hacktool Nifo Usage | Detects Nifo, a tool that disables Windows AV/EDR software by corrupting their files offline via physical access | 27.10.2024
Registry Set for WinDefend Deletion | Detects the deletion of the WinDefend registry key in an attempt to disable Windows Defender. | 23.10.2024
Potential DLL Sideloading Via taskhost.exe | Detects potential DLL sideloading of "SbieDll.dll". | 21.10.2024
Curl Variable Execution | Detects curl execution with a variable being passed as the domain to fetch data from, which could be used by a threat actor to hide the actual malicious domain. | 20.10.2024
Domain Obfuscation | Detects domain obfuscation used by threat actors to hide the actual C2 domain. | 20.10.2024
MSC File Execution From Potential Suspicious Location | Detects execution of Microsoft Management Console (MMC) files from potentially suspicious locations. | 20.10.2024
IMEEX Framework Registry Modification Detected | Detects modifications to registry keys associated with the IMEEX malware framework, a tool used by attackers to gain extensive control over compromised Windows systems. | 12.10.2024
Potential Conti Ransomware Activity | Detects a specific command line pattern based on flags used by the Conti ransomware | 07.10.2024
Wazuh Agent Remote Execution | Detects enabling of remote commands in the Wazuh agent. By setting this value to 1, the agent is allowed to accept and execute remote commands from the Wazuh manager or other controlling systems. This could be used for legitimate remote administration, but it also opens up the potential for misuse if the Wazuh manager or server it connects to is malicious or compromised, as it grants significant control over the agent. | 07.10.2024
New Module Added To IIS Server | Detects the addition of a new module to an IIS server. | 06.10.2024
HTTP Logging Disabled On IIS Server | Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests. | 06.10.2024
ETW Logging/Processing Option Disabled On IIS Server | Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option. | 06.10.2024
Previously Installed IIS Module Was Removed | Detects the removal of a previously installed IIS module. | 06.10.2024

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 3209 | 18659
Sigma | 3343 | 548

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1249
windows / registry_set | 201
windows / file_event | 191
windows / ps_script | 165
windows / security | 157
linux / process_creation | 118
windows / image_load | 105
webserver | 78
windows / system | 72
macos / process_creation | 65
windows / network_connection | 52
proxy | 52
linux / auditd | 48
aws / cloudtrail | 43
azure / activitylogs | 43
windows / registry_event | 38
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 28
azure / signinlogs | 24
okta / okta | 22
windows / process_access | 22
windows / dns_query | 21
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
rpc_firewall / application | 17
linux | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
github / audit | 13
m365 / threat_management | 13
windows / create_remote_thread | 13
windows / file_delete | 13
cisco / aaa | 12
windows / codeintegrity-operational | 10
kubernetes / application / audit | 10
windows / driver_load | 10
windows / registry_add | 9
linux / file_event | 9
windows / ps_classic_start | 9
windows / create_stream_hash | 9
windows / firewall-as | 8
windows / msexchange-management | 8
dns | 8
gcp / google_workspace.admin | 7
windows / bits-client | 7
windows / registry_delete | 7
zeek / smb_files | 7
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
windows / dns-client | 6
windows / file_access | 6
linux / network_connection | 5
jvm / application | 5
kubernetes / audit | 5
zeek / dns | 4
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
linux / sshd | 3
zeek / http | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
firewall | 2
windows / file_change | 2
spring / application | 2
linux / syslog | 2
m365 / audit | 2
windows / security-mitigations | 2
apache | 2
windows / dns-server | 2
onelogin / onelogin.events | 2
qualys | 2
macos / file_event | 2
windows / shell-core | 1
windows / capi2 | 1
velocity / application | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / file_executable_detected | 1
ruby_on_rails / application | 1
m365 / exchange | 1
linux / sudo | 1
zeek / x509 | 1
windows / microsoft-servicebus-client | 1
sql / application | 1
linux / vsftpd | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
windows / file_rename | 1
windows / sysmon_status | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / sysmon_error | 1
database | 1
windows / terminalservices-localsessionmanager | 1
zeek / kerberos | 1
windows / dns-server-analytic | 1
windows / driver-framework | 1
windows | 1
windows / printservice-operational | 1
nginx | 1
windows / printservice-admin | 1
netflow | 1
cisco / bgp | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
fortios / sslvpnd | 1
linux / auth | 1
cisco / ldp | 1
django / application | 1
cisco / syslog | 1
linux / clamav | 1
windows / ldap | 1
windows / smbclient-connectivity | 1
linux / guacamole | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
cisco / duo | 1
linux / cron | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
windows / process_tampering | 1
windows / raw_access_thread | 1
python / application | 1
paloalto / appliance / globalprotect | 1
windows / appxpackaging-om | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 237
windows / registry_set | 63
windows / ps_script | 56
windows / wmi | 29
windows / file_event | 23
windows / image_load | 19
proxy | 12
windows / security | 11
linux / process_creation | 11
windows / network_connection | 7
windows / system | 7
windows / kernel-event-tracing | 6
windows / registry_event | 6
windows / ntfs | 5
windows / ps_module | 5
windows / pipe_created | 4
windows / sense | 4
windows / create_remote_thread | 4
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / vhd | 3
webserver | 3
windows / registry_delete | 3
windows / application-experience | 3
windows / driver_load | 2
windows / bits-client | 2
windows / kernel-shimengine | 2
windows / taskscheduler | 2
windows / audit-cve | 1
windows / file_access | 1
windows / registry-setinformation | 1
windows / codeintegrity-operational | 1
windows / file_delete | 1
windows / firewall-as | 1
windows / file_rename | 1
windows / dns_query | 1
macos / process_creation | 1
windows / amsi | 1
windows / windefend | 1
windows / process_access | 1
windows / application | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan), since the plugin has to read files on the target's filesystem
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations (directories to scan)
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html