currently serving 10635 rules

New YARA Rules per Day

Newest YARA Rules

This table lists the newest additions to the rule set (one row per rule; the Ref column of the original page held only links and is omitted here).

Rule | Description | Date (DD.MM.YYYY)
HKTL_Meterpreter_XORED_Shellcode_Jun20_1 | Detects Meterpreter samples | 04.06.2020
APT_MAL_CN_GoblinPanda_USBCulprit_Jun20_1 | Detects Goblin Panda USBCulprit malware | 04.06.2020
SUSP_Recon_Outputs_Jun20_1 | Detects outputs of many different commands often used for reconnaissance purposes | 04.06.2020
APT_MAL_CN_GoblinPanda_BlueCore_Jun20_1 | Detects Goblin Panda BlueCore malware | 04.06.2020
APT_MAL_CN_GoblinPanda_USBCulprit_Jun20_2 | Detects Goblin Panda USBCulprit malware | 04.06.2020
APT_MAL_CN_GoblinPanda_ChromePass_Jun20_2 | Detects Goblin Panda ChromePass hacktool | 04.06.2020
APT_MAL_CN_GoblinPanda_BlueCore_Jun20_2 | Detects Goblin Panda BlueCore malware | 04.06.2020
APT_MAL_CN_GoblinPanda_USBCulprit_Jun20_3 | Detects Goblin Panda USBCulprit malware | 04.06.2020
APT_MAL_JS_Higasia_Jun20_1 | Detects Higasia group JavaScript helper file | 04.06.2020
APT_MAL_Higasia_Jun20_1 | Detects Higasia group JavaScript helper file | 04.06.2020
WEBSHELL_ASPX_SadBoy_Jun20_1 | Detects SadBoy webshell related to activity in ACSC report | 03.06.2020
WEBSHELL_ASPX_OBFUSC_Jun20_5 | Detects obfuscated ASPX webshell | 03.06.2020
WEBSHELL_ASPX_Jun20_4 | Detects ASPX webshell | 03.06.2020
WEBSHELL_ASPX_Jun20_3 | Detects ASPX webshell | 03.06.2020
WEBSHELL_ASPX_Jun20_2 | Detects ASPX webshell | 03.06.2020
WEBSHELL_ASPX_Jun20_1 | Detects ASPX webshell | 03.06.2020
APT_MAL_CN_MustangPanda_Loader_Jun20_1 | Detects Mustang Panda loader | 03.06.2020
APT_MAL_ACSC_Report_Forensic_Artefacts_Jun20_1 | Detects forensic artefacts mentioned in the ACSC reports for 2019 and 2020 | 03.06.2020
HKTL_Mimikatz_Indicators_Jun20_1 | Detects strings found in the Mimikatz hacktool, even in modified versions | 02.06.2020
APT_MAL_DNSTunnel_RAT_Jun20_1 | Detects DNSTunnel RAT | 02.06.2020
APT_MAL_CN_Chimera_BaseClient_Jun20_1 | Detects malware mentioned in the Chimera report on attacks against the Taiwanese high-tech sector | 02.06.2020
APT_MAL_CN_Chimera_SkeletonKeyInjector_Jun20_2 | Detects malware mentioned in the Chimera report on attacks against the Taiwanese high-tech sector | 02.06.2020
APT_MAL_CN_Chimera_CobaltStrike_Beacon_Jun20_1 | Detects malware mentioned in the Chimera report on attacks against the Taiwanese high-tech sector | 02.06.2020
APT_MAL_CN_Chimera_PDB_Jun20_1 | Detects malware mentioned in the Chimera report on attacks against the Taiwanese high-tech sector | 02.06.2020
APT_MAL_CN_Chimera_CmdLine_Jun20_1 | Detects a specific command line mentioned in the Chimera report on attacks against the Taiwanese high-tech sector | 02.06.2020
EXPL_HKTL_SMBGhost_RCE_PoC_Jun20_1 | Detects proof-of-concept exploit code for the CVE-2020-0796 (SMBGhost) vulnerability | 02.06.2020
MAL_Unknown_Jun20_1 | Detects indicators found in malware used by an unknown Middle Eastern actor | 02.06.2020
MAL_Unknown_Jun20_2 | Detects indicators found in malware used by an unknown Middle Eastern actor | 02.06.2020
APT_Unknown_RemoteProcess_Injector_Jun20_1 | Detects an unknown process injector found in a campaign against an Israeli victim | 01.06.2020
APT_MAL_Turla_Implant_Jun20_1 | Detects Turla implants | 01.06.2020
SUSP_MAL_ProcessInjector_May20_1 | Detects suspicious indicators often used in hack tools and malware | 01.06.2020
APT_MAL_CobaltStrike_May20_2 | Detects a Cobalt Strike beacon used in activity noticed in May 2020, likely related to a Chinese actor | 29.05.2020
APT_MAL_ReverseShell_May20_1 | Detects a reverse shell used in activity noticed in May 2020, likely related to a Chinese actor | 29.05.2020
APT_MAL_NTTCom_Campaign_Script_Keywords_May20_1 | Detects scripts as used in the campaign against NTTCom | 29.05.2020
HKTL_PS1_PowerSploit_Encrypted_Script_May20_1 | Detects encrypted scripts as used in PowerSploit | 29.05.2020
APT_MAL_NTTCom_Campaign_SERKDES_May20_1 | Detects malware as used in the campaign against NTTCom | 29.05.2020
APT_MAL_Unknown_ReverseShell_May20_2 | Detects Chinese threat actor activity | 29.05.2020
MAL_Agent_May20_1 | Detects malware used in activity noticed in May 2020, likely related to a Chinese actor | 29.05.2020
MAL_LNK_May20_2 | Detects malware used in activity noticed in May 2020, likely related to a Chinese actor | 29.05.2020
MAL_SERKDES_May20_1 | Detects SERKDES malware | 29.05.2020

Successful YARA Rules in Set

This table lists the rules whose matched samples have the lowest average AV detection (rules created in the last 12 months; matches from the last 14 days). A low value means the rule flags samples that few AV engines detect, which is where a YARA rule adds the most value over signature-based AV. The VT column of the original page held only links and is omitted here.

Rule | Average AV Detection Rate (lower is better) | Sample Count
SUSP_Encrypted_Excel_With_Macros | 0.19 | 303
HKTL_Meterpreter_InMemory_Rule | 0.29 | 14
MAL_ToTok_Android_APK | 1.53 | 15
HKTL_SilentTrinity_PS1_Posh_Stager | 2.13 | 15
HKTL_PS1_Hacktool_Indicator_Feb20_1 | 3.77 | 13
SUSP_OBFUSC_TrippleDash_Replace | 4.44 | 64
SUSP_JS_WindowChange_Dec19 | 4.8 | 3886
SUSP_URL_Persistence | 5.19 | 16
WEBSHELL_PHP_Apr20_2 | 5.82 | 11
SUSP_Base64_Encoded_GithubUserContent_URL | 5.92 | 12
SUSP_LNX_Base64_Decode_CommandLine | 6.07 | 113
SUSP_GrabBrowsingHistory_Jan20 | 6.64 | 11
EXPL_Office_TemplateInjection | 7.02 | 42
SUSP_Encoded_Convert_ToInt16 | 7.64 | 22
SUSP_MZ_PE_Header_Anomaly | 7.85 | 13
MAL_LNX_SH_SaltStack_Campaigns_May20_1 | 7.91 | 11
HKTL_Empire_Win_MSWord_Dec19_1 | 8.27 | 11
SUSP_Double_IEX | 8.4 | 20
SUSP_Shellcode_Keyword_Mar20 | 8.77 | 13
WEBSHELL_Obfuscator_PHP_OverflowZone | 9.24 | 17
SUSP_Encoded_Set_Alias | 9.58 | 136
SUSP_Encoded_StartSleep | 9.63 | 48
SUSP_Hex_Encoded_Executable_with_Padding | 9.88 | 16
SUSP_ShellCommands_Oct19 | 10.56 | 25
SUSP_Shellcode_Keyword_Mar20_2 | 10.83 | 12
APT_MAL_CN_BronzeUnion_Apr20_3 | 11.76 | 33
SUSP_JS_String_Keyword_Combo_Apr20_1 | 12.08 | 12
SUSP_Reversed_Base64_Encoded_EXE | 12.64 | 242
SUSP_WinScriptHost_MyScript_Combo | 12.92 | 13
SUSP_PS2EXE_PowerShell2Exe_2 | 13.36 | 113

Latest Matches with Low AV Detection Rate

This table lists the most recent matches with a low AV detection rate (between 0 and 15 AV engines flagged the sample). The same hash appears more than once where several rules matched the same sample. The VT column of the original page held only links and is omitted here.

Rule | AVs (engines detecting the sample) | SHA256
HKTL_screencap | 1 | 9b282864268dc306bb5f6ef8ca7025790814e3d20c34f954da7a6036afa033f8
SUSP_ConfuserEx_Obfuscated_Gen | 12 | 7417a57c814b5adde725f747a1e27384e22388bcc39248e98b72e1be3859a7bb
SUSP_ConfuserEx_Obfuscated_Gen | 9 | b05f893d7afd2e458ad3bd6777e0a8ff73ca19aa59497d523fa6f14d5d7f4784
MAL_AutoIt_Malware_Indicator_1 | 7 | c137ca3614a08a22a5f214da9bb929297a7379b0b374d0569ad254d97cb6e026
SUSP_AutoIt_Indicators_Feb19_4 | 7 | c137ca3614a08a22a5f214da9bb929297a7379b0b374d0569ad254d97cb6e026
SUSP_OfficeDoc_Macro_Indicator_Jun19_1 | 13 | 7705cec2a6cbf51ddaa8b4da0c97e323bc5aaf3ce3dbf35e62b53ef466db6851
PEFILE_Header_but_no_DOS_Header | 6 | 6a0ddfc05976ae1e314f46018b498f24c011da5eaacb7a087b8fc8e832696aed
SUSP_JS_WindowChange_Dec19 | 9 | e7bb0559ddfc8c46a04f1b495494e8a77a1ffc61c15afa5eb63a56172c90817e
SUSP_Schtasks_TaskName_Short | 14 | e55c983d2d6c7ee93203346286ffc8a41d378a35b5bbd8e6a520645a8963200e
PEFILE_Header_but_no_DOS_Header | 8 | 10d64de2606158c860a71aca483f8d44956bd34d2bd298b78182afd73742ba0a
SUSP_AutoIt_Indicators_Feb19_4 | 12 | 3c50504ed37ca451020ab96618082678d6239e17c65dd4f99295f9d4e67f97e8
MAL_AutoIt_Malware_Indicator_1 | 12 | 3c50504ed37ca451020ab96618082678d6239e17c65dd4f99295f9d4e67f97e8
APT_Sofacy_Rel_Sep18_2 | 12 | c1ecbae875dbca680a9cc5d16b394a82a451cda76096ec47dfc4221c21246d0a
SUSP_OfficeDoc_Macro_Indicator_Jun19_1 | 12 | 5d6fb1e51019b9a324d6993f5dc40560cef183411c980ed0df7989a19b36f9c8
SUSP_Reversed_LOLBAS | 7 | 2c2a9a35182152623a1566c867b9af5c2d17e9c4f38840a2240951d22466db7f
SUSP_Linux_Hacktool_Keywords_SCTEST | 5 | 9a7601dca121462e9cbfa6c323259fd78398026516a2e3e7cdb51a353632d292
SUSP_JS_WindowChange_Dec19 | 8 | 9c9e87ed926880766a4ec2572703994327f64f3943c437c09bac67ec98a07f9e
Suspicious_PowerShell_Code_1 | 12 | 88852df90fd87a8a5e31f802c2754fa42a17ced8b4b8bb5934d8b8aa9ebd778b
Suspicious_PowerShell_WebDownload_1 | 12 | 88852df90fd87a8a5e31f802c2754fa42a17ced8b4b8bb5934d8b8aa9ebd778b
SUSP_JS_WindowChange_Dec19 | 9 | 5bab394954ab4f8cfaed2c46bad156e8f6125f2cfb9d59db74e35096b54398a6
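The two tables above (per-rule average AV detection with sample count, and the list of recent low-detection matches) can be recomputed from raw match records. The following is an added example, not Valhalla's own code: the record shape (rule name, SHA256, number of AV engines detecting the sample), the deduplication of repeated hashes per rule, and the averaging over matched samples are assumptions about how the page's numbers are produced, and the hashes and counts are constructed.

```python
"""Recompute per-rule AV detection statistics and a low-detection match list.

Added example; not code from the Valhalla service. The Match record layout
and the aggregation below are assumptions, and all sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Match:
    rule: str    # YARA rule name
    sha256: str  # hash of the matched sample
    avs: int     # number of AV engines that flagged the sample


# Constructed sample matches; the hashes are placeholders, not real samples.
MATCHES = [
    Match("SUSP_Encrypted_Excel_With_Macros", "a" * 64, 0),
    Match("SUSP_Encrypted_Excel_With_Macros", "b" * 64, 1),
    Match("SUSP_Encrypted_Excel_With_Macros", "c" * 64, 0),
    Match("HKTL_screencap", "d" * 64, 1),
    Match("SUSP_ConfuserEx_Obfuscated_Gen", "e" * 64, 12),
    Match("SUSP_ConfuserEx_Obfuscated_Gen", "f" * 64, 9),
    # Two rules matching the same sample, as in the table above.
    Match("MAL_AutoIt_Malware_Indicator_1", "g" * 64, 7),
    Match("SUSP_AutoIt_Indicators_Feb19_4", "g" * 64, 7),
    # A rule that only matches what AV already catches adds little value.
    Match("Generic_Noisy_Rule", "h" * 64, 45),
    Match("Generic_Noisy_Rule", "i" * 64, 52),
]


def rule_stats(matches, min_samples=1):
    """Return (rule, average AV count, distinct sample count) per rule,
    sorted ascending by average, i.e. most valuable rule first.

    A sample counted twice for the same rule (e.g. the same file submitted
    twice) is deduplicated by hash so it does not skew the average.
    """
    per_rule = defaultdict(dict)  # rule -> {sha256: avs}
    for m in matches:
        per_rule[m.rule][m.sha256] = m.avs
    rows = [
        (rule, round(mean(by_hash.values()), 2), len(by_hash))
        for rule, by_hash in per_rule.items()
        if len(by_hash) >= min_samples
    ]
    return sorted(rows, key=lambda r: r[1])


def low_detection_matches(matches, max_avs=15):
    """Matches whose sample was flagged by at most max_avs engines."""
    return [m for m in matches if 0 <= m.avs <= max_avs]


def main():
    print("Rule | Avg AV detection | Samples")
    for rule, avg, count in rule_stats(MATCHES, min_samples=2):
        print(f"{rule} | {avg} | {count}")
    print("\nRule | AVs | SHA256")
    for m in low_detection_matches(MATCHES):
        print(f"{m.rule} | {m.avs} | {m.sha256}")


if __name__ == "__main__":
    main()
```

Raising `min_samples` (the page uses rules with enough matches over the last 14 days) keeps a single lucky match on a rarely-firing rule from topping the list.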

Top Tags in YARA Rule Set

This list shows the most frequently used tags in the rule database; these tags define the subscribable categories. Tags of the form Txxxx and Gxxxx are MITRE ATT&CK technique and group IDs.

Tag | Count
FILE | 7100
EXE | 5082
APT | 3068
MAL | 2962
HKTL | 2682
DEMO | 2468
T1100 | 1926
WEBSHELL | 1895
SUSP | 1501
CHINA | 1093
SCRIPT | 728
T1086 | 430
RUSSIA | 417
MIDDLE_EAST | 369
T1027 | 358
T1064 | 313
GEN | 313
T1003 | 289
T1193 | 270
T1203 | 270
T1075 | 232
G0044 | 216
OBFUS | 193
T1132 | 190
EXPLOIT | 183
G0007 | 176
LINUX | 171
T1085 | 162
T1097 | 145
T1178 | 145

Integrations

Tenable Nessus
Requirement: privileged (credentialed) scan
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html