Valhalla
Currently serving 21464 YARA rules and 3852 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

| Rule | Description | Date |
| --- | --- | --- |
| MAL_Rust_Splinter_Implants_Sep24 | Detects C2 implants of the Splinter post-exploitation framework | 25.09.2024 |
| PUA_LNX_TMate_Sep24_1 | Detects the PUA tmate terminal sharing utility. tmate is a fork of tmux that allows easier sharing of terminal sessions with remote users. | 24.09.2024 |
| SUSP_UPX_Inside_PE_Sep24 | Detects a UPX-packed PE binary inside a small PE, which makes it more probable that UPX was used for obfuscation rather than for compression | 23.09.2024 |
| SUSP_Nim_UPX_Packed_Small_Sep24 | Detects a suspicious unsigned executable written in Nim that is packed with UPX despite already being quite small | 23.09.2024 |
| PUA_Mullvad_VPN_Sep24 | Detects Mullvad VPN, a legitimate VPN tool sometimes abused by threat actors | 23.09.2024 |
| SUSP_Rust_UPX_Packed_Small_Sep24 | Detects a suspicious unsigned executable written in Rust that is packed with UPX despite already being quite small | 23.09.2024 |
| MAL_Packer_Sep24 | Detects an unknown packer used for malware | 23.09.2024 |
| SUSP_Rust_Implant_Indicators_Sep24_1 | Detects suspicious indicators found in Rust-based malware samples | 20.09.2024 |
| SUSP_PS1_LummaStealer_Pattern_Sep24_1 | Detects suspicious patterns found in LummaStealer PowerShell scripts that users copy to the command line and execute | 20.09.2024 |
| SUSP_CronTab_Entries_Sep24_2 | Detects suspicious crontab entries | 19.09.2024 |
| SUSP_PS1_Casing_Anomaly_Join | Detects suspicious casing in commands | 19.09.2024 |
| EXPL_HTKL_VeeamBackup_CVE_2024_40711_Sep24_1 | Detects exploit code for the Veeam Backup & Replication RCE CVE-2024-40711 | 17.09.2024 |
| EXPL_HTKL_Exploit_Remoting_Service_Sep24_1 | Detects exploit code for Remoting Service | 17.09.2024 |
| WEBSHELL_ASPX_Ghost_Sep24_1 | Detects Ghost ASPX web shells | 17.09.2024 |
| WEBSHELL_PHP_Gen_Sep24_1 | Detects PHP web shells based on certain patterns | 17.09.2024 |
| WEBSHELL_JSP_Pattern_Sep24_1 | Detects obfuscated JSP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_JSP_Pattern_Sep24_2 | Detects obfuscated JSP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_ASP_Pattern_Sep24_1 | Detects obfuscated ASP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_ASP_Pattern_Sep24_2 | Detects obfuscated ASP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_JSP_Pattern_Sep24_3 | Detects obfuscated JSP web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_JSP_Tiny_Sep24_1 | Detects tiny JSP web shells | 17.09.2024 |
| WEBSHELL_ASP_OBFUSC_Sep24_1 | Detects obfuscated ASP web shells | 17.09.2024 |
| WEBSHELL_Tiny_Sep24_1 | Detects tiny obfuscated web shells based on certain characteristics | 17.09.2024 |
| WEBSHELL_JSP_OBFUSC_Sep24_1 | Detects obfuscated JSP web shells | 17.09.2024 |
| MAL_ShadowPad_Downloader_Sep24 | Detects a downloader seen being used by the ShadowPad APT group | 16.09.2024 |
| MAL_BruteRatel_Loader_Sep24 | Detects Brute Ratel C4 loaders | 13.09.2024 |
| PUA_Tdskiller_Sep24 | Detects TDSSKiller, a legitimate tool developed by Kaspersky to remove rootkits. It is also capable of disabling EDR software | 13.09.2024 |
| MAL_RANSOM_Beast_Sep24 | Detects Beast ransomware | 13.09.2024 |
| MAL_Sambaspy_Dropper_Sep24 | Detects the Sambaspy RAT dropper | 13.09.2024 |
| MAL_VBS_Download_Payload_Sep24 | Detects a VBS script that downloads the next-stage payload | 13.09.2024 |

Successful YARA Rules in Set

This table shows the best-performing rules, i.e. those with the lowest average AV detection rates on their matches (rules created in the last 12 months, matches of the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
| --- | --- | --- |
| MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20 |
| SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180 |
| SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14 |
| SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64 |
| SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11 |
| SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22 |
| SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45 |
| SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736 |
| SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43 |
| SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21 |
| SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21 |
| SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14 |
| SUSP_URL_Split_Jun23 | 2.5 | 18 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13 |
| PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18 |
| SUSP_JS_Redirector_Mar23 | 2.81 | 108 |
| SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274 |
| SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16 |
| SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34 |
| SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64 |
| SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17 |
| HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16 |
| SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13 |
| SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16 |
| SUSP_RANSOM_Note_Aug22 | 4.01 | 171 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67 |
| SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18 |
| SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12 |
| SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26 |
| SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31 |

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

| Rule | AVs | Hash (SHA-256) |
| --- | --- | --- |
| SUSP_OBFUSC_PowerShell_String_Split_May23 | 14 | 58d5a22ddb5cf8735c4d2084ab6c7b93f5e1516c9b5c5e084f5b91daafb83acf |
| SUSP_OBF_VMProtect_Jan24 | 13 | 6607c0647ee024f6c82cd77c1bd8f422c2fb6b3a9890c464b5fe112f4e7da85b |
| SUSP_OBFUSC_JS_Oct23_4 | 12 | ec728957d4fed8da333a6d1a5c04c9ff12110890c82c8875f51c80d92abc3ed1 |
| Generic_Strings_Hacktools | 14 | 215f8fb02036a68ea2c895d9267b454877c9cf9c6aa55fed54334bcc73aeef96 |
| SUSP_HKTL_Hacktool_Strings_Oct21_1 | 14 | 215f8fb02036a68ea2c895d9267b454877c9cf9c6aa55fed54334bcc73aeef96 |
| SUSP_MAL_QBot_Droppers_Jul22_1 | 14 | e66fa58f32b55fcbe21ced0080f60613f8c0a17e4991771915e605b1b7662135 |
| MAL_MacroPack_VBA_Template | 12 | d49bd6ae4ec4bf9a6f13c003fbfed20bfa48e06c54544781b9e3a88dc53e32e6 |
| SUSP_OBFUSC_UPX_Oct20 | 5 | e380aa26a1309c07a963b00a8851e3fb956ed28ad49119cc37d3c9a852ea4f88 |
| SUSP_Decimal_Encoded_Executable_May21_1 | 12 | d49bd6ae4ec4bf9a6f13c003fbfed20bfa48e06c54544781b9e3a88dc53e32e6 |
| SUSP_Encoded_MSDOS_Stub_RareEncoding_Mar21_1 | 12 | d49bd6ae4ec4bf9a6f13c003fbfed20bfa48e06c54544781b9e3a88dc53e32e6 |
| SUSP_OBFUSC_UPX_Oct20 | 5 | ea2371e5e8b8c54e3408724279bd7f47487aac7e96b6c0c84b2bc39abfff9d9d |
| SUSP_OBFUSC_PS1_Backtick_Jun22 | 8 | 698dd96fbfe42ed22a833a1d8fa8ad79bbb98b625a1e12a275f66518b4ed4606 |
| SUSP_MSHTA_Invocation_Dec21_2 | 8 | 698dd96fbfe42ed22a833a1d8fa8ad79bbb98b625a1e12a275f66518b4ed4606 |
| SUSP_MSHTA_Invocation_Dec21_1 | 8 | 698dd96fbfe42ed22a833a1d8fa8ad79bbb98b625a1e12a275f66518b4ed4606 |
| SUSP_PS1_OBFUSC_IEX_Pattern_Feb22_1 | 8 | 698dd96fbfe42ed22a833a1d8fa8ad79bbb98b625a1e12a275f66518b4ed4606 |
| SUSP_OBF_VMProtect_Jan24 | 14 | f4aecfe8fbb2cf91670a43439a8f888b605aa2ac70ed3d6dfd46571ab21a5e8b |
| SUSP_OBFUSC_JS_Indicators_Jul24_1 | 1 | f60c57183f1949842e5512da19dc213ecb2cda83a481385a817dfea7cbe1dbdd |
| SUSP_Bitsadmin_Transfer_Github_Jun22 | 3 | f7f1f9f2cf7bf21ec17025cadaf0082048916394409a80dd2bd9e191d28ece3a |
| SUSP_OBFUSC_JS_Indicators_Jul24_1 | 1 | fc3d820fd013bf50a795954d5c595824113a349f94f43c9bb068ceb5396ff89f |
| SUSP_OBFUSC_JS_Indicators_Jul24_1 | 2 | fda49d6a0d8f1b141d1227c0d264dcca8540e5f20aaccb0d5b9dffd84a6531de |

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (the counts overlap, as a rule can belong to several categories)

| Tag | Count |
| --- | --- |
| Malware | 6354 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5122 |
| APT | 4877 |
| Hacktools | 4545 |
| Webshells | 2333 |
| Exploits | 632 |

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

| Rule | Description | Date |
| --- | --- | --- |
| Potential Lumma Stealer PowerShell Pattern | Detects the process command line pattern of the Lumma Stealer malware family. | 21.09.2024 |
| Splinter Traffic Activity | Detects Splinter pentest tool GET requests used to retrieve data from the C2 | 20.09.2024 |
| Java JAR Execution From Potentially Suspicious Location | Detects execution of a Java application that has been packaged into a JAR from a suspicious location. | 20.09.2024 |
| Java JAR Execution With Uncommon JAR Extension | Detects execution of a Java application that has been packaged into a JAR that doesn't have a common extension. | 20.09.2024 |
| Suspicious Granting of Full Control to Everyone via Security Descriptor | Detects the usage of commands that modify security descriptors to grant full control (KA) permissions to the Everyone (WD) group. The presence of "D:(A;;KA;;;WD)" in a command line is unusual and may indicate an attempt to weaken security by allowing all users unrestricted access to critical system objects, potentially leading to privilege escalation or unauthorized system modifications. | 19.09.2024 |
| Suspicious Modification of Service Control Manager Permissions Via Sc.EXE | Detects changes to the Service Control Manager (SCManager) security descriptor that grant excessive permissions (e.g., to the Everyone group) to control system services. This behavior can indicate an attempt at local privilege escalation by allowing unauthorized users to manipulate critical services. | 19.09.2024 |
| Suspicious Veeam Backup Process Creation | Detects the execution of suspicious Veeam Backup sub-processes and PowerShell commands that are often related to exploitation | 17.09.2024 |
| Network Connection Initiated To BTunnels Domains | Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. | 13.09.2024 |
| Potential Iisreset Abuse | Detects iisreset usage to stop the IIS services and thereby prevent users from accessing the web server | 10.09.2024 |
| PowerShell Restart Windows Defender | Detects PowerShell restarting services related to Windows Defender | 10.09.2024 |
| Renamed SharpNBTScan.EXE Execution | Detects the execution of a renamed "SharpNBTScan.exe". Often used by attackers to perform scanning in the environment. | 10.09.2024 |
| Tasklist AV Software | Detects tasklist usage to detect the presence of security software | 10.09.2024 |
| Startup/Logon Script Added to Group Policy Object | Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to user or computer objects. | 06.09.2024 |
| Group Policy Abuse for Privilege Addition | Detects the first occurrence of a modification to Group Policy Object attributes to add privileges to user accounts or use them to add users as local admins. | 04.09.2024 |
| Process Deletion of Its Own Executable | Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. | 03.09.2024 |
| PowerShell Web Access Feature Enabled Via DISM | Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse | 03.09.2024 |
| PowerShell Web Access Installation - PsScript | Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse | 03.09.2024 |
| Remote Access Tool - AnyDesk Incoming Connection | Detects incoming connections to AnyDesk. This could indicate a remote attacker trying to connect to a listening instance of AnyDesk and use it as a potential command and control channel. | 02.09.2024 |
| Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image | Detects potential command line obfuscation using Unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. | 02.09.2024 |
| Suspicious Invocation of Shell via AWK - Linux | Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. | 02.09.2024 |
| Capsh Shell Invocation - Linux | Detects the use of the "capsh" utility to invoke a shell. | 02.09.2024 |
| Shell Invocation via Env Command - Linux | Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands. | 02.09.2024 |
| Shell Execution via Flock - Linux | Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Shell Execution via Find - Linux | Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempts. | 02.09.2024 |
| Shell Execution GCC - Linux | Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Shell Execution via Git - Linux | Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Shell Execution via Nice - Linux | Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Inline Python Execution - Spawn Shell Via OS System Library | Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell. | 02.09.2024 |
| Shell Execution via Rsync - Linux | Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 02.09.2024 |
| Shell Invocation Via Ssh - Linux | Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments. | 29.08.2024 |

YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
| --- | --- | --- |
| Yara | 3197 | 18267 |
| Sigma | 3334 | 518 |

Sigma Rules Per Category (Community)

| Type | Count |
| --- | --- |
| windows / process_creation | 1245 |
| windows / registry_set | 200 |
| windows / file_event | 189 |
| windows / ps_script | 166 |
| windows / security | 157 |
| linux / process_creation | 120 |
| windows / image_load | 104 |
| webserver | 78 |
| windows / system | 72 |
| macos / process_creation | 65 |
| windows / network_connection | 52 |
| proxy | 52 |
| linux / auditd | 48 |
| azure / activitylogs | 43 |
| aws / cloudtrail | 42 |
| windows / registry_event | 38 |
| azure / auditlogs | 38 |
| windows / ps_module | 33 |
| windows / application | 28 |
| azure / signinlogs | 24 |
| okta / okta | 22 |
| windows / process_access | 22 |
| windows / dns_query | 21 |
| azure / riskdetection | 19 |
| windows / pipe_created | 18 |
| opencanary / application | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| gcp / gcp.audit | 16 |
| windows / windefend | 16 |
| bitbucket / audit | 14 |
| windows / file_delete | 13 |
| github / audit | 13 |
| m365 / threat_management | 13 |
| windows / create_remote_thread | 13 |
| cisco / aaa | 12 |
| windows / codeintegrity-operational | 10 |
| windows / ps_classic_start | 10 |
| kubernetes / application / audit | 10 |
| windows / driver_load | 10 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / create_stream_hash | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| dns | 8 |
| windows / registry_delete | 7 |
| windows / bits-client | 7 |
| gcp / google_workspace.admin | 7 |
| zeek / smb_files | 7 |
| antivirus | 7 |
| azure / pim | 7 |
| windows / appxdeployment-server | 7 |
| windows / dns-client | 6 |
| windows / file_access | 6 |
| linux / network_connection | 5 |
| kubernetes / audit | 5 |
| jvm / application | 5 |
| zeek / dns | 4 |
| zeek / dce_rpc | 4 |
| windows / sysmon | 4 |
| windows / taskscheduler | 4 |
| linux / sshd | 3 |
| zeek / http | 3 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| firewall | 2 |
| windows / file_change | 2 |
| windows / security-mitigations | 2 |
| spring / application | 2 |
| m365 / audit | 2 |
| linux / syslog | 2 |
| windows / dns-server | 2 |
| macos / file_event | 2 |
| onelogin / onelogin.events | 2 |
| apache | 2 |
| qualys | 2 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| nodejs / application | 1 |
| paloalto / appliance / globalprotect | 1 |
| cisco / duo | 1 |
| windows / appxpackaging-om | 1 |
| windows / shell-core | 1 |
| python / application | 1 |
| linux / clamav | 1 |
| windows / raw_access_thread | 1 |
| windows / capi2 | 1 |
| windows / file_executable_detected | 1 |
| linux / sudo | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / microsoft-servicebus-client | 1 |
| velocity / application | 1 |
| zeek / x509 | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| sql / application | 1 |
| linux / vsftpd | 1 |
| zeek / rdp | 1 |
| windows / diagnosis-scripted | 1 |
| windows / sysmon_status | 1 |
| m365 / threat_detection | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / sysmon_error | 1 |
| zeek / kerberos | 1 |
| windows | 1 |
| windows / dns-server-analytic | 1 |
| database | 1 |
| windows / driver-framework | 1 |
| windows / printservice-operational | 1 |
| nginx | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-admin | 1 |
| cisco / bgp | 1 |
| windows / ldap | 1 |
| fortios / sslvpnd | 1 |
| netflow | 1 |
| cisco / ldp | 1 |
| cisco / syslog | 1 |
| linux / auth | 1 |
| django / application | 1 |
| windows / smbclient-connectivity | 1 |
| linux / cron | 1 |
| huawei / bgp | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| windows / process_tampering | 1 |
| paloalto / file_event / globalprotect | 1 |
| linux / guacamole | 1 |

Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
| --- | --- |
| windows / process_creation | 217 |
| windows / registry_set | 57 |
| windows / ps_script | 55 |
| windows / wmi | 29 |
| windows / file_event | 23 |
| windows / image_load | 17 |
| proxy | 12 |
| linux / process_creation | 11 |
| windows / security | 11 |
| windows / system | 7 |
| windows / network_connection | 7 |
| windows / kernel-event-tracing | 6 |
| windows / ps_module | 5 |
| windows / registry_event | 5 |
| windows / ntfs | 5 |
| windows / sense | 4 |
| windows / pipe_created | 4 |
| windows / create_remote_thread | 4 |
| windows / ps_classic_script | 3 |
| windows / vhd | 3 |
| webserver | 3 |
| windows / application-experience | 3 |
| windows / registry_delete | 3 |
| windows / hyper-v-worker | 3 |
| windows / taskscheduler | 2 |
| windows / bits-client | 2 |
| windows / driver_load | 2 |
| windows / kernel-shimengine | 2 |
| macos / process_creation | 1 |
| windows / windefend | 1 |
| windows / amsi | 1 |
| windows / process_access | 1 |
| windows / codeintegrity-operational | 1 |
| windows / application | 1 |
| windows / audit-cve | 1 |
| windows / file_access | 1 |
| windows / registry-setinformation | 1 |
| windows / dns_query | 1 |
| windows / firewall-as | 1 |
| windows / file_delete | 1 |
| windows / file_rename | 1 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html