New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule

Description

Date

Ref

HKTL_Octopus_Payload_HTA_JS

Detects Octopus agent payloads

24.01.2020

HKTL_Octopus_Payload_PS1

Detects Octopus agent payloads

24.01.2020

APT_MAL_KasperAgent_Jan20_1

Detects KasperAgent samples

24.01.2020

MAL_macOS_Darthminer

Detects macOS Darthminer malware

23.01.2020

HKTL_CobaltStrike_PS1_Jan20_1

Detects CobaltStrike PowerShell Dropper

23.01.2020

HKTL_ETW_False_Trigger_Injector

Detects a tool that falsly triggers ETW

23.01.2020

WEBSHELL_PHP_ME_Jan20_1

Detects Webshell used in Middle Eastern campaigns

22.01.2020

WEBSHELL_Obfuscator_PHP_OverflowZone

Detects OverflowZone PHP Obfuscator

22.01.2020

MAL_AVKiller_Jan20_1

Detects a malware sample referenced as AVKiller

22.01.2020

HKTL_PUA_Secure_Socket_Funneling

Detects Secure Socket Funneling - Network tool and toolkit

22.01.2020

HKTL_PUA_Secure_Socket_Funneling_UPX

Detects MuddyWater samples - from files upx-ssf, upx-ssf.exe

22.01.2020

APT_MuddWater_Helper_Jan20_1

Detects MuddyWater samples

22.01.2020

APT_CN_Tick_Group_MZ_Header_Mod_Jan20_1

Detects MZ modification as applied by Chinese Tick threat actor

22.01.2020

APT_CN_Tick_Group_ABK_Downloader_Jan20_1

Detects malware used by Chinese Tick threat actor

22.01.2020

APT_CN_Tick_Group_Avirra_Downloader_Jan20_1

Detects malware used by Chinese Tick threat actor

22.01.2020

APT_CN_Conime_PlugX_Jan20_1

Detects malware used by Chinese Conime threat actor

22.01.2020

APT_CN_Temp_Trident_Jan20_1

Detects malware used by Chinese Temp.Trident threat actor

22.01.2020

APT_CN_Bisonal_Malware_Jan20_1

Detects malware used by Chinese threat actors

22.01.2020

APT_MuddyWater_MalDoc_Jan20_1

Detects samples noticed in MuddyWater campaign

21.01.2020

MAL_Strictor_Jan20_1

Detects Strictor Windows Trojan

21.01.2020

SUSP_MalDoc_Indicators_Jan20_1

Detects samples that look the weaponized Office documents

21.01.2020

APT_RoyalRoad_8_T_Header_Pattern

Detects file with RoyalRoad encrypted payload magic header found in 8.t files

21.01.2020

APT_RoyalRoad_RTF_Hex_Pattern_1

Detects RoyalRoad hex encoded payload pattern

21.01.2020

APT_RoyalRoad_RTF_Hex_Pattern_2

Detects RoyalRoad hex encoded payload pattern

21.01.2020

WEBSHELL_JSP_MuddyWater_Jan20_1

Detects samples noticed in MuddyWater campaign

20.01.2020

SUSP_CMD_Obfuscation_Jan20

Detects suspicious technique to obfuscation cmd.exe

20.01.2020

SUSP_Obfusc_JS_MuddyWater_Jan20_1

Detects obfuscation used by MuddyWater in a campaign

20.01.2020

APT_MAL_Helper_PS1_MuddyWater_Jan20_1

Detects samples noticed in MuddyWater campaign

20.01.2020

APT_MAL_Helper_PS1_MuddyWater_Jan20_2

Detects samples noticed in MuddyWater campaign

20.01.2020

MAL_Camp_CS_Jan20_1

Detects samples found in a CobaltStrike / Ursnif campaign

18.01.2020

MAL_Camp_CS_Jan20_2

Detects samples found in a CobaltStrike / Ursnif campaign

18.01.2020

MAL_Camp_CS_Jan20_3

Detects samples found in a CobaltStrike / Ursnif campaign

18.01.2020

SUSP_JS_Obfusc_JSFuck_Jan20_1

Detects Javascript obfuscation technique JSFuck using a set of special characters

18.01.2020

MAL_Unknown_Camp_DE_Jan20_1

Detects malware from campaign noticed in January 2020

17.01.2020

MAL_Unknown_Camp_DE_Jan20_2

Detects malware dropped in campaign noticed in January 2020

17.01.2020

MAL_JhoneRAT_PY_EXE_Jan20_1

Detects malware and dropped components of JhoneRAT

17.01.2020

MAL_Unknown_Packer_Jan20_1

Detects unknown malware packer

17.01.2020

MAL_JhoneRAT_JPEG_Embedded_EXE_Jan20_1

Detects malware and dropped components of JhoneRAT

17.01.2020

MAL_JhoneRAT_Temp_File

Detects sample dropped components of JhoneRAT - file temp1.tmp

17.01.2020

SUSP_Payload_Indicator_OleObject_Jan20_1

Detects suspicious code sequence found in many different malicious dropper documents with embedded payloads

17.01.2020

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule

Average AV Detection Rate

Sample Count

EXPL_Shitrix_Exploit_Code_Jan20_1

0.06

HKTL_Meterpreter_InMemory_Rule

0.1

109

HKTL_Empire_Win_CSharp_Dec19_1

0.42

HKTL_Meterpreter_JS

1.94

HKTL_Metasploit_Indicators

2.4

SUSP_JS_Obfusc_JSFuck_Jan20_1

2.54

MAL_Obfuscated_PS1_Code_Feb19_1

3.0

SUSP_EXPL_ExternalTemplate_Generic

3.19

SUSP_Doc_StartMenu_Startup_Reference

4.74

MAL_NET_MeterPreter_Payload_1

4.81

SUSP_JS_WindowChange_Dec19

5.6

SUSP_PS2EXE_PowerShell2Exe_2

6.85

HKTL_BeefXSSFramework_Dec19

7.72

SUSP_Obfuscation_ChrW_Feb19_1

8.42

SUSP_Embedded_Decoy_Doc_Sep19

8.44

SUSP_ShellCode_Variable

9.1

HKTL_DarkArmor_Imp_Jan20_1

9.19

SUSP_Encoded_IEX_2

9.69

HKTL_Koadic_Strings_Gen

9.81

HKTL_Veil_PS1_Nov19_1

10.38

SUSP_Encoded_StartSleep

10.65

SUSP_JS_ChrW_Obfuscation

11.26

SUSP_OfficeDoc_Kernel32_Imports

11.57

MAL_macOS_PY_Agent_Jul19_1

11.71

Casing_Anomaly_WindowStyle_Hidden

11.73

222

SUSP_Encoded_Pastebin_URL

12.14

343

SUSP_JS_Window_MoveTo_NegativeValue

12.29

SUSP_CryptoObfuscator

12.73

SUSP_Encoded_VBE

12.86

SUSP_XORed_MSDOS_Stub_Message

13.0

3198

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule

AVs

Hash

MAL_AutoIt_Malware_Indicator_1

f8bf4400d8c5966482a27c5c533864aba38f68f1186d4ef39532fa2901397679

SUSP_AutoIt_CompScript_NET_Combo

f8bf4400d8c5966482a27c5c533864aba38f68f1186d4ef39532fa2901397679

SUSP_AutoIt_Malware_Indicator_1

f8bf4400d8c5966482a27c5c533864aba38f68f1186d4ef39532fa2901397679

MAL_AutoIt_Malware_Indicator_1

afa43f1743e0d8f9eca57a24dcf71d527b3f915995b713b592770c0048c62d86

PrivEsc_PowerLine

11abc942cf0244069f0ff1f17eb5fe14d63edd3cb320f8df60cda3b4454c2ef9

SUSP_VMProtect_File

6f7f5629281fa4c026a3ab473c49cd0afee3ae411f6fb0faffda5c02dca3602b

SUSP_ELF_LNX_UPX_Compressed_File

6852f45f36651f3fd0f332d49a7005203200ef0c74b7c5066d946b589d073f55

SUSP_LNK_File_Jul19_1

7f2cd7c648943dc088ad273e5c1e3b31aac3868a14c126fe651816a4543662c1

SUSP_ELF_LNX_UPX_Compressed_File

c90753bcdc6c23cc06ca6dc304d60f112532824361990087dac527a8ea5a4425

SUSP_OfficeDoc_DropperStrings_Dec18_1

bcc02c8470d23b0b9cd663e05ff098c9db88b4baad4812222301f71e777abf51

SUSP_OfficeDic_Macro_Strings_Gen_Jan19_1

bcc02c8470d23b0b9cd663e05ff098c9db88b4baad4812222301f71e777abf51

SUSP_OfficeDoc_Macro_Indicator_Jun19_1

bcc02c8470d23b0b9cd663e05ff098c9db88b4baad4812222301f71e777abf51

SUSP_OfficeDoc_Macro_Indicator_SubAutoOpen_Jun19_2

0dc075215a29249772e9b91b0d1968511c5802caf7e9b0ef0741c554dd51aa83

SUSP_TTP_VBFrame_EXECUTION

0dc075215a29249772e9b91b0d1968511c5802caf7e9b0ef0741c554dd51aa83

SUSP_OfficeDoc_Macro_Indicator_Jun19_1

0dc075215a29249772e9b91b0d1968511c5802caf7e9b0ef0741c554dd51aa83

SUSP_Compromised_Cert_LuckyMouse

392c45f93294217720b59a5eee24970bc161077bbc3dab0255e3b6462e249e24

SUSP_Double_Base64_Encoded_Executable

13e7554a2a433e909ede37c487f56ef496c36a30cfc4cec2441ebb17e5f33d22

SUSP_ConfuserEx_Obfuscated_Gen

af53e14185aa56858d4635fcefa117c84b54a8b23723fd7ce38314720570037a

SUSP_ConfuserEx_Obfuscated_Gen

442e36276925faf5eea5c9e1cd3159dbc5ce07a044d17b285b801f3b57130a9e

SUSP_JS_Obfuscation_Sep19_1

dd4bcc6d20a2574438148933de61b19499e81cfe6a37b70b577ea143c8718bf4

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

Tag

Count

FILE

6504

EXE

4667

APT

2788

MAL

2735

HKTL

2493

DEMO

2446

T1100

1839

WEBSHELL

1811

SUSP

1326

CHINA

1025

SCRIPT

663

RUSSIA

408

T1086

364

MIDDLE_EAST

350

T1027

323

T1064

313

GEN

307

T1003

272

T1193

253

T1203

253

T1075

205

OBFUS

165

T1132

162

EXPLOIT

161

T1085

154

LINUX

146

T1178

134

T1097

134

METASPLOIT

112

T1053

111

Tenable Nessus

Requirement: Privileged Scan

YARA Scanning with Nessus works only when scanning with credentials (privileged scan)

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

You can only upload a single .yar file
Filesystem scan has to be activated
You have to define the target locations
The Nessus plugin ID will be 91990
Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html