currently serving 20952 YARA rules and 3764 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set.

| Rule | Description | Date |
|---|---|---|
| HKTL_Scan4all_Jul24 | Detects scan4all, a vulnerability scanner and brute-force hacktool | 15.07.2024 |
| HKTL_SysWhispers3WinHttp_Jul24 | Detects SysWhispers3WinHttp, a hacktool for AV/EDR evasion via direct system calls | 15.07.2024 |
| MAL_Trojan_Ladvix_Jul24 | Detects the Ladvix trojan | 14.07.2024 |
| SUSP_EXPL_MSF_Payload_Jul24 | Detects indicators of Metasploit SQL injection payloads exploiting vulnerabilities | 12.07.2024 |
| SUSP_BAT_OBFUSC_Jul24_1 | Detects indicators of obfuscation in Windows Batch files | 12.07.2024 |
| SUSP_BAT_OBFUSC_Jul24_2 | Detects indicators of obfuscation in Windows Batch files | 12.07.2024 |
| SUSP_BAT_OBFUSC_Jul24_3 | Detects indicators of obfuscation in Windows Batch files | 12.07.2024 |
| MAL_Mofongo_Loader_Jul24 | Detects the Mofongo loader, which maps and executes a payload in a hollowed msedge process | 12.07.2024 |
| MAL_APT_DodgeBox_Jul24 | Detects the DodgeBox loader, related to APT41 | 11.07.2024 |
| MAL_APT_StealthVector_Jul24 | Detects the StealthVector loader, related to APT41 | 11.07.2024 |
| APT_MAL_APT27_Rshell_Jul24_1 | Detects the RSHELL / SYSUPDATE backdoor used by APT27 | 11.07.2024 |
| SUSP_Registry_Editor_PDF_Export | Detects PDF files that were exported or saved (printed) from the Registry Editor (regedit) | 08.07.2024 |
| HKTL_Go_Reverse_SSH_Jul24 | Detects Go-based, SSH-based reverse shells | 08.07.2024 |
| HKTL_MDE_Enum_Jul24 | Detects MDE_Enum, a .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reduction (ASR) rules without admin privileges | 08.07.2024 |
| HKTL_PEEditor_Jul24 | Detects files modified using PEEditor | 08.07.2024 |
| HKTL_Loader_Havoc_Jul24_1 | Detects characteristics found in Havoc loaders | 07.07.2024 |
| SUSP_HKTL_Loader_Unknown_Jul24_1 | Detects opcodes found in an unknown loader | 07.07.2024 |
| MAL_RANSOM_LNX_Unknown_Jul24_1 | Detects unknown ransomware samples for Linux | 06.07.2024 |
| MAL_RANSOM_Go_Unknown_Jul24_1 | Detects unknown Go-based ransomware samples | 06.07.2024 |
| MAL_RANSOM_LNX_Hive_Jul24_1 | Detects Hive ransomware samples for Linux | 06.07.2024 |
| SUSP_RANSOM_LNX_Indicators_Jul24_1 | Detects indicators often found in ransomware samples for Linux | 06.07.2024 |
| PUA_HKTL_LNX_FileCrypt_Jul24 | Detects a simple file encryption / decryption tool that can be used in ransomware attacks | 06.07.2024 |
| SUSP_ELF_Loader_Indicators_Jul24 | Detects indicators found in tiny ELF loaders | 06.07.2024 |
| SUSP_PY_PyInstaller_Loader_Jul24 | Detects an unknown Python-based loader (PyInstaller) | 06.07.2024 |
| SUSP_PY_PyInstaller_Jul24_1 | Detects Linux executables that are compiled Python scripts (PyInstaller) | 06.07.2024 |
| SUSP_PS1_IEX_IWR_Combo_Jul24_1 | Detects a suspicious PowerShell command line that uses IEX and IWR | 05.07.2024 |
| SUSP_OBFUC_VBS_LitterDrifter_Jul24_1 | Detects obfuscated VBS code found in LitterDrifter | 05.07.2024 |
| HKTL_MSC_GrimResource_Indicators_Load_Jul24_1 | Detects indicators found in files that use the GrimResource infection technique | 05.07.2024 |
| HKTL_MSC_GrimResource_Indicators_Size_Jul24_1 | Detects indicators found in files that use the GrimResource infection technique (based on the size of the file) | 05.07.2024 |
| SUSP_MSC_Indicators_Jul24_1 | Detects indicators found in files that use the GrimResource infection technique (based on commands that indicate script/process execution) | 05.07.2024 |

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest average AV detection rates (rules created in the last 12 months, matches of the last 14 days).

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20 |
| SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180 |
| SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14 |
| SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64 |
| SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11 |
| SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22 |
| SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45 |
| SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736 |
| SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43 |
| SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21 |
| SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21 |
| SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14 |
| SUSP_URL_Split_Jun23 | 2.5 | 18 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13 |
| PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18 |
| SUSP_JS_Redirector_Mar23 | 2.81 | 108 |
| SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274 |
| SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16 |
| SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34 |
| SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64 |
| SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17 |
| HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16 |
| SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13 |
| SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16 |
| SUSP_RANSOM_Note_Aug22 | 4.01 | 171 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67 |
| SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18 |
| SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12 |
| SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26 |
| SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31 |

Latest YARA Matches with Low AV Detection Rate

This table lists the latest matches with low AV detection rates (between 0 and 15 AV engines matched).

| Rule | AVs | Hash (SHA-256) |
|---|---|---|
| HKTL_Invoke_ADSBackdoor | 1 | 317bb16be59b4524ceb0f6d3c9dd3275f026b0ca07dd6aa96d3621548e239f75 |
| HKTL_P0wnedShell_Strings_Jan17 | 1 | 317bb16be59b4524ceb0f6d3c9dd3275f026b0ca07dd6aa96d3621548e239f75 |
| SUSP_PowerShell_IEX_Download_Combo | 1 | 317bb16be59b4524ceb0f6d3c9dd3275f026b0ca07dd6aa96d3621548e239f75 |
| HKTL_MSF_Keywords_Jul20_1 | 1 | 317bb16be59b4524ceb0f6d3c9dd3275f026b0ca07dd6aa96d3621548e239f75 |
| Hacktool_Strings_p0wnedShell | 1 | 317bb16be59b4524ceb0f6d3c9dd3275f026b0ca07dd6aa96d3621548e239f75 |
| HKTL_PUA_SystemInformer_Nov22_1 | 2 | d31fd11f4683d39b7c3ceb43df07a9fc3e84c95b0752fe86937aa99b5ea820fe |
| APT_SoftCell_Keywords_Dec19 | 1 | ad74b182a5969d1a2e8d0637faef24f780661061373e3c8c399e83b9d7c323a1 |
| HKTL_Invoke_ADSBackdoor | 1 | 8b056cd8209cb5afdb87f59496455a880a437672c3d5e08cd4a4d9c1b5f30b67 |
| HKTL_P0wnedShell_Strings_Jan17 | 1 | 8b056cd8209cb5afdb87f59496455a880a437672c3d5e08cd4a4d9c1b5f30b67 |
| Hacktool_Strings_p0wnedShell | 1 | 8b056cd8209cb5afdb87f59496455a880a437672c3d5e08cd4a4d9c1b5f30b67 |
| HKTL_MSF_Keywords_Jul20_1 | 1 | 8b056cd8209cb5afdb87f59496455a880a437672c3d5e08cd4a4d9c1b5f30b67 |
| SUSP_PowerShell_IEX_Download_Combo | 1 | 8b056cd8209cb5afdb87f59496455a880a437672c3d5e08cd4a4d9c1b5f30b67 |
| SUSP_LNX_Github_HKTL_Projects_Jun22 | 1 | 24f12b794bb319d546c3fdb1ae4d2e0b11231d108968d48a8d5884585e3fdab8 |
| MAL_Unknown_PWDumper_Apr18_3 | 13 | 1f29a2722f5e2d865ad32172dc71a4bd323ef14552912e68b7c9fe0ee760dd82 |
| HKTL_VM_Detection_Jan24 | 7 | dcd0a914713faefec1b4c70b625f9d1546516fb7e2c5b1758b3cc7a03dd7ec8c |
| MAL_Unknown_PWDumper_Apr18_3 | 14 | 27514370a42cb8156e92bfc398180c5c5c983eb09722e353c2a8224d0f979578 |
| HKTL_Poolparty_Mar24 | 3 | a34e7344c6d1dcd85b1d340de0713271215ee4734add6532163972e3fdc68afe |
| Sofacy_Jan18_1_PE_Info_Anomaly | 3 | a34e7344c6d1dcd85b1d340de0713271215ee4734add6532163972e3fdc68afe |
| WEBSHELL_suspEval_Mar20 | 4 | 0035167bd91133fd7abf131825780c23ba98e58be107c64f4676faea61da782e |
| SUSP_EXPL_Java_Indicators_Jun22_1 | 4 | 0035167bd91133fd7abf131825780c23ba98e58be107c64f4676faea61da782e |

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can belong to several categories).

| Tag | Count |
|---|---|
| Malware | 6215 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5022 |
| APT | 4855 |
| Hacktools | 4510 |
| Webshells | 2310 |
| Exploits | 628 |

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set.

| Rule | Description | Date |
|---|---|---|
| Kubernetes Rolebinding Modification | Detects when a Kubernetes RoleBinding is created or modified. | 11.07.2024 |
| Kubernetes Secrets Modified or Deleted | Detects when Kubernetes Secrets are modified or deleted. | 11.07.2024 |
| New Network Route Added | Detects the addition of a new network route to a route table in AWS. | 11.07.2024 |
| New Network ACL Entry Added | Detects that network ACL entries have been added to a route table, which could indicate that new attack vectors have been opened up in the AWS account. | 11.07.2024 |
| Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure | Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point. | 11.07.2024 |
| Ingress/Egress Security Group Modification | Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/subnet to contact a C&C server. | 11.07.2024 |
| LoadBalancer Security Group Modification | Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration allowing more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account. | 11.07.2024 |
| Potential Malicious Usage of CloudTrail System Manager | Detects when Systems Manager successfully executes commands against an instance. | 11.07.2024 |
| RDS Database Security Group Modification | Detects changes to the security group entries for RDS databases. This can indicate a misconfiguration that potentially exposes the database to the public internet or to a wider audience within the VPC, or the removal of valid rules, which could impact the availability of the database to legitimate services and users. | 11.07.2024 |
| BitLockerTogo.EXE Execution | Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature covers the encryption of USB flash drives, SD cards, external hard disk drives and other drives formatted with the NTFS, FAT16, FAT32 or exFAT file system. This is a rarely used application, and any usage of it is worth investigating. Malware such as the Lumma stealer has been seen using this process as a target for process hollowing. | 11.07.2024 |
| Potential DLL Sideloading Of DbgModel.DLL | Detects potential DLL sideloading of "DbgModel.dll". | 11.07.2024 |
| Directory Service Restore Mode (DSRM) Registry Value Tampering | Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account that logs in in DSRM mode when the server boots to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the value is set to "2", the administrator account can always be used. | 11.07.2024 |
| Potential DLL Sideloading Of MpSvc.DLL | Detects potential DLL sideloading of "MpSvc.dll". | 11.07.2024 |
| Potential DLL Sideloading Of MsCorSvc.DLL | Detects potential DLL sideloading of "mscorsvc.dll". | 11.07.2024 |
| Multiple File Combined Via Built-In Copy Command | Detects the use of the built-in CMD "copy" command with 2 or more plus signs in order to combine the content of multiple files. | 11.07.2024 |
| Kubernetes Admission Controller Modification | Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials. | 11.07.2024 |
| Kubernetes CronJob/Job Modification | Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs that run containers executing malicious code within a cluster, allowing them to achieve persistence. | 11.07.2024 |
| Potential Domain DPAPI Backup Key Extraction | Detects potential DPAPI backup key extraction. | 10.07.2024 |
| Printing Activity Initiated Via RegEdit.EXE | Detects the creation of a file with an ".SPL" extension by the "RegEdit.exe" process, which might indicate the start of a print activity. This could be an indicator that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses. | 10.07.2024 |
| Uncommon File Created By RegEdit.EXE | Detects the creation of files with an uncommon extension by the RegEdit.EXE process. By default the "RegEdit.exe" process allows the export of keys via the GUI as either ".reg", ".txt" or "hives". By excluding known extensions, we can hunt for anomalous ones created by "RegEdit.exe", which covers cases such as a user choosing to print or save a key as a PDF file in order to extract sensitive information and potentially bypass defenses. | 10.07.2024 |
| RemoteRegistry Service Started Via Svchost | Detects the start of the "RemoteRegistry" service by looking at "svchost" process creation events. If not authorized, this action can indicate lateral movement activity in progress, as the "Remote Registry" service enables remote users to modify registry settings on a computer. Attackers can leverage this in order to manipulate certain values remotely. | 10.07.2024 |
| Potential Service ImagePath Value Tampering | Detects potential tampering with the ImagePath of some built-in and third-party services. Attackers sometimes tamper with an existing service's "ImagePath" instead of creating a new service, to avoid raising "New Service Creation" alerts and to evade defenses. This rule uses a baseline of service "ImagePath" values and triggers if there are any anomalies. | 10.07.2024 |
| Microsoft Defender For Endpoint Service Failed To Connect To The Server | Detects instances where the Microsoft Defender for Endpoint service has failed to connect to the server. This could be due to issues with internet connectivity or to an attacker blocking traffic towards Defender domains. | 09.07.2024 |
| Microsoft Defender For Endpoint Service Failed To Start | Detects instances where the Microsoft Defender for Endpoint service failed to start. Review other messages to determine the possible cause and troubleshooting steps. | 09.07.2024 |
| New Blocking Firewall Rule For Critical Service/Application Added In Windows Firewall Exception List | Detects the addition of a new "Block" firewall rule targeting critical services and application paths and binaries. An attacker can leverage PowerShell cmdlets such as "New-NetFirewallRule", or directly use WMI CIM classes such as "MSFT_NetFirewallRule", to add block rules targeting security services and applications in order to stop communication between them and their management console. | 09.07.2024 |
| Microsoft Defender For Endpoint Service Shutdown | Detects instances where the Microsoft Defender for Endpoint service has shut down. Occurs when the device is shut down or offboarded. | 09.07.2024 |
| Windows Defender Threat Detected - WDBlockFirewallRule | Triggers on instances of a Windows Defender threat of type "WDBlockFirewall". This indicates that an attacker is trying to add a blocking firewall rule in order to block communication between Windows Defender and the internet and thereby bypass defenses. | 09.07.2024 |
| Local Firewall Policy Merge Allowed Via AllowLocalPolicyMerge Registry Value | Detects the deletion of the "AllowLocalPolicyMerge" registry value or its setting to "DWORD (0x00000001)". This would allow the merging of local firewall rules with those of the group policy. This may weaken intended group policy firewall configurations. | 09.07.2024 |
| New Blocking Firewall Rule For Critical Service/Application Added In Windows Firewall Exception List - Reg | Detects the addition of a new "Block" firewall rule targeting critical services and application paths and binaries. An attacker can leverage PowerShell cmdlets such as "New-NetFirewallRule", or directly use WMI CIM classes such as "MSFT_NetFirewallRule", to add block rules targeting security services and applications in order to stop communication between them and their management console. | 09.07.2024 |
| Startup State Changed For Remote Registry Service - Registry | Detects changes to the "Remote Registry" service startup status, where the status has been changed from a "disabled" state to any other state such as "manual" or "automatic". If not authorized, this action can indicate lateral movement activity in progress, as the "Remote Registry" service enables remote users to modify registry settings on a computer. Attackers can leverage this in order to manipulate certain values remotely. | 09.07.2024 |

YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
|---|---|---|
| Yara | 2969 | 17983 |
| Sigma | 3271 | 493 |

Sigma Rules Per Category (Community)

| Type | Count |
|---|---|
| windows / process_creation | 1216 |
| windows / registry_set | 195 |
| windows / file_event | 188 |
| windows / ps_script | 164 |
| windows / security | 154 |
| linux / process_creation | 109 |
| windows / image_load | 102 |
| webserver | 78 |
| windows / system | 72 |
| macos / process_creation | 62 |
| windows / network_connection | 51 |
| proxy | 51 |
| linux / auditd | 49 |
| azure / activitylogs | 43 |
| aws / cloudtrail | 42 |
| windows / registry_event | 38 |
| azure / auditlogs | 35 |
| windows / ps_module | 33 |
| windows / application | 28 |
| azure / signinlogs | 24 |
| windows / process_access | 23 |
| okta / okta | 22 |
| windows / dns_query | 21 |
| azure / riskdetection | 19 |
| opencanary / application | 18 |
| windows / pipe_created | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| gcp / gcp.audit | 16 |
| windows / windefend | 16 |
| bitbucket / audit | 14 |
| m365 / threat_management | 13 |
| windows / create_remote_thread | 12 |
| cisco / aaa | 12 |
| windows / file_delete | 12 |
| kubernetes / application / audit | 10 |
| windows / driver_load | 10 |
| github / audit | 10 |
| windows / codeintegrity-operational | 10 |
| windows / ps_classic_start | 10 |
| windows / create_stream_hash | 9 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / msexchange-management | 8 |
| dns | 8 |
| windows / firewall-as | 8 |
| azure / pim | 7 |
| windows / appxdeployment-server | 7 |
| windows / file_access | 7 |
| windows / bits-client | 7 |
| windows / registry_delete | 7 |
| gcp / google_workspace.admin | 7 |
| zeek / smb_files | 7 |
| antivirus | 7 |
| jvm / application | 5 |
| kubernetes / audit | 5 |
| linux / network_connection | 5 |
| windows / dns-client | 5 |
| zeek / dns | 4 |
| zeek / dce_rpc | 4 |
| windows / taskscheduler | 4 |
| windows / sysmon | 4 |
| windows / ntlm | 3 |
| linux / sshd | 3 |
| zeek / http | 3 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| apache | 2 |
| macos / file_event | 2 |
| qualys | 2 |
| windows / file_change | 2 |
| spring / application | 2 |
| windows / security-mitigations | 2 |
| m365 / audit | 2 |
| linux / syslog | 2 |
| firewall | 2 |
| windows / dns-server | 2 |
| onelogin / onelogin.events | 2 |
| windows / driver-framework | 1 |
| windows / dns-server-analytic | 1 |
| nginx | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-operational | 1 |
| windows / printservice-admin | 1 |
| netflow | 1 |
| cisco / ldp | 1 |
| windows / ldap | 1 |
| fortios / sslvpnd | 1 |
| linux / auth | 1 |
| cisco / bgp | 1 |
| django / application | 1 |
| cisco / syslog | 1 |
| linux / cron | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| windows / process_creation / windows | 1 |
| windows / smbclient-connectivity | 1 |
| linux / guacamole | 1 |
| huawei / bgp | 1 |
| windows / appxpackaging-om | 1 |
| windows / process_tampering | 1 |
| nodejs / application | 1 |
| paloalto / file_event / globalprotect | 1 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| windows / shell-core | 1 |
| python / application | 1 |
| paloalto / appliance / globalprotect | 1 |
| cisco / duo | 1 |
| linux / clamav | 1 |
| windows / capi2 | 1 |
| windows / microsoft-servicebus-client | 1 |
| windows / file_executable_detected | 1 |
| windows / raw_access_thread | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| velocity / application | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| linux / sudo | 1 |
| zeek / x509 | 1 |
| windows / diagnosis-scripted | 1 |
| sql / application | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| m365 / threat_detection | 1 |
| linux / vsftpd | 1 |
| zeek / rdp | 1 |
| windows / sysmon_status | 1 |
| database | 1 |
| zeek / kerberos | 1 |
| windows | 1 |
| windows / sysmon_error | 1 |

Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
|---|---|
| windows / process_creation | 206 |
| windows / ps_script | 55 |
| windows / registry_set | 54 |
| windows / wmi | 29 |
| windows / file_event | 23 |
| windows / image_load | 16 |
| windows / security | 11 |
| proxy | 11 |
| windows / network_connection | 7 |
| windows / system | 7 |
| windows / kernel-event-tracing | 6 |
| windows / ntfs | 5 |
| windows / ps_module | 5 |
| windows / registry_event | 5 |
| windows / sense | 4 |
| windows / create_remote_thread | 4 |
| windows / pipe_created | 3 |
| linux / process_creation | 3 |
| windows / ps_classic_script | 3 |
| webserver | 3 |
| windows / vhd | 3 |
| windows / application-experience | 3 |
| windows / registry_delete | 3 |
| windows / hyper-v-worker | 3 |
| windows / kernel-shimengine | 2 |
| windows / taskscheduler | 2 |
| windows / bits-client | 2 |
| windows / driver_load | 2 |
| windows / application | 1 |
| windows / file_delete | 1 |
| windows / file_rename | 1 |
| windows / file_access | 1 |
| macos / process_creation | 1 |
| windows / codeintegrity-operational | 1 |
| windows / firewall-as | 1 |
| windows / amsi | 1 |
| windows / windefend | 1 |
| windows / process_access | 1 |
| windows / audit-cve | 1 |
| windows / dns_query | 1 |
| windows / registry-setinformation | 1 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan).
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • Only a single .yar file can be uploaded.
  • The filesystem scan has to be activated.
  • The target locations have to be defined.
  • The Nessus plugin ID is 91990.
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html