Valhalla
currently serving 9227 rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule | Description | Date
--- | --- | ---
SUSP_Administrator_Desktop_Reference | Detects a suspicious reference to the Administrator desktop in a file | 19.10.2019
SUSP_URL_Persistence_JS | Detects an .url file that points to an IP address - possible URL persistence | 19.10.2019
MAL_ME_Unknown_NET_Oct19_1 | Detects unknown .NET malware | 19.10.2019
MAL_ME_Unknown_NET_Oct19_2 | Detects unknown .NET malware | 19.10.2019
EXPL_PulseSecureSSLVPN_CVE_2019_11510 | Detects exploit code for or exploitation attempts against the Pulse Secure SSL VPN vulnerability (CVSS score 10) | 17.10.2019
APT_APT29_Ghost_Dukes_Oct19_1 | Detects APT29 malware | 17.10.2019
APT_APT29_RegDuke_Oct19_1 | Detects RegDuke malware | 17.10.2019
APT_APT29_RegDuke_Oct19_2 | Detects RegDuke malware | 17.10.2019
APT_APT29_FatDuke_Oct19_1 | Detects FatDuke malware | 17.10.2019
APT_APT29_LiteDuke_Oct19_1 | Detects LiteDuke malware | 17.10.2019
SUSP_Protected_by_NET_Reactor | Detects a suspicious .NET executable protected by .NET Reactor | 17.10.2019
APT_Kimsuky_Malware_Oct19_1 | Detects Kimsuky malware | 17.10.2019
SUSP_Rundll32_Ordinal | Detects a suspicious rundll32 invocation by ordinal | 17.10.2019
SUSP_MSF_Keyword_File_Oct19_1 | Detects a Metasploit filename reference in a file | 17.10.2019
SUSP_PlusSign_VBS_Excel_Obfuscation | Detects a method that splits strings using plus signs | 17.10.2019
SUSP_PlusSign_WScript_Obfuscation | Detects a method that splits strings using plus signs | 17.10.2019
MAL_Unknown_Keyword_Combo_Oct19_1 | Detects malware that has characteristics of PolyglotDuke | 17.10.2019
MAL_Unknown_UA_Combo_Oct19_1 | Detects a suspicious User-Agent combination as found in malware like APT29's FatDuke | 17.10.2019
MAL_ME_VBS_Malware_Obfuscation_Oct19_1 | Detects an unknown VBS malware dropper | 17.10.2019
EXPL_Solaris_11_XScreenSaver | Detects exploit code for the Solaris XScreenSaver vulnerability | 16.10.2019
SUSP_Deadbeef_Info | Detects a suspicious keyword in a file | 16.10.2019
MAL_BlackRemote_BlackRAT_Oct19_1 | Detects BlackRAT malware | 16.10.2019
MAL_TA505_Malware_Oct19_1 | Detects TA505-related malware | 16.10.2019
MAL_TA505_Malware_Oct19_2 | Detects TA505-related malware | 16.10.2019
MAL_TA505_Malware_Oct19_3 | Detects TA505-related malware | 16.10.2019
CRIME_CobaltGang_Malware_Oct19_1 | Detects CobaltGang malware | 16.10.2019
MAL_Xmrig_CoinMiner_Malware | Detects XMRIG coin miner malware | 16.10.2019
EXPL_Sudo_PrivEsc_CVE_2019_14287 | Detects a sudo privilege escalation attack exploiting CVE-2019-14287 | 15.10.2019
APT_Lazarus_Malware_Oct19_2 | Detects Lazarus malware | 15.10.2019
APT_APT28_Zebrocy_Oct19_1 | Detects APT28 Zebrocy malware | 15.10.2019
APT_CN_Mirage_Malware_Oct19_1 | Detects Mirage malware | 15.10.2019
SUSP_Responder_Error_Page_404 | Detects the 404 error page created by Responder, using its hard-coded timestamp | 15.10.2019
SUSP_LOL_Packer | Detects a suspicious LOL packer | 15.10.2019
SUSP_UserAgent_Mozilla_4 | Detects a suspicious old user agent embedded in an executable | 15.10.2019
MAL_NyaDrop_IoT_Malware | Detects NyaDrop IoT malware | 15.10.2019
APT_NK_OpRedSalt_Malware_Oct19_3 | Detects Operation Red Salt related malware | 14.10.2019
APT_NK_OpRedSalt_Malware_Oct19_2 | Detects Operation Red Salt related malware | 14.10.2019
APT_NK_OpRedSalt_Malware_Oct19_1 | Detects Operation Red Salt related malware | 14.10.2019
APT_Winnti_NET_Injector_Oct19_1 | Detects a Winnti .NET injector | 14.10.2019
APT_Winnti_VBS_Injector_Oct19_1 | Detects a Winnti VBS injector | 14.10.2019

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those whose matches have the lowest average AV detection rate (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
--- | --- | ---
HKTL_ladpdomaindump_bloodhound | 0.0 | 12
SUSP_CompileAfterDelivery_T1500 | 0.0 | 14
Casing_Anomaly_ExecuteRequest | 0.05 | 19
SUSP_PS_Base64_CWB_String | 0.15 | 13
SUSP_Scheduled_Task_AppData_Folder | 0.17 | 12
SUSP_Netsh_PortProxy_Command | 1.94 | 114
APT_WebShell_Tiny_1 | 2.55 | 22
SUSP_Base64_Encoded_Hex_Encoded_Code | 2.98 | 126
MAL_VBS_ME_May19_1 | 3.25 | 12
SUSP_Scriptlet_Keyword_Combo_Sep19 | 3.4 | 15
HKTL_SilentTrinity_PS1_Posh_Stager | 3.46 | 13
SUSP_Embedded_Decoy_Doc_Sep19 | 3.99 | 70
SUSP_RevShell_CmdLine_Code | 4.0 | 13
SUSP_Hex_Encoded_WScript_Shell | 4.84 | 19
SUSP_PHP_Obfuscation_GZ_Base64 | 5.45 | 11
SUSP_LNX_Base64_Decode_CommandLine | 5.46 | 103
SUSP_SwearWord_in_Code | 5.81 | 120
MAL_NET_MeterPreter_Payload_1 | 7.36 | 440
SUSP_Base64_Encoded_E_IEX | 7.38 | 48
PUA_APT_Chafer_xCmdSvc_Jan19_1 | 7.6 | 15
SUSP_OfficeDoc_DropperStrings_Dec18_1 | 8.24 | 29
MAL_Predator_JS_Dropper | 8.3 | 53
SUSP_Nishang_Script_Keyword | 8.55 | 33
SUSP_PS2EXE_PowerShell2Exe_2 | 8.55 | 64
SUSP_Env_Var_Obfuscation | 8.87 | 15
HKTL_SilentTrinity_Wmic_XLS_Stager | 8.92 | 24
MAL_macOS_PY_Agent_Jul19_1 | 9.0 | 54
SUSP_RTF_HexEncodedLibImports_Aug19 | 9.39 | 18
SUSP_AMSI_ByPass_Strings | 9.97 | 31
MAL_TA505_Campaign_Oct19_4 | 10.36 | 89

Latest Matches with Low AV Detection Rate

This table lists the latest matches with low AV detection rates (between 0 and 15 AV engines detected the sample); the same hash appears more than once when one sample matched several rules

Rule | AVs | Hash (SHA256)
--- | --- | ---
PEFILE_Header_but_no_DOS_Header | 9 | e19090e9a679ba4ff5239cd0039baa29206b65f2ff4a5c201adc0277842b12eb
SUSP_ConfuserEx_Obfuscated_Gen | 2 | 170a0cd8359f2d977402aba7373744d0243059ce14c3482aa4224802aaf8ac9a
SUSP_VBA_AutoOpen_AppData_Combo | 14 | 31ba4682a4173e6058fdcb02885e305e97edb157ebcf18a8fd69e4ead1c0f316
SUSP_UPX_Autoit_Combo | 2 | a746ad93b5ba379e8d918a4968c7a1e77a2fc6d2e6c6b1d8e87f7cc840245223
SUSP_AutoIt_CompScript_NET_Combo | 2 | 58aade102002058be1af41c5f2a016e30eef4320df370b0f2e64f14a55750dab
SUSP_AutoIt_Indicators_Feb19_4 | 2 | 58aade102002058be1af41c5f2a016e30eef4320df370b0f2e64f14a55750dab
SUSP_VBA_AutoOpen_AppData_Combo | 10 | bf1e832d6610023323cf085ada6d65bdec9815462248af46478685cc795f80a0
MAL_Loaderx86_Feb18_1 | 11 | 1b29f49c15687c8b2cab69955613b51dfa4713d0a795a9d69dbf5666caf299ea
SUSP_VBA_AutoOpen_AppData_Combo | 7 | 5d894180130ba2398c5441a5f2c85272e20a5091cc830712f48e6e0f67f05490
Embedded_PE_File | 3 | 49f91036d289da7d9d00055f460c13edb68634c087678983e1f0eee8cbb4d581
SUSP_Base64_Encoded_UserAgent_String | 9 | 023eb9078b47cd01760ac13c7b16564ec9f3c07101b57354f5158348abf299c1
Embedded_PE_File | 11 | 5dd27bde9a21c34c1c9f5368b10991a6791f5b93f24d180ed97563ad1666aed0
Embedded_PE_File | 7 | 7273b994d6437a0f89ae7f580945b95f1759c391801c5ddf45aa83e679058a92
MAL_AutoIt_Malware_Indicator_1 | 8 | 7b256ac034afa2743625ca45e4a939f5b75870bf266e21e7395565d6b70f27c0
SUSP_AutoIt_Malware_Indicator_1 | 8 | 7b256ac034afa2743625ca45e4a939f5b75870bf266e21e7395565d6b70f27c0
SUSP_AutoIt_Indicators_Feb19_4 | 8 | 7b256ac034afa2743625ca45e4a939f5b75870bf266e21e7395565d6b70f27c0
SUSP_Base64_Encoded_UserAgent_String | 2 | be2d7e0bc1cf6c9367c83e6d0904930e3ef92051ea6eeb8cfe81a91e46b25299
SUSP_Base64_UserAgent_Definition | 2 | be2d7e0bc1cf6c9367c83e6d0904930e3ef92051ea6eeb8cfe81a91e46b25299
SUSP_ExploitTool_Keywords_Mar19_1 | 2 | be2d7e0bc1cf6c9367c83e6d0904930e3ef92051ea6eeb8cfe81a91e46b25299
SUSP_CredStore_GUID_UnsignedBinary | 9 | 42e8e163f599d27cb340a17f738657c78073f778854ec941ebae6104c5f33d84

Top Tags in YARA Rule Set

This list shows the most frequently used tags in our database; the tags define the subscribable categories

Tag | Count
--- | ---
FILE | 6130
EXE | 4408
MAL | 2638
APT | 2617
DEMO | 2438
HKTL | 2312
T1100 | 1800
WEBSHELL | 1778
SUSP | 1199
CHINA | 1005
SCRIPT | 635
RUSSIA | 397
MIDDLE_EAST | 338
T1086 | 335
T1064 | 308
GEN | 301
T1027 | 294
T1003 | 267
T1203 | 242
T1193 | 242
T1075 | 191
T1132 | 152
T1085 | 146
OBFUS | 145
EXPLOIT | 144
LINUX | 139
T1178 | 135
T1097 | 135
T1050 | 109
METASPLOIT | 107

Tenable Nessus

Requirement: Privileged Scan

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html