currently serving 13172 YARA rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule | Description | Date
HKTL_ShellCode_Loader_Jun21_1 | Detects XOR encrypted shellcode loader | 14.06.2021
MAL_Stealer_Jun21_1 | Detects unknown stealer | 14.06.2021
APT_MAL_LNX_Turian_Jun21_1 | Detects Linux Turian backdoor mentioned in BackdoorDiplomacy report | 14.06.2021
APT_MAL_LNX_Turian_Jun21_2 | Detects Linux Turian backdoor mentioned in BackdoorDiplomacy report | 14.06.2021
APT_MAL_ME_Backdoor_Jun21_1 | Detects malware used by a Middle Eastern threat group | 14.06.2021
SUSP_PY_Download_FD_Combo_Jun21_1 | Detects suspicious Python script with combo of suspicious features/functions | 14.06.2021
Casing_Anomaly_CurrentVersion_RUN | Detects suspicious casing in Registry RUN key value | 14.06.2021
HKTL_BadPotato_Jun21_1 | Detects BadPotato .NET version | 11.06.2021
HKTL_PingCastle_Jun21_1 | Detects all different variants of PingCastle or similar tools | 11.06.2021
HKTL_RDPWrap_Jun21_1 | Detects RDPWrap hacktool | 10.06.2021
APT_MAL_NK_Lazarus_Jun21_1 | Detects Lazarus malware used in a campaign in June 2021 - file 3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83 | 10.06.2021
APT_MalDoc_NK_Lazarus_Jun21_1 | Detects Lazarus malware used in a campaign in June 2021 | 10.06.2021
SUSP_WIN_Exploit_Keywords_Jun21_1 | Detects strings often found in exploit codes for the Windows platform | 10.06.2021
LOG_HKTL_PowerShell_Keywords_Jun21_1 | Detects keywords found in PowerShell logs during intrusions using CobaltStrike | 10.06.2021
LOG_SUSP_PowerShell_Keywords_Jun21_1 | Detects suspicious keywords found in PowerShell logs | 10.06.2021
LOG_SUSP_PowerShell_Keywords_Jun21_2 | Detects suspicious keywords found in PowerShell logs | 10.06.2021
LOG_CobaltStrike_NamedPipe_Names_Jun21_3 | Detects suspicious | 10.06.2021
LOG_SUSP_CobaltStrike_NamedPipe_Pattern_Low_Conf_Jun21_1 | Detects suspicious NamedPipe names as found in Sysmon logs when certain CobaltStrike actions are performed | 10.06.2021
LOG_SUSP_CobaltStrike_ServiceInstall_Binary_Pattern_Jun21_1 | Detects suspicious UNC paths as used in CobaltStrike attacks | 10.06.2021
EXPL_WIN_DWM_CVE_2021_33739_Jun21_1 | Detects exploit codes for DWM privilege escalation vulnerability CVE-2021-33739 | 10.06.2021
HKTL_PY_BabyShark_Agent_Jun21_1 | Detects a suspicious pipe redirect from a tmp folder file | 09.06.2021
APT_MAL_PuzzleMaker_Jun21_1 | Detects PuzzleMaker malware | 09.06.2021
APT_MAL_PuzzleMaker_Dropper_Jun21_1 | Detects PuzzleMaker malware dropper | 09.06.2021
APT_MAL_PuzzleMaker_RemoteShell_Jun21_1 | Detects PuzzleMaker malware remote shell | 09.06.2021
SUSP_Pipe_Redirect_From_Temp_Jun21_1 | Detects a suspicious pipe redirect from a tmp folder file | 09.06.2021
SUSP_LNX_RevShell_Payloads_Jun21_1 | Detects reverse shell code as used in Linux hack tools or payloads | 09.06.2021
SUSP_PS1_IEX_IWR_Downloads_Jun21_1 | Detects suspicious IEX IWR combos | 09.06.2021
SUSP_Encoded_PS1_ASCII_GetBytes_Jun21_1 | Detects suspicious base64 encoded ASCII GetBytes combo | 09.06.2021
SUSP_Export_RHOST_RPORT_Jun21_1 | Detects suspicious RHOST and RPORT variables exported in a file | 09.06.2021
SUSP_PS1_Param_Combo_Jun21_1 | Detects suspicious PowerShell parameter combos | 09.06.2021
SUSP_LNX_RevShell_Tiny_Jun21_1 | Detects tiny Linux reverse shells | 09.06.2021
SUSP_LNX_RevShell_Tiny_Telnet_Jun21_1 | Detects tiny Linux reverse shells using telnet | 09.06.2021
SUSP_LNX_Small_UPX_File_Jun21 | Detects suspicious small UPX packed Linux binary | 09.06.2021
HKTL_LNX_ProcessHider_Characteristics_Jun21_1 | Detects ProcessHider samples | 08.06.2021
SUSP_Exchange_Suspicious_TransportAgent_Jun21_1 | Detects non-default assemblyPath in TransportAgent configuration pointing to folders other than C:\\Program | 08.06.2021
SUSP_WIN_ProcessHider_Characteristics_Jun21_1 | Detects characteristics of ProcessHider samples | 08.06.2021
SUSP_LNX_Malware_Characteristics_Jun21_1 | Detects ProcessHider samples | 08.06.2021
LOG_SUSP_TransportAgent_Installation_Jun21_1 | Detects a TransportAgent installation from suspicious folders | 08.06.2021
HKTL_RDPThiefInject_Jun21_1 | Detects RDPThiefInject hacktool | 07.06.2021
HKTL_Base64_Encoded_Donut_Shellcode_Jun21_1 | Detects Base64 encoded Donut shellcodes | 07.06.2021

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)


Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash
SUSP_JS_WindowChange_Dec19 | 1 | 99e115026d69fc279949439a9d7233b01089dab2e30a520a751cc9ec9cf6b8a2
SUSP_Enigma_Protector | 4 | 178656c2b5e38c3a92a0b6a6b8adf33536716ae4d6b750dcde1b7512511da200
SUSP_Enigma_Protector | 3 | 8e3a4c430a6d7ca36c5690f104db83c5ba23d0b7f1f6b8a0e29bcc349fa987b9
SUSP_Enigma_Protector | 3 | df3510f0afafe50d29ece8ebd9879090fab97f9534099e7000244cd1c300a18d
SUSP_Enigma_Protector | 3 | 6eff47cbdf5fcb9746454773a6d78d1752ddd2f196026eb25a94f68e9aa5f7e9
SUSP_JS_Obfuscaton_Feb20_1 | 8 | 97e5bd165cc76e7021d521419f659ac217f58e17580b48f25fbc5d45f7f881f9
SUSP_JS_OBFUSC_Obfuscated_JavaScript_May21_2 | 1 | c27c04714203549d361b5caba5c367f214fedc4898919ffef5b85743765784bd
SUSP_JS_OBFUSC_Obfuscated_JavaScript_May21_3 | 1 | c27c04714203549d361b5caba5c367f214fedc4898919ffef5b85743765784bd
SUSP_Enigma_Protector | 3 | 76b0ea94cc75095212aae564c027ecdf1129fa7344a635e39b05b76d366b1b96
SUSP_PS1_Cmdlet_Defender_Exclusion_Apr21_1 | 13 | 7f5082d718ddeeea1d7f50e2a736ae478357b119715f7abba4cdf8a873d81c97
SUSP_Enigma_Protector | 4 | 019e3021e2910a69d520b195788af3e7b14d0753feddb21b50fb4957897981c1
WebClient_Keyword_Casing_Anomaly | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de
Casing_Anomaly_SystemNetWebClient | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de
Casing_Anomaly_NewObject | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de
Casing_Anomaly_CMD_C | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de
Casing_Anomaly_NoProfile | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de
Powershell_Suspicious_Strings | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de
Casing_Anomaly_ByPass | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de
Casing_Anomaly_Windowstyle | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de
NetWebClient_Casing_Anomaly | 14 | 7e7c0bc6d038674c13f8b3c5476dd391a38d27a0b7c429aa0a846667b6cee6de

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag | Count
APT | 3720
Malware | 3131
Hacktools | 3052
Threat Hunting | 2183
Webshells | 2026
Exploits | 277

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html