currently serving 21380 YARA rules and 3841 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Date | Description
HKTL_Sccmhttplooter_Sep24 | 09.09.2024 | Detects sccm-http-looter, a hacktool to find interesting files stored on (System Center) Configuration Manager (SCCM/CM) shares via HTTP(S)
SUSP_OBFUSC_PY_Oxyry_Sep24 | 09.09.2024 | Detects Python code obfuscated using Oxyry
SUSP_PY_Stealer_Characteristics_Sep24 | 09.09.2024 | Detects characteristics found in compiled Python scripts that steal browser secrets
HKTL_SCCMSecrets_Sep24 | 09.09.2024 | Detects SCCMSecrets, a hacktool that exploits SCCM policy distribution for credential harvesting, initial access and lateral movement
HKTL_Goffloader_Sep24 | 09.09.2024 | Detects goffloader, a Go implementation of Cobalt Strike style BOF/COFF loaders
HKTL_TrueSightKiller_Sep24 | 06.09.2024 | Detects TrueSightKiller, a C++ AV/EDR killer. Its driver can be loaded on Windows 23H2 with HVCI enabled, the LOLDrivers blocklist applied, or WDAC enabled: HVCI is designed to ensure the integrity of code executed in the kernel, but it cannot protect against all possible vulnerabilities or actions that can be performed through drivers or system interfaces
MAL_CXCLNT_Loader_Sep24 | 05.09.2024 | Detects the CXCLNT loader. CXCLNT has basic file upload and download capabilities, along with features for clearing traces, collecting victim information such as file listings and computer names, and downloading additional portable executable (PE) files for execution
MAL_Loader_Sep24 | 05.09.2024 | Detects a loader related to TIDRONE, an unidentified threat actor
MAL_Toneshell_Backdoor_Sep24 | 04.09.2024 | Detects the ToneShell backdoor
MAL_Babylon_RAT_Sep24 | 04.09.2024 | Detects Babylon RAT
MAL_JoJoLoader_Sep24 | 03.09.2024 | Detects JoJoLoader, a tool that helps red team members generate AV-evasive trojans
MAL_RANSOM_LNX_BlackSuit_Sep24_1 | 03.09.2024 | Detects BlackSuit ransomware samples
MAL_RANSOM_WIN_BlackSuit_Sep24_1 | 03.09.2024 | Detects BlackSuit ransomware samples
SUSP_RANSOM_Indicators_Sep24_1 | 03.09.2024 | Detects suspicious commands often found in ransomware samples
SUSP_LNX_Indicators_Sep24_1 | 03.09.2024 | Detects suspicious commands often found in malware samples for Linux
MAL_RANSOM_Cicada3301_Sep24 | 03.09.2024 | Detects Cicada3301 ransomware
MAL_Bat_Sep24 | 02.09.2024 | Detects a .bat file that downloads further payloads, gathers files of interest and target application files, and uploads the data via curl over FTP/SFTP
MAL_PYC_Chrome_Stealer_Sep24 | 02.09.2024 | Detects a compiled Python script that steals Chrome data
MAL_PYC_Keylogger_Sep24 | 02.09.2024 | Detects a compiled Python script that logs keystrokes
MAL_PYC_Clipboard_Stealer_Sep24 | 02.09.2024 | Detects a compiled Python script that steals data from the clipboard
APT_APT42_Blacksmith_Aug24 | 29.08.2024 | Detects a DLL used by TA453 (aka APT42) by its export name
WEBSHELL_JAVA_VersaMem_JAR_Aug24_2 | 29.08.2024 | Detects VersaMem Java webshell samples (as used by Volt Typhoon)
MAL_Qwerty_Stealer_Indexer_Aug24 | 28.08.2024 | Detects the indexer that indexes all the files seen by the Qwerty stealer
MAL_Qwerty_Stealer_Uploader_Aug24 | 28.08.2024 | Detects the uploader that uploads the files stolen by the Qwerty stealer
MAL_Nikmok_Downloader_Aug24 | 28.08.2024 | Detects the Nikmok downloader
MAL_Qwerty_Stealer_Aug24 | 27.08.2024 | Detects the Qwerty stealer
MAL_MacOS_HZRat_Backdoor_Aug24 | 27.08.2024 | Detects the HZRAT backdoor, which targets users of popular messaging platforms such as WeChat and DingTalk and is designed to steal sensitive data, monitor user activity, and potentially gain control of infected systems
WEBSHELL_JAVA_VersaMem_JAR_Aug24_1 | 27.08.2024 | Detects VersaMem Java webshell samples (as used by Volt Typhoon)
HKTL_VeilTransfer_AUg24_1 | 27.08.2024 | Detects VeilTransfer, a data exfiltration utility designed to test and enhance detection capabilities
MAL_LNX_Unknown_Aug24_1 | 27.08.2024 | Detects an unknown Linux malware

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those whose matched samples have the lowest average AV detection rate (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the latest matches with a low AV detection rate (the sample was flagged by 0 to 15 AV engines)

Rule | AVs | Hash (SHA-256)
SUSP_OBF_VMProtect_Jan24 | 12 | a7a3bbd2060c183fc91b3c2ff1a0d99f2f3e5b266a045104e31435a543e359c2
SUSP_OBF_VMProtect_Jan24 | 11 | c39058317e99ac6aa792064edc1bdee7eb2d5a694769bb7a92bc425fe5b897f3
SUSP_OBF_VMProtect_Jan24 | 6 | c05c0591be36a7f02a8dce9feb182d3989c0836ad8dd591081b5de76f8b6912a
SUSP_NET_Binary_Mar23_1 | 10 | 2eef52875321ab993f81619a9fefaf29744a9efdafba84c23fca8b42b2ab9c7a
SUSP_Malformed_PE_Header_Dec17 | 14 | 3c567b479d8c51ef64d916a71907af7bd9592a71f3578019f1e9855f47855335
SUSP_MAL_Strings_ConsoleApp_Eval_Jan19_1 | 14 | 3c567b479d8c51ef64d916a71907af7bd9592a71f3578019f1e9855f47855335
SUSP_MAL_Strings_ConsoleApp_Eval_Jan19_1 | 14 | 847ad0582eb7b9756ea4c95d88241fb06c5f17ee4069bdb951c38cc6811b9683
SUSP_Malformed_PE_Header_Dec17 | 14 | 847ad0582eb7b9756ea4c95d88241fb06c5f17ee4069bdb951c38cc6811b9683
PUA_ConnectWise_ScreenConnect_Mar23 | 1 | 1fc414b1cb80adda4433e2f56d22476775a1a659d622a70c7b6f84a742de723b
SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23 | 1 | ed923e57403b70036cd5b31fc38c4ca648d7e7d35fb5ad4354b9043a54b7cecc
SUSP_Protector_Themida_Packed_Samples_Mar21_1 | 8 | 6bb031f801371345c329bd0c7949aaf8dfb3a0e1b9670509e2b3c5ddd9494111
SUSP_PE_Themida_Packed_Nov22 | 8 | 6bb031f801371345c329bd0c7949aaf8dfb3a0e1b9670509e2b3c5ddd9494111
SUSP_Malformed_PE_Header_Dec17 | 14 | feebf89b57e3166d6f32d4f76c74d3b337982437f14b96483d362ff0f65c93c6
SUSP_MAL_Strings_ConsoleApp_Eval_Jan19_1 | 14 | feebf89b57e3166d6f32d4f76c74d3b337982437f14b96483d362ff0f65c93c6
SUSP_PE_Signed_by_Suspicious_Entitiy_Mar23 | 3 | 685162da5ec8db9c2bf503782d24b037e60d3aa2bf132062ae7f9d7e1d1ceef1
SUSP_OBFUSC_JS_Oct23_4 | 6 | 04542b0f5e9c5057e56fb1a4410411d6da2e27f381056bdfbc916acdd3a69683
SUSP_OBFUSC_JS_Oct23_4 | 6 | 1921d6d8889bd82f22cb6969fc7b73d90bf3e1a2c9c6b7e890256ae4cb0ed0cf
SUSP_OBF_VMProtect_Jan24 | 10 | 1720138bab2d9b44eeea1946a602a714213d47ffb6ee82d76bcbf5545cba0e15
SUSP_Wextract_Anomaly_Unsigned_May23 | 10 | f62e4329aaa62d62eb1ef12015f269852dfd201c28d0e1080944286a3646fd22
HTKL_Error_Kernel_BaseAddress | 7 | 29f2a28362d7b855a0a85c2464fa582a1cb5443dc6656655885b79fcdcfba27e
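The two tables above ("Successful YARA Rules in Set" and "Latest YARA Matches with Low AV Detection Rate") are both aggregations over the same kind of record: a rule name, a sample hash, the number of AV engines flagging that sample, and the day the match was seen. The following added example (my own code, not Valhalla's) rebuilds both views on constructed telemetry so the ranking can be reproduced on your own scan results. It assumes the record layout shown, and it uses the _MonYY suffix of the rule name (e.g. _Sep24) as the rule's creation month, which is an assumption about the naming scheme rather than a documented guarantee.

```python
"""Rank YARA rules by how poorly AV engines cover the samples they match.

Added example, not Valhalla's own code: it rebuilds, on constructed match records,
the "successful rules" view (lowest average AV detection on matches from the last
14 days, rules created in the last 12 months) and the list of matches with a low
AV detection rate (0 to 15 engines). Treating the rule-name suffix _MonYY as the
creation month is an assumption, as is the record layout.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
# _MonYY at the end of the name, optionally followed by a counter or qualifier (_3, _1_File)
SUFFIX_RE = re.compile(r"_(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)(\d{2})(?:_\w+)?$", re.I)


def rule_month(rule: str):
    """(year, month) parsed from the rule-name suffix, or None if the name has no date."""
    m = SUFFIX_RE.search(rule)
    if not m:
        return None
    return 2000 + int(m.group(2)), MONTHS[m.group(1).title()]


@dataclass(frozen=True)
class Match:
    rule: str
    sha256: str
    av_hits: int   # number of AV engines flagging the sample at scan time
    seen: date     # day the match was observed


def successful_rules(matches, today, max_rule_age_months=12, window_days=14):
    """[(rule, average av_hits, sample count)] sorted best (lowest average) first."""
    since = today - timedelta(days=window_days)
    per_rule = defaultdict(list)
    for m in matches:
        created = rule_month(m.rule)
        if created is None or m.seen < since:
            continue
        age = (today.year - created[0]) * 12 + (today.month - created[1])
        if 0 <= age <= max_rule_age_months:
            per_rule[m.rule].append(m.av_hits)
    rows = [(rule, round(sum(h) / len(h), 2), len(h)) for rule, h in per_rule.items()]
    return sorted(rows, key=lambda r: (r[1], -r[2], r[0]))


def low_av_matches(matches, max_hits=15):
    """Matches whose sample was flagged by at most max_hits engines, newest first."""
    return sorted((m for m in matches if 0 <= m.av_hits <= max_hits),
                  key=lambda m: m.seen, reverse=True)


def _sha(i: int) -> str:
    """Constructed placeholder SHA-256 (not a real sample hash)."""
    return f"{i:064x}"


TODAY = date(2024, 9, 9)
# Constructed telemetry: rule names follow the Valhalla naming scheme, hashes are fake.
SAMPLE_MATCHES = [
    Match("SUSP_OBF_VMProtect_Jan24", _sha(1), 12, date(2024, 9, 8)),
    Match("SUSP_Malformed_PE_Header_Dec17", _sha(5), 14, date(2024, 9, 8)),  # rule older than 12 months
    Match("HTKL_Error_Kernel_BaseAddress", _sha(6), 7, date(2024, 9, 8)),   # no date suffix
    Match("SUSP_OBF_VMProtect_Jan24", _sha(2), 6, date(2024, 9, 7)),
    Match("SUSP_OBFUSC_JS_Oct23_4", _sha(3), 6, date(2024, 9, 6)),
    Match("SUSP_OBF_VMProtect_Jan24", _sha(8), 30, date(2024, 9, 5)),
    Match("SUSP_OBFUSC_JS_Oct23_4", _sha(4), 0, date(2024, 9, 1)),
    Match("SUSP_OBF_VMProtect_Jan24", _sha(7), 40, date(2024, 8, 1)),       # outside the 14-day window
]

if __name__ == "__main__":
    for rule, avg, n in successful_rules(SAMPLE_MATCHES, TODAY):
        print(f"{rule:40} avg AVs {avg:5.2f}  samples {n}")
    for m in low_av_matches(SAMPLE_MATCHES):
        print(f"{m.av_hits:2d} {m.sha256} {m.rule}")
```

Rules without a date suffix and rules older than the window are silently excluded from the ranking, which mirrors the "created in the last 12 months" criterion; the low-AV list has no such age filter, which is why an old generic rule such as SUSP_Malformed_PE_Header_Dec17 can still appear there.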

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag | Count
Malware | 6308
Threat Hunting (not subscribable, only in THOR scanner) | 5112
APT | 4872
Hacktools | 4539
Webshells | 2314
Exploits | 630

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Date | Description
Startup/Logon Script Added to Group Policy Object | 06.09.2024 | Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to user or computer objects.
Group Policy Abuse for Privilege Addition | 04.09.2024 | Detects the first occurrence of a modification to Group Policy Object attributes to add privileges to user accounts or use them to add users as local admins.
Process Deletion of Its Own Executable | 03.09.2024 | Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
PowerShell Web Access Feature Enabled Via DISM | 03.09.2024 | Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse.
PowerShell Web Access Installation - PsScript | 03.09.2024 | Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse.
Remote Access Tool - AnyDesk Incoming Connection | 02.09.2024 | Detects incoming connections to AnyDesk. This could indicate a remote attacker connecting to a listening AnyDesk instance and using it as a command and control channel.
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image | 02.09.2024 | Detects potential command line obfuscation using Unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Suspicious Invocation of Shell via AWK - Linux | 02.09.2024 | Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Capsh Shell Invocation - Linux | 02.09.2024 | Detects the use of the "capsh" utility to invoke a shell.
Shell Invocation via Env Command - Linux | 02.09.2024 | Detects the use of the "env" command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
Shell Execution via Find - Linux | 02.09.2024 | Detects the use of the "find" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempts.
Shell Execution GCC - Linux | 02.09.2024 | Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
Shell Execution via Flock - Linux | 02.09.2024 | Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
Shell Execution via Git - Linux | 02.09.2024 | Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
Shell Execution via Nice - Linux | 02.09.2024 | Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
Inline Python Execution - Spawn Shell Via OS System Library | 02.09.2024 | Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.
Shell Execution via Rsync - Linux | 02.09.2024 | Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
Shell Invocation Via Ssh - Linux | 29.08.2024 | Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
AppDomainManager Injection via Environment Variables | 28.08.2024 | Detects environment variables that indicate injection of AppDomainManager DLLs into .NET binaries.
VeilTransfer Data Exfiltration | 27.08.2024 | Detects usage of VeilTransfer, a tool to exfiltrate data via different protocols and services (e.g. GitHub, Telegram, Mega).
Python Function Execution Security Warning Disabled In Excel - Registry | 23.08.2024 | Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
DNS Query To Put.io - DNS Client | 23.08.2024 | Detects DNS queries for subdomains related to the "Put.io" sharing website.
Hidden Flag Set On File/Directory Via Chflags - MacOS | 21.08.2024 | Detects the execution of the "chflags" utility with the "hidden" flag in order to hide files on macOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Multi Factor Authentication Disabled For User Account | 21.08.2024 | Detects changes to the "StrongAuthenticationRequirement" value where the state is set to "0" or "Disabled". Threat actors have been seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks.
Data Export From MSSQL Table Via BCP.EXE | 20.08.2024 | Detects the execution of the BCP utility in order to export data from a database. Attackers have been seen saving their malware to a database column or table and later extracting it via "bcp.exe" into a file.
Potentially Suspicious Rundll32.EXE Execution of UDL File | 16.08.2024 | Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
ESXi Auto-Start Feature Disabled Via Vim-Cmd | 14.08.2024 | Detects the execution of "vim-cmd" with the "hostsvc/autostartmanager/enable_autostart" command used to disable the auto-start feature. If disabled, when the host reboots (e.g. after maintenance, a power outage, or a crash), the virtual machines will not start automatically.
Virtual Machine Suspended Via VMdumper | 14.08.2024 | Detects the execution of "VMdumper" with the "suspend_v" flag, which allows a user to suspend a running virtual machine on ESXi servers. The LockBit ransomware was seen using this technique before encrypting the VMs.
New Screenshot Saved Via VMdumper | 14.08.2024 | Detects the execution of "VMdumper" with the "screenshot" flag, which allows a user to take a screenshot of a running virtual machine on ESXi servers.
Delete Virtual Machine Snapshot Via Vim-Cmd | 14.08.2024 | Detects the execution of "vim-cmd" with the "vmsvc/snapshot.removeall" command in order to remove all snapshots of a specific virtual machine on an ESXi host. This command was seen being used by ransomware operators to remove all snapshots before initiating the encryption process.
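The Linux shell-escape rules in the table above (find, flock, nice, env, rsync, awk, inline Python) and the AppDomainManager rule all reduce to a few field matchers over process-creation events. The following added example, which is not code from SigmaHQ or Nextron, implements a minimal evaluator for Sigma's field modifiers (endswith, contains, contains|all, re; list values are OR) and runs my own approximations of those selections over constructed events. The selections, the SHELL_RE pattern and the assumption that the AppDomainManager variables show up in the command line are mine; the published rules carry more conditions, filters and metadata than shown here.

```python
"""Evaluate Sigma-style selections over constructed Linux process_creation events.

Added example, not SigmaHQ or Nextron code: the selections below are my own
approximations of the "shell execution via <binary>" rules (find, flock, nice,
env, rsync, awk system(), inline Python os.system) and of the AppDomainManager
environment-variable rule. Modifier semantics follow Sigma: matching is
case-insensitive, a list is OR unless |all makes it AND, |re is a regex.
"""
import re

# one shell token, possibly with a /bin or /usr/bin prefix, delimited by whitespace or quotes
SHELL_RE = r"(^|[\s'\"=])(/usr/bin/|/bin/)?(sh|bash|dash|zsh)([\s'\"]|$)"

RULES = [
    {"title": "Shell Execution via Find - Linux",
     "selection": {"Image|endswith": "/find",
                   "CommandLine|contains": ["-exec", "-ok"],
                   "CommandLine|re": SHELL_RE}},
    {"title": "Shell Execution via Flock - Linux",
     "selection": {"Image|endswith": "/flock", "CommandLine|re": SHELL_RE}},
    {"title": "Shell Execution via Nice - Linux",
     "selection": {"Image|endswith": "/nice", "CommandLine|re": SHELL_RE}},
    {"title": "Shell Invocation via Env Command - Linux",
     "selection": {"Image|endswith": "/env", "CommandLine|re": SHELL_RE}},
    {"title": "Shell Execution via Rsync - Linux",
     "selection": {"Image|endswith": "/rsync", "CommandLine|contains": "-e",
                   "CommandLine|re": SHELL_RE}},
    {"title": "Suspicious Invocation of Shell via AWK - Linux",
     "selection": {"Image|endswith": ["/awk", "/gawk", "/mawk", "/nawk"],
                   "CommandLine|contains": "system("}},
    {"title": "Inline Python Execution - Spawn Shell Via OS System Library",
     "selection": {"Image|contains": "python",
                   "CommandLine|contains|all": ["-c", "os.system("]}},
    # assumption: the technique sets APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE
    # before starting a .NET binary, so both names show up in the command line
    {"title": "AppDomainManager Injection via Environment Variables",
     "selection": {"CommandLine|contains|all": ["APPDOMAIN_MANAGER_ASM",
                                                "APPDOMAIN_MANAGER_TYPE"]}},
]


def _str_match(value, mods, pattern):
    """Apply one Sigma modifier chain to a single string value."""
    if "re" in mods:
        return re.search(pattern, value) is not None
    v, p = value.lower(), pattern.lower()
    if "endswith" in mods:
        return v.endswith(p)
    if "startswith" in mods:
        return v.startswith(p)
    if "contains" in mods:
        return p in v
    return v == p


def _field_match(event, key, patterns):
    """'Field|mod|mod': a list of patterns is OR, or AND when the |all modifier is present."""
    field, *mods = key.split("|")
    value = str(event.get(field, ""))
    pats = patterns if isinstance(patterns, list) else [patterns]
    hits = [_str_match(value, mods, p) for p in pats]
    return all(hits) if "all" in mods else any(hits)


def evaluate(rule, event):
    """True when every field of the rule's selection matches the event (condition: selection)."""
    return all(_field_match(event, k, v) for k, v in rule["selection"].items())


def run(rules, events):
    """(event index, rule title) for every rule that fires on each event."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if evaluate(r, ev)]


# Constructed process_creation events; indices 1, 3 and 8 are benign look-alikes.
EVENTS = [
    {"Image": "/usr/bin/find", "CommandLine": "find / -exec /bin/sh \\;"},
    {"Image": "/usr/bin/find", "CommandLine": "find /var/www -name '*.php' -mtime -1"},
    {"Image": "/usr/bin/flock", "CommandLine": "flock -u / /bin/sh"},
    {"Image": "/usr/bin/nice", "CommandLine": "nice -n 10 rsync -avz src/ dst/"},
    {"Image": "/usr/bin/env", "CommandLine": "env /bin/sh -p"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -c 'import os; os.system(\"/bin/sh\")'"},
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -e 'sh -c \"id\"' 127.0.0.1::"},
    {"Image": "/usr/bin/awk", "CommandLine": "awk 'BEGIN {system(\"/bin/sh\")}'"},
    {"Image": "/usr/bin/awk", "CommandLine": "awk -F: '{print $1}' /etc/passwd"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c set APPDOMAIN_MANAGER_ASM=evil, Version=1.0.0.0 && "
                    "set APPDOMAIN_MANAGER_TYPE=Loader && app.exe"},
]

if __name__ == "__main__":
    for i, title in run(RULES, EVENTS):
        print(f"event {i}: {title}")
```

The shell regex is the part that needs tuning in practice: it deliberately requires a delimiter on both sides of the shell name so that "rsync" or "dst/" do not trip the nice rule, while still catching a shell passed inside quotes to rsync -e or awk's system().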

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 3197 | 18183
Sigma | 3333 | 508

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1245
windows / registry_set | 200
windows / file_event | 189
windows / ps_script | 166
windows / security | 157
linux / process_creation | 120
windows / image_load | 104
webserver | 78
windows / system | 72
macos / process_creation | 65
proxy | 52
windows / network_connection | 51
linux / auditd | 48
azure / activitylogs | 43
aws / cloudtrail | 42
azure / auditlogs | 38
windows / registry_event | 38
windows / ps_module | 33
windows / application | 28
azure / signinlogs | 24
okta / okta | 22
windows / process_access | 22
windows / dns_query | 21
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 13
windows / file_delete | 13
github / audit | 13
cisco / aaa | 12
windows / codeintegrity-operational | 10
windows / ps_classic_start | 10
kubernetes / application / audit | 10
windows / driver_load | 10
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / firewall-as | 8
windows / msexchange-management | 8
dns | 8
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
windows / registry_delete | 7
windows / bits-client | 7
gcp / google_workspace.admin | 7
zeek / smb_files | 7
windows / dns-client | 6
windows / file_access | 6
linux / network_connection | 5
jvm / application | 5
kubernetes / audit | 5
windows / sysmon | 4
windows / taskscheduler | 4
zeek / dns | 4
zeek / dce_rpc | 4
zeek / http | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
windows / dns-server | 2
macos / file_event | 2
onelogin / onelogin.events | 2
apache | 2
qualys | 2
firewall | 2
windows / file_change | 2
windows / security-mitigations | 2
spring / application | 2
linux / syslog | 2
m365 / audit | 2
linux / sudo | 1
zeek / x509 | 1
windows / smbclient-security | 1
windows / file_rename | 1
ruby_on_rails / application | 1
m365 / exchange | 1
sql / application | 1
linux / vsftpd | 1
zeek / rdp | 1
windows / diagnosis-scripted | 1
windows / sysmon_status | 1
m365 / threat_detection | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_error | 1
database | 1
zeek / kerberos | 1
windows | 1
windows / dns-server-analytic | 1
windows / driver-framework | 1
windows / printservice-admin | 1
nginx | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
cisco / bgp | 1
fortios / sslvpnd | 1
netflow | 1
cisco / ldp | 1
windows / ldap | 1
cisco / syslog | 1
linux / auth | 1
windows / openssh | 1
django / application | 1
windows / smbclient-connectivity | 1
linux / cron | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
windows / process_tampering | 1
paloalto / file_event / globalprotect | 1
juniper / bgp | 1
windows / applocker | 1
nodejs / application | 1
paloalto / appliance / globalprotect | 1
cisco / duo | 1
linux / clamav | 1
windows / appxpackaging-om | 1
windows / shell-core | 1
python / application | 1
linux / guacamole | 1
windows / raw_access_thread | 1
windows / capi2 | 1
windows / file_executable_detected | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1
velocity / application | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 207
windows / registry_set | 57
windows / ps_script | 55
windows / wmi | 29
windows / file_event | 23
windows / image_load | 17
linux / process_creation | 11
windows / security | 11
proxy | 11
windows / network_connection | 7
windows / system | 7
windows / kernel-event-tracing | 6
windows / registry_event | 5
windows / ntfs | 5
windows / ps_module | 5
windows / create_remote_thread | 4
windows / pipe_created | 4
windows / sense | 4
webserver | 3
windows / application-experience | 3
windows / registry_delete | 3
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / vhd | 3
windows / bits-client | 2
windows / driver_load | 2
windows / kernel-shimengine | 2
windows / taskscheduler | 2
windows / windefend | 1
windows / process_access | 1
windows / audit-cve | 1
windows / codeintegrity-operational | 1
windows / file_access | 1
windows / file_delete | 1
windows / registry-setinformation | 1
windows / application | 1
windows / dns_query | 1
windows / firewall-as | 1
windows / file_rename | 1
macos / process_creation | 1
THOR / ProcessCheck | 1
windows / amsi | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
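Because Nessus takes exactly one .yar file, rule sets pulled from several sources have to be merged before upload, and a naive concatenation fails to compile as soon as two files define the same rule name. The following added example (my own code, not Nessus's or Valhalla's) does that merge: it hoists import statements to the top once, keeps the first definition of each rule name, drops later copies and reports them, and verifies the result with yara-python when that module is installed. The two rule files and the rules inside them are constructed for the example and are not Valhalla rules.

```python
"""Merge several YARA rule files into the single .yar file Nessus accepts.

Added example, not Nessus's or Valhalla's own code. Concatenating rule files
breaks as soon as two of them define the same rule name (yara refuses to compile
duplicate identifiers), so this hoists every 'import "module"' line to the top
once, keeps the first definition of each rule name, drops later copies and
reports them. The rule files below are constructed; the yara-python compile
check only runs when the module is installed.
"""
import re
import sys
from pathlib import Path

# a rule starts at a line like: [private|global] rule Name [: tags] {
RULE_START = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)\b")
IMPORT_LINE = re.compile(r'^\s*import\s+"[^"]+"\s*$')


def parse_yar(text):
    """Split .yar text into (import lines, [(rule name, rule source)]).

    Rules are delimited by their 'rule' header lines rather than by brace counting,
    so braces inside hex or text strings cannot confuse the split; a comment line
    that itself starts with 'rule' would (assumed not to occur in the inputs).
    """
    lines = text.splitlines(keepends=True)
    starts = [i for i, ln in enumerate(lines) if RULE_START.match(ln)]
    imports = [ln.strip() for ln in lines if IMPORT_LINE.match(ln)]
    rules = []
    for n, s in enumerate(starts):
        e = starts[n + 1] if n + 1 < len(starts) else len(lines)
        name = RULE_START.match(lines[s]).group(1)
        body = [ln for ln in lines[s:e] if not IMPORT_LINE.match(ln)]
        rules.append((name, "".join(body).rstrip() + "\n"))
    return imports, rules


def merge_yar(named_sources):
    """Return (merged text, dropped) with dropped = [(rule name, file, file of first definition)]."""
    imports, seen, out, dropped = [], {}, [], []
    for fname, text in named_sources:
        imps, rules = parse_yar(text)
        for imp in imps:
            if imp not in imports:
                imports.append(imp)
        for name, src in rules:
            if name in seen:
                dropped.append((name, fname, seen[name]))
            else:
                seen[name] = fname
                out.append(src)
    header = "".join(i + "\n" for i in imports) + ("\n" if imports else "")
    return header + "\n".join(out), dropped


def rule_names(text):
    """Rule identifiers in definition order."""
    return [m.group(1) for m in map(RULE_START.match, text.splitlines()) if m]


def compiles(text):
    """True if yara-python compiles the text, None if yara-python is not installed."""
    try:
        import yara
    except ImportError:
        return None
    yara.compile(source=text)
    return True


# Constructed rule files; the rules are illustrative and not from any feed.
FILE_A = '''import "pe"

rule HKTL_Example_Loader_Sep24 {
    meta:
        description = "constructed example rule, not a Valhalla rule"
    strings:
        $s1 = "BeaconDataParse" ascii
        $s2 = { 4D 5A 90 00 }
    condition:
        uint16(0) == 0x5a4d and 1 of them
}

rule SUSP_Example_Script_Sep24 {
    strings:
        $ps = "FromBase64String(" ascii wide
    condition:
        $ps
}
'''

FILE_B = '''import "pe"
import "math"

// same name as a rule in the first file: the later copy must be dropped
rule SUSP_Example_Script_Sep24 {
    strings:
        $ps = "FromBase64String(" ascii wide
    condition:
        $ps
}

private rule MAL_Example_Marker_Sep24 {
    condition:
        pe.number_of_sections > 3 and math.entropy(0, filesize) > 7.0
}
'''

SAMPLE_FILES = [("a.yar", FILE_A), ("b.yar", FILE_B)]

if __name__ == "__main__":
    merged, dropped = merge_yar(SAMPLE_FILES)
    for name, fname, first in dropped:
        print(f"dropped duplicate rule {name} from {fname} (first defined in {first})", file=sys.stderr)
    if len(sys.argv) > 1:
        Path(sys.argv[1]).write_text(merged)   # the single .yar to upload to Nessus
    else:
        print(merged)
```

Run it with an output path (e.g. python merge_yar.py nessus_rules.yar) to produce the single file; the duplicate report on stderr is worth reading before upload, since a dropped copy may be a newer revision of a rule rather than a plain duplicate.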

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html