Valhalla Logo
currently serving 18745 YARA rules and 2924 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
HKTL_LPE_GodPotato_Jun23_1
Detects GodPotato local privilege escalation tool
03.06.2023
HKTL_LPE_Characteristics_Jun23
Detects indicators found in local privilege escalation tool
03.06.2023
SUSP_BAT_OBFUSC_Comrade_Jun23_1
Detects BAT files obfuscated with Comrade obfuscator
03.06.2023
SUSP_PE_OK_RU_URL_Jun23
Detects suspicious reference to https://ok.ru/ in PE files
03.06.2023
LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2
Detects a potential compromise indicator found in MOVEit Transfer logs
03.06.2023
MAL_RANSOM_MoneyBird_Jun23_1
Detects MoneyBird ransomware samples
03.06.2023
HKTL_LPE_PrintNotifyPotato_Jun23_1
Detects LPE tool that uses PrintNotify COM service for privilege escalation
01.06.2023
WEBSHELL_ASPX_DLL_Jun23_1
Detects compiled chopper like ASPX web shells
01.06.2023
WEBSHELL_ASPX_DLL_Jun23_2
Detects compiled chopper like ASPX web shells
01.06.2023
WEBSHELL_ASPX_DLL_MOVEit_Jun23_1
Detects compiled ASPX web shells found being used in MOVEit Transfer exploitation
01.06.2023
WEBSHELL_ASPX_MOVEit_Jun23_1
Detects ASPX web shells as being used in MOVEit Transfer exploitation
01.06.2023
LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1
Detects a potential compromise indicator found in MOVEit Transfer logs
01.06.2023
HKTL_Blackout_AV_EDR_Killer_May23_1
Detects EDR/AV killer tool Blackout
29.05.2023
HKTL_Wizard_Loader_May23_1
Detects shellcode injectors / loaders
29.05.2023
HKTL_RuyLopez_BlockDLL_May23_1
Detects PoC code used to disable EDRs by preventing their DLLs from being loaded
29.05.2023
SUSP_ShellCode_Loaders_May23_1
Detects shellcode injectors / loaders
29.05.2023
SUSP_HKTL_Author_ZeroMemoryEx_May23_1
Detects EDR/AV killer tool Blackout
29.05.2023
SUSP_HxD_Icon_Anomaly_May23_1
Detects suspicious use of the free hex editor HxD's icon in PE files that don't seem to be a legitimate version of HxD
29.05.2023
SUSP_ShellCode_Loader_May23_1
Detects shellcode injectors / loaders
29.05.2023
SUSP_ProcessInjector_Indicator_May23_1
Detects strings often found in malicious payloads that inject into or kill processes
29.05.2023
APT_MAL_CopperStealth_Rootkit_May23_2
Detects CopperStealth rootkit
22.05.2023
MAL_RK_Rhaast_May23_1
Detects indicators found in Rhaast rootkit samples (rootkit driver and client)
22.05.2023
HKTL_ProcInject_GregsBestFriend_May23_1
Detects GregsBestFriend process injection code created from the White Knight Labs Offensive Development course
20.05.2023
MAL_FIN7_PS1_POWERTRASH_May23_1
Detects sequences found in FIN7's obfuscated POWERSTRASH PowerShell malware samples
20.05.2023
MAL_CryptoMiner_May23_1
Detects malware mentioned in report on crypto mining activity
20.05.2023
MAL_Stealer_Unknown_May23_1
Detects unknown password stealer
20.05.2023
SUSP_Process_Injection_ShellCode_May23_1
Detects code found in GregsBestFriend process injection samples created from the White Knight Labs Offensive Development course
20.05.2023
SUSP_PUA_WinRing0_Driver_May23_1
Detects suspicious WinRing0 driver (often embedded in other software that needs access to Ring0, but sometimes used by malware as well)
20.05.2023
SUSP_PE_Loader_Indicators_May23_1
Detects suspicious indicators found in unknown PE loader
19.05.2023
SUSP_LSASS_Process_Dumper_Indicators_May23_1
Detects indicators found in LSASS process dumpers
19.05.2023

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.13
15
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.15
186
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
0.31
13
SUSP_PUA_RustDesk_Apr23_1
0.68
34
HKTL_Clash_Tunneling_Tool_Aug22_2
1.38
16
SUSP_JS_OBFUSC_Feb23_2
1.44
1599
WEBSHELL_PHP_Jul22_1
1.62
13
SUSP_ISO_PhishAttachment_Password_In_Body_Jun22_1
1.83
47
SUSP_OBFUSC_JS_Execute_Base64_Mar23
2.1
40
SUSP_VBS_Copying_Files_To_Folder_Apr23
2.27
22
SUSP_LNK_Public_SubFolder_FileType_Jun22_1
2.45
11
SUSP_BAT_OBFUSC_Apr23_3
2.51
81
SUSP_JS_Redirector_Mar23
2.69
16
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
3.0
32
SUSP_PY_OBFUSC_Hyperion_Aug22_1
3.18
11
SUSP_OBFUSC_JS_Executing_DLL_Apr23_2
3.4
2695
SUSP_BAT_PS1_Combo_Jan23_2
3.62
29
SUSP_WEvtUtil_ClearLogs_Sep22_1
3.67
36
SUSP_BAT_OBFUSC_Apr23_1
3.67
12
SUSP_Tiny_RAR_Suspicious_Extensions_Mar21_1
4.25
24
SUSP_JS_Decrypting_DataBlob_May23
4.33
12
SUSP_VBS_DownloadCradles_Jul22_1
4.62
13
SUSP_RANSOM_Note_Aug22
4.71
66
SUSP_JS_OBFUSC_Base64_Combo_Jul22_1
5.05
44
SUSP_MSF_MSFVenom_Indicator_Jan23_1
5.06
17
HKTL_LinPEAS_Indicators_Dec22_1
5.21
34
SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22
5.27
15
SUSP_LNX_Cat_Shadow_Jun22_1
5.37
43
SUSP_PS1_Loader_Indicators_Jul22_6
5.75
16
SUSP_BAT_OBFUSC_Apr23_4
5.79
14

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_JS_Document_Write_Unescape_Indicators_Mar22_1
2
f5a40219f271cb2e4398891281019a197404aa24d4060d4ad712b2d784c2e143
MAL_Athena_Agent_Oct22
5
bf3fae6db9235f7f97b4c0b46a40623a8b27a1dcb7d05911a86966acc64aa25d
APT_PlugX_SFX_with_Chinese_Chars
5
558675cf9aa5266bc7af92b10aa573bf9aa1901b1293346a8cf5c5eba938a3ba
SUSP_Base64_Encoded_Hex_Encoded_Code
4
af6233e5a72d2ca977cf2cea4a1a0c0c9c6c9b3bbf8c706c20937057bb01f116
SUSP_Encoded_PowerShell_Policies_Sep21_1
2
b2766ae0f9d2ccb22253db093a88fef4528d149f3e82a61e1ec34ee2b8103af2
SUSP_Base64AtEndOfFile_Jul21
10
af27549dbe132de0c1d6584613771ee90db88ad1391a266d0ba40026d2cb937c
webshell_php_generic_eval
5
7babfdec1973144c849e4a552aa21e65915340411ffb6ecd47f2d4d0511364c7
webshell_php_by_string_known_webshell
5
7babfdec1973144c849e4a552aa21e65915340411ffb6ecd47f2d4d0511364c7
SUSP_WEBSHELL_Tiny_Eval_Oct20
5
7babfdec1973144c849e4a552aa21e65915340411ffb6ecd47f2d4d0511364c7
APT_WebShell_Tiny_1
5
7babfdec1973144c849e4a552aa21e65915340411ffb6ecd47f2d4d0511364c7
WEBSHELL_suspEval_Mar20
5
7babfdec1973144c849e4a552aa21e65915340411ffb6ecd47f2d4d0511364c7
webshell_php_generic
5
7babfdec1973144c849e4a552aa21e65915340411ffb6ecd47f2d4d0511364c7
PUA_ConnectWise_ScreenConnect_Mar23
1
5425b36e3ab0c13750d2f6765b3f50ce3e9c0abdde2347a2a4c497e63fb14a93
SUSP_Encoded_Pastebin_URL
1
bbee0434b7096c78d76fb28fc270dc0094533fd7729c67d503ecae5c9deb497f
SUSP_PS1_Small_Base64Decode_Jun22_1
1
bbee0434b7096c78d76fb28fc270dc0094533fd7729c67d503ecae5c9deb497f
SUSP_OBFUSC_Go_Garbled_Apr22_1
1
5e63ddb14d29b1cd287d4dfd986204d5f6281840e5c5b39955578a7c24b2d9de
SUSP_PE_Discord_Attachment_Oct21_1
7
78a140f3fc328b8b58cc094f1f5a64fc35be01fc0d828aea2afcf0acf3b91207
MAL_Antiaris_Dropper_Mar21_1
7
78a140f3fc328b8b58cc094f1f5a64fc35be01fc0d828aea2afcf0acf3b91207
SUSP_Base64AtEndOfFile_Jul21
11
a60221bb7def6e5246d646268ced25ce5f5665e405ec8f7fe021d0b925784a06
SUSP_Enigma_Protector
1
46c041e00cc0c01370b15a9c690613d18179033f97f229cb77146a6543e09b17

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
5242
APT
4639
Threat Hunting (not subscribable, only in THOR scanner)
4439
Hacktools
4241
Webshells
2217
Exploits
566

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Potentially Suspicious Shell Script Creation in Profile Folder
Detects the creation of shell scripts under the "profile.d" path.
02.06.2023
Wget Creating Files in Tmp Directory
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
02.06.2023
Crontab Enumeration
Detects usage of crontab to list the tasks of the user
02.06.2023
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
02.06.2023
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
02.06.2023
Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
02.06.2023
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
02.06.2023
Shell Execution Of Process Located In Tmp Directory
Detects execution of shells from a parent process located in a temporary (/tmp) directory
02.06.2023
Execution Of Script Located In Potentially Suspicious Directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
02.06.2023
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
02.06.2023
Potential SmadHook.DLL Sideloading
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
01.06.2023
Potential Suspicious Change To Sensitive/Critical Files
Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
30.05.2023
Regsvr32 Execution From Potential Suspicious Location
Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
26.05.2023
Regsvr32 Execution From Highly Suspicious Location
Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
26.05.2023
Scripting/CommandLine Process Spawned Regsvr32
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
26.05.2023
Potentially Suspicious Regsvr32 HTTP/FTP Pattern
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
24.05.2023
Failed DNS Zone Transfer
Detects when a DNS zone transfer failed.
24.05.2023
Potentially Suspicious ODBC Driver Registered
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
23.05.2023
New ODBC Driver Registered
Detects the registration of a new ODBC driver.
23.05.2023
Suspicious Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
23.05.2023
Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
22.05.2023
Odbcconf.EXE Suspicious DLL Location
Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
22.05.2023
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
22.05.2023
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
22.05.2023
Suspicious Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
22.05.2023
Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
22.05.2023
Uncommon Child Process Spawned By Odbcconf.EXE
Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
22.05.2023
Suspicious Non-Browser Network Communication With Telegram API
Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
19.05.2023
Password Policy Enumerated
Detects when the password policy is enumerated.
19.05.2023
Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
18.05.2023

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
2609
16136
Sigma
2622
302

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
982
windows / ps_script
162
windows / registry_set
157
windows / file_event
145
windows / security
137
linux / process_creation
85
windows / image_load
72
windows / system
63
linux / auditd
49
macos / process_creation
43
windows / network_connection
41
proxy
38
azure / activitylogs
38
windows / registry_event
36
azure / auditlogs
33
windows / ps_module
32
aws / cloudtrail
29
windows / process_access
27
azure / signinlogs
24
windows / application
23
rpc_firewall / application
17
windows / pipe_created
17
linux
17
windows / driver_load
16
okta / okta
15
gcp / gcp.audit
14
m365 / threat_management
13
windows / dns_query
13
windows / windefend
12
cisco / aaa
12
webserver
12
windows / file_delete
11
windows / ps_classic_start
11
windows / create_remote_thread
11
windows / create_stream_hash
9
windows / registry_add
9
windows / firewall-as
8
windows / msexchange-management
8
windows / bits-client
7
github / audit
7
linux / file_event
7
zeek / smb_files
7
antivirus
7
dns
7
windows / appxdeployment-server
7
google_workspace / google_workspace.admin
6
windows / registry_delete
6
jvm / application
5
windows / dns-client
5
azure / azureactivity
5
zeek / dns
4
zeek / dce_rpc
4
windows / file_access
4
windows / wmi_event
3
windows / codeintegrity-operational
3
zeek / http
3
linux / network_connection
3
windows / taskscheduler
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
2
windows / security-mitigations
2
windows / file_rename
2
linux / syslog
2
spring / application
2
windows / dns-server
2
onelogin / onelogin.events
2
apache
2
macos / file_event
2
qualys
2
windows / file_change
2
firewall
2
nodejs / application
1
linux / sudo
1
windows / capi2
1
windows / shell-core
1
windows / file_block
1
python / application
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
django / application
1
zeek / x509
1
windows / sysmon
1
m365 / exchange
1
linux / vsftpd
1
windows / diagnosis-scripted
1
windows / smbclient-security
1
windows / sysmon_status
1
m365 / threat_detection
1
zeek / rdp
1
windows / process_tampering
1
velocity / application
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / sysmon_error
1
ruby_on_rails / application
1
database
1
nginx
1
windows / driver-framework
1
windows
1
windows / ps_classic_provider_start
1
sql / application
1
windows / lsa-server
1
netflow
1
cisco / ldp
1
windows / dns-server-analytic
1
windows / wmi
1
linux / auth
1
cisco / bgp
1
linux / cron
1
windows / ldap_debug
1
windows / raw_access_thread
1
linux / clamav
1
huawei / bgp
1
windows / appmodel-runtime
1
windows / openssh
1
linux / guacamole
1
juniper / bgp
1
windows / applocker
1
windows / appxpackaging-om
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
133
windows / ps_script
40
windows / wmi
29
windows / registry_set
20
windows / file_event
11
proxy
11
windows / system
8
windows / security
5
windows / create_remote_thread
4
windows / image_load
3
linux / process_creation
3
windows / network_connection
3
windows / pipe_created
3
windows / ps_classic_script
3
windows / ps_module
3
windows / registry_event
3
webserver
2
windows / driver_load
2
windows / bits-client
2
windows / vhd
2
windows / taskscheduler
2
windows / dns_query
1
windows / application
1
macos / process_creation
1
windows / amsi
1
windows / process_access
1
windows / registry_delete
1
windows / audit-cve
1
windows / file_access
1
windows / registry-setinformation
1
windows / file_delete
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022