Valhalla Logo
currently serving 14477 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
EXPL_Zoho_RCE_Fix_Lines_Dec21_1
Detects lines in log lines of Zoho products that indicate RCE fixes (silent removal of evidence)
06.12.2021
SUSP_User_Folder_PDB_Dec21_1
Detects suspicious user name in PE file
03.12.2021
SUSP_PowerShell_Caret_OBFUSC_Dec21_1
Detects suspicious caret obfuscation of powershell keyword
03.12.2021
SUSP_PowerShell_Caret_OBFUSC_Dec21_2
Detects suspicious caret obfuscation of powershell keyword
03.12.2021
LOG_EXPL_Zoho_ServiceDesk_CVE_2021_44077_Dec21_1
Detects the exploitation of a vulnerability in Zoho ServiceDesk as described in CVE-2021-44077
03.12.2021
APT_MAL_Go_NGLite_Backdoor_Dec21_1
Detects samples found in attack against Zoho ServiceDesk Plus
03.12.2021
APT_MAL_KDC_Sponge_Dec21_1
Detects KDC Sponge samples found in attack against Zoho ServiceDesk Plus
03.12.2021
APT_MAL_Godzilla_Dropper_Dec21_1
Detects dropper found in attack against Zoho ServiceDesk Plus
03.12.2021
APT_MAL_ZimbraImplant_Dec21_1
Detects dropper found in attack against Zoho ServiceDesk Plus
03.12.2021
WEBSHELL_SUSP_JSP_Dec21_1
Detects indicators of a JSP webshell
03.12.2021
WEBSHELL_SUSP_JSP_TomcatBackdoor_Dec21_1
Detects indicators of JSP Tomcat-Backdoor samples
03.12.2021
SUSP_MSHTA_Invocation_Dec21_1
Detects suspicious invocation pattern of MHSTA
02.12.2021
SUSP_MSHTA_Invocation_Dec21_2
Detects suspicious invocation pattern of MHSTA
02.12.2021
SUSP_APT_Scarcruft_Indicator_Dec21_1
Detects indicators found in ScarCruft samples
02.12.2021
SUSP_MSHTA_Invocation_Dec21_3
Detects suspicious invocation pattern of MHSTA
02.12.2021
SUSP_MSHTA_Invocation_Dec21_4
Detects suspicious invocation pattern of MHSTA
02.12.2021
APT_NK_Scarcruft_Indicators_Nov21_1
Detects PowerShell stager used by a Middle Eastern threat group
02.12.2021
APT_NK_Scarcruft_Chinotto_Nov21_1
Detects ScarCruft Chinotto samples
02.12.2021
APT_NK_Scarcruft_PoorWeb_Nov21_1
Detects ScarCruft PoorWeb samples
02.12.2021
APT_ME_WIRTE_LitePower_Stager_Nov21_1
Detects PowerShell stager used by a Middle Eastern threat group
30.11.2021
APT_ME_WIRTE_VBS_Nov21_1
Detects VBS script as used by a Middle Eastern threat group
30.11.2021
SUSP_PS1_OBFUSC_Patterns_Nov21_1
Detects suspicious PowerShell obfuscation patterns
29.11.2021
SUSP_Loader_Indicator_Nov21_1
Detects code seuqences often found in malicious loaders
29.11.2021
SUSP_Cmd_Flags_U_C_Placeholder_Nov21
Detects suspicious use of cmd.exe with /u and /c flag and placeholder value
29.11.2021
SUSP_Cmd_Flags_U_C_Nov21
Detects suspicious use of cmd.exe with /u and /c flag
29.11.2021
APT_MAL_NK_Nov21_1
Detects unknown malware samples likely related to Kimsuky or another NK actor
29.11.2021
APT_MAL_NK_Lazarus_Nov21_1
Detects VSingle Lazarus malware
29.11.2021
APT_NK_Lazarus_Artefacts_Scan_Log_Nov21_1
Detects artefacts found after Lazarus group infections
29.11.2021
APT_NK_Lazarus_Torisma_BAK_Nov21_1
Detects encrypted .bak file artefacts found in Lazarus group activity
29.11.2021
MAL_Emotet_Nov21_1
Detects Emotet malware samples
29.11.2021
HKTL_EfsPotato_Variant_Nov21_1
Detects modified EfsPotato tool published in November 2021
29.11.2021
HKTL_ATPMiniDump_Nov21_1
Detects ATPMiniDump Tool
27.11.2021
HKTL_MatteoMalvica_Nov21_1
Detects process dumping tools made by Matteo uf0 Malvica
27.11.2021
SUSP_VSSADMIN_Resize_Nov21
Detects suspicious usage of vssadmin resizing the storage to low values
26.11.2021
SUSP_LNX_SH_CURL_Insecure_HTTPS_IP_Nov21
Detects curl using insecure TLS connection to IP addresses via HTTPS
26.11.2021
SUSP_Base64_Encoded_Base64Decode_String_Nov21
Detects suspicious base64 encoded base64 decode string
26.11.2021
SUSP_Rundll32_DLL_Execution_Nov21
Detects rundll32 used to obfuscate the calling of other PE files
26.11.2021
SUSP_Keylogger_Indicators_Nov21_1
Detects characteristics found in keyloggers
25.11.2021
SUSP_Keylogger_Indicators_Nov21_2
Detects characteristics found in keyloggers
25.11.2021
SUSP_CredentialStealer_Indicators_Nov21_1
Detects indicators often found in credential dumpers
25.11.2021

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
SUSP_PUA_Splashtop_RemoteControl_Oct21
0.26
27
HKTL_RMM_Client_Aug21_1
0.31
16
HKTL_PY_Bypass_Tool_Aug21_2
0.5
20
SUSP_Tiny_RAR_Mar21_1
0.67
414
SUSP_VBS_Jul21_1
1.76
17
WEBSHELL_PHP_BeginsWith_eval_Sep21
1.8
154
SUSP_RootHelper_Indicators_Jun21_1
2.4
42
HKTL_PUA_ShadowSocks_Simplified_Chinese_Jul21
2.41
17
SUSP_User_Folder_PDB_Dec21_1
2.67
18
SUSP_OBFUSC_JS_Sep21_1
2.98
53
SUSP_Small_EXE_Drive_Ref_May21_1
3.18
11
PUA_TightVNC_Server_Oct21
3.55
31
HKTL_PY_Loader_Feb21_2
3.63
16
SUSP_WEBSHELL_JPEG_PHP_Code_Dec20_1
3.74
23
HKTL_LNX_GenShell_Feb21_1
3.84
19
SUSP_PUA_ScreenConnect_Client_Setup_Oct21_1
3.93
184
HKTL_AMSIBypass_Tool_OpCode_Indicators_May21_1
4.86
28
SUSP_LNX_Reverse_Shell_Indicator_Jun21_2
5.13
16
PUA_SUSP_ScreenConnect_Feb21
5.17
134
SUSP_PyInstaller_Characteristics_Mar21_1
5.3
40
SUSP_HKTL_UltraFileScan_Jan21_1
5.77
13
SUSP_PY_OBFUSC_RevShell_Feb21_1
5.81
21
HKTL_PUA_FRP_FastReverseProxy_Oct21_1
6.03
40
SUSP_Encoded_PowerShell_Policies_Sep21_1
6.26
130
SUSP_BAT_to_EXE_Converter_Jul21_1
6.38
47
SUSP_MAL_Packer_Dec20_1
6.67
48
HKTL_Swind2_Gdrv_Loader_Apr21_1
6.77
26
SUSP_BAT_OBFUSC_ENV_Obfuscation_Apr21_1
6.93
14
SUSP_Recon_Suspicious_Dirs_Sep21_1
7.09
11
SUSP_PS1_Loader_Indicators_Nov21_1
7.38
119

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_Base64_Encoded_Hex_Encoded_Code
8
3aadf60885df941e7f33137f60dea94d3dfc379abfdcaecb2ca291a06cbe9ad3
SUSP_Golang_Loader_Bypass_Generic_Keywords_Apr21
8
3aadf60885df941e7f33137f60dea94d3dfc379abfdcaecb2ca291a06cbe9ad3
SUSP_Go_ShellCode_Injector_Jul21_1
8
3aadf60885df941e7f33137f60dea94d3dfc379abfdcaecb2ca291a06cbe9ad3
SUSP_ELF_LNX_UPX_Compressed_File
7
8d23f06667dac1a41f9868fc73911ccef675526d86943156b130a83cb99617c7
PUA_SUSP_ScreenConnect_Feb21
5
b9c4865a8e3b90120eb01acd3a1e5a99cf651dceac7fa6c2cf163c697e2351c0
SUSP_PUA_ScreenConnect_Client_Setup_Oct21_1
5
b9c4865a8e3b90120eb01acd3a1e5a99cf651dceac7fa6c2cf163c697e2351c0
SUSP_LNX_Small_UPX_File_Jun21
7
8d23f06667dac1a41f9868fc73911ccef675526d86943156b130a83cb99617c7
SUSP_Small_Loader_Characteristics_Apr21_1
5
a98cd8e237260a343b47f28ffb220f9ffa0bcdcc810e7710a64dcd37290183ec
SUSP_Administrator_Desktop_Reference
13
8733968d7feeb424c8171f5605fc215ec29d15dd0664f29b242596829a3a3264
Mal_Doc_Mar18_1_Mundial
13
24ceb474d2d9e388ce6e31f674ff15cdd5fe925e9b7220a29a953e45cd61dace
DOC_VBA_EXE_Strings_Content
13
24ceb474d2d9e388ce6e31f674ff15cdd5fe925e9b7220a29a953e45cd61dace
SUSP_Base64_Encoded_UserAgent_String
1
fb96669387c5a23d82245ffafd1753cc292a7e0719e8a209a6982176c5df019c
SUSP_VBA_Rundll32_Reference_Mar21_1
13
24ceb474d2d9e388ce6e31f674ff15cdd5fe925e9b7220a29a953e45cd61dace
SUSP_WordDoc_VBA_EXE_Methods_Combo
13
24ceb474d2d9e388ce6e31f674ff15cdd5fe925e9b7220a29a953e45cd61dace
Office_AutoOpen_Macro
13
24ceb474d2d9e388ce6e31f674ff15cdd5fe925e9b7220a29a953e45cd61dace
SUSP_IMG_Small_Exe_Content_Apr21
12
363f8729e4c8bd9ca16471ba2ab3e1820a936f424fb54801ba58bb4117e541eb
SUSP_PS1_PowerShell_Expression_Jul21_1
3
6185aad53aeb7afee62ecaa9d9135cc53fa26f790335816745f68722b3777dd7
SUSP_Script_PS1_Indicators_Mar21_2
3
6185aad53aeb7afee62ecaa9d9135cc53fa26f790335816745f68722b3777dd7
SUSP_Bash_PortScanner_Characteristics_Apr21
7
43da4897c714e2b897a51db14adacfd9cea38001cb448b6e875ec60f9267c692
SUSP_LNX_Reverse_Shell_Exec_Indicator_Jun21_2
7
43da4897c714e2b897a51db14adacfd9cea38001cb448b6e875ec60f9267c692

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
4501
APT
3960
Hacktools
3393
Threat Hunting
2720
Webshells
2085
Exploits
377

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020