Valhalla Logo
currently serving 19860 YARA rules and 3345 Sigma rules
API Key

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule
Description
Date
Ref
WEBSHELL_OBFUSC_PHP_Indicators_Sep23
Detects base64 obfuscated indicators of obfuscation in a web shell
27.09.2023
HKTL_EXPL_POC_CVE_2022_21882_Sept23
Detects exploit POCs for CVE-2022-21882
27.09.2023
MAL_NetSpawn_Implant_Sep23
Detects NetSpawn malware implants
27.09.2023
SUSP_Implant_Indicators_Sep23_1
Detects unknown implants noticed in September 2023
27.09.2023
SUSP_HTML_JS_Encoded_Pattern_Sep23
Detects pattern found in malicious HTML files that contain embedded JavaScript code
27.09.2023
SUSP_OBFUSC_JS_Encoded_Pattern_Sep23
Detects pattern found in files that contain embedded and obfuscated JavaScript code
27.09.2023
WEBSHELL_PHP_Rootkitninja_Sep23
Detects string found in different web shells
25.09.2023
MAL_RANSOM_Snatch_Sep23
Detects Snatch ransomware
25.09.2023
MAL_CVE_2023_36884_Characteristics_Sep23_1
Detects characteristics seen in CVE-2023-36884
25.09.2023
MAL_CVE_2023_36884_Characteristics_Sep23_2
Detects characteristics seen in CVE-2023-36884
25.09.2023
MAL_PS1_Bbtok_Banker_Sep23_2
Detects PowerShell script that controls the payload distribution of Bbtok banker malware
24.09.2023
MAL_Bbtok_Banker_Loader_Downloader_Sep23
Detects Bbtok banker loader downloader
24.09.2023
MAL_PS1_Bbtok_Sep23_1
Detects PowerShell script executing the next stage payload of Bbtok banker
24.09.2023
SUSP_LNK_MSBuild_Usage_Sep23
Detects LNK building an application using MSBuild
24.09.2023
MAL_Mango_Backdoor_Sep23
Detects Mango backdoor seen used by the OilRig APT group
24.09.2023
HKTL_Browser_Data_Dumper_Sep23
Detects browser data dumper/hack tool seen used by the OilRig APT group
24.09.2023
MAL_JS_Dropping_ZIP_File_Sep23
Detects a JavaScript file that drops a ZIP file
22.09.2023
APT_MAL_Malstaticnoise_Downloader_Sep23
Detects Malstaticnoise downloader related to APT29
22.09.2023
MAL_SprySOCKS_Backdoor_Sep23
Detects SprySOCKS backdoor seen used by Earth Lusca TA
22.09.2023
MAL_Mandibule_Loader_Sep23
Detects Mandibule loader seen used by Earth Lusca TA
22.09.2023
MAL_QAssist_Rootkit_Sep23
Detects QAssist rootkit
22.09.2023
MAL_Rust_Implant_Sep23
Detects a Rust implant that gathers system information
22.09.2023
MAL_HTTPSnoop_Backdoor_Sep23
Detects HTTPSnoop backdoor
20.09.2023
MAL_HTTPSnoop_DLL_Loader_Sep23
Detects HTTPSnoop loader
20.09.2023
SUSP_RDP_Suspicious_Indicators_Sep23
Detects suspicious .rdp file content, which could indicate a phishing attempt
19.09.2023
EXPL_SUSP_Juniper_FW_CVE_2023_36845_Sep23
Detects URI pattern found in log files of exploited Juniper appliances
19.09.2023
SUSP_ClassID_Pattern_Sep23_1
Detects suspicious CLSID as used in malicious scripts
18.09.2023
SUSP_ClassID_Pattern_Sep23_2
Detects suspicious CLSID as used in malicious scripts
18.09.2023
SUSP_Keylogger_Decoder_Sep23
Detects potential decoder that decrypts the content recorded by a keylogger, seen used by APT-C-60
17.09.2023
SUSP_Installer_Sep23
Detects potential malware that copies specific files and registering them in the registry, seen used by APT-C-60
17.09.2023

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
MAL_GuLoader_Shellcode_Oct22_3
0.0
20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1
0.04
180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1
0.21
14
SUSP_BAT_OBFUSC_Apr23_2
0.59
64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File
0.64
11
SUSP_PUA_RustDesk_Apr23_1
0.68
22
SUSP_BAT_PS1_Combo_Jan23_2
0.71
45
SUSP_JS_OBFUSC_Feb23_2
1.04
1736
SUSP_WEvtUtil_ClearLogs_Sep22_1
1.12
43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23
1.19
21
SUSP_OBFUSC_PY_Loader_Jun23_1
1.48
21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1
2.07
14
SUSP_URL_Split_Jun23
2.5
18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23
2.69
13
PUA_RuskDesk_Remote_Desktop_Jun23_1
2.78
18
SUSP_JS_Redirector_Mar23
2.81
108
SUSP_JS_Executing_Powershell_Apr23
3.14
274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1
3.25
16
SUSP_OBFUSC_JS_Execute_Base64_Mar23
3.26
34
SUSP_Encoded_Registry_Key_Paths_Sep22_1
3.39
64
SUSP_PE_OK_RU_URL_Jun23
3.59
17
HKTL_Clash_Tunneling_Tool_Aug22_2
3.75
16
SUSP_PY_OBFUSC_Hyperion_Aug22_1
4.0
13
SUSP_BAT_OBFUSC_Apr23_1
4.0
16
SUSP_RANSOM_Note_Aug22
4.01
171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2
4.52
67
SUSP_BAT_PS1_Contents_Jan23_1
5.11
18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
5.33
12
SUSP_BAT_OBFUSC_Apr23_4
5.35
26
SUSP_OBFUSC_BAT_Dec22_1
5.84
31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
SUSP_Destructive_Indicators_May21_1
13
f94736223bd2288083686c392d4ae22b709b2a25eba58eb9cb8ba3bdcb6851b3
SUSP_PE_Discord_Attachment_Oct21_1
13
f94736223bd2288083686c392d4ae22b709b2a25eba58eb9cb8ba3bdcb6851b3
SUSP_OBFUSC_JS_May22_1
11
93a2114240c13f52ef7d944ae248aebb1f2b0a08e3e7954cb0d6c6af4c879b35
SUSP_Ngrok_Tunnel_Endpoint_Nov22_1
1
85044b7c47405bf3e74364fefb5f95cde97235766bbd5cef9db65e3e6eef804e
HKTL_Ngrok_PUA_May21
1
85044b7c47405bf3e74364fefb5f95cde97235766bbd5cef9db65e3e6eef804e
HKTL_PUA_PE_Ngrok
1
85044b7c47405bf3e74364fefb5f95cde97235766bbd5cef9db65e3e6eef804e
SUSP_CharCode_Obfuscation
1
5c3b8af1c0d8636e90278eb97a42fab0352379446709c2083be5aa6f34f1ea8f
SUSP_OBFUSC_JS_May22_1
2
ae1d404f2fdbf70315f098a0c8604b015a48f9a13b59bc069777ad9f9573d294
SUSP_Go_Process_Injection_Indicators_Jan23
7
aa3f0f3c0439690011c076e27e9d648605ba6d3a927ca8c19747e9d4952180a7
SUSP_Go_Loader_Indicators_Mar23_1
7
aa3f0f3c0439690011c076e27e9d648605ba6d3a927ca8c19747e9d4952180a7
SUSP_Go_Binject_PE_Lib_Mar23
7
aa3f0f3c0439690011c076e27e9d648605ba6d3a927ca8c19747e9d4952180a7
SUSP_OBFUSC_JS_May22_1
9
388c621a48c53758cd1baa4825ff09d4301dd66b091c0be097103176b595be68
SUSP_Go_Process_Injection_Indicators_Jan23
9
cd3c3efc856ad895baf915ba4f38438d0231c6eeba36c5f4a1fe283250c66631
SUSP_PE_Discord_Attachment_Oct21_1
12
6f6da76bed1eb6da4ec56619b0527b59a11b9f9b6130d11fc8e74e65e6a98297
SUSP_Go_Loader_Indicators_Mar23_1
9
cd3c3efc856ad895baf915ba4f38438d0231c6eeba36c5f4a1fe283250c66631
SUSP_Go_Binject_PE_Lib_Mar23
9
cd3c3efc856ad895baf915ba4f38438d0231c6eeba36c5f4a1fe283250c66631
SUSP_B64_Atob_Aug23
4
22ce52cbb6538a6c01f02b097517ef44ed1b7434c5fed68aeb1ec56e2be922e4
SUSP_Go_Binject_PE_Lib_Mar23
6
ad5bc511b2e734e80acd8b7690d0029a82886135b23dbf90efedd017d67329d5
SUSP_Go_Process_Injection_Indicators_Jan23
6
ad5bc511b2e734e80acd8b7690d0029a82886135b23dbf90efedd017d67329d5
SUSP_Go_Loader_Indicators_Mar23_1
6
ad5bc511b2e734e80acd8b7690d0029a82886135b23dbf90efedd017d67329d5

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
5640
APT
4743
Threat Hunting (not subscribable, only in THOR scanner)
4723
Hacktools
4328
Webshells
2258
Exploits
587

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule
Description
Date
Ref
Info
Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
18.09.2023
New Federated Domain Added
Detects the addition of a new Federated Domain.
18.09.2023
Access To .Reg/.Hive Files By Uncommon Application
Detects file access requests to files ending with either the ".hive"/".reg" extension, usally associated with Windows Registry backups.
15.09.2023
Diskshadow Script Mode - Execution From Potential Suspicious Location
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
15.09.2023
Diskshadow Script Mode - Uncommon Script Extension Execution
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
15.09.2023
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
15.09.2023
Invalid PIM License
Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
14.09.2023
Roles Assigned Outside PIM
Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
14.09.2023
Roles Activated Too Frequently
Identifies when the same privilege role has multiple activations by the same user.
14.09.2023
Roles Activation Doesn't Require MFA
Identifies when a privilege role can be activated without performing mfa.
14.09.2023
Roles Are Not Being Used
Identifies when a user has been assigned a privilege role and are not using that role.
14.09.2023
Too Many Global Admins
Identifies an event where there are there are too many accounts assigned the Global Administrator role.
14.09.2023
Stale Accounts In A Privileged Role
Identifies when an account hasn't signed in during the past n number of days.
14.09.2023
Malicious IP Address Sign-In Suspicious
Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
07.09.2023
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.
07.09.2023
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
07.09.2023
Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
07.09.2023
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
07.09.2023
Primary Refresh Token Access Attempt
Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
07.09.2023
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
07.09.2023
Malicious IP Address Sign-In Failure Rate
Indicates sign-in from a malicious IP address based on high failure rates.
07.09.2023
Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
05.09.2023
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
05.09.2023
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
05.09.2023
VMMap Signed Dbghelp.DLL Potential Sideloading
Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
05.09.2023
Old TLS1.0/TLS1.1 Protocol Version Enabled
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
05.09.2023
ADS Zone.Identifier Deleted By Uncommon Application
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
04.09.2023
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
04.09.2023
ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
04.09.2023
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
04.09.2023

YARA/SIGMA Rule Count

Rule Type
Community Feed
Nextron Private Feed
Yara
2935
16925
Sigma
3022
323

Sigma Rules Per Category (Community)

Type
Count
windows / process_creation
1146
windows / registry_set
176
windows / file_event
168
windows / ps_script
165
windows / security
145
linux / process_creation
104
windows / image_load
94
windows / system
70
webserver
68
macos / process_creation
49
proxy
49
linux / auditd
49
windows / network_connection
44
azure / activitylogs
38
windows / registry_event
37
azure / auditlogs
33
windows / ps_module
32
aws / cloudtrail
32
windows / process_access
27
windows / application
24
azure / signinlogs
24
okta / okta
19
azure / riskdetection
19
windows / pipe_created
18
linux
17
rpc_firewall / application
17
windows / driver_load
16
windows / dns_query
14
gcp / gcp.audit
14
windows / create_remote_thread
13
m365 / threat_management
13
windows / windefend
12
cisco / aaa
12
windows / file_delete
12
windows / ps_classic_start
11
windows / codeintegrity-operational
10
windows / create_stream_hash
9
windows / registry_add
9
linux / file_event
9
windows / firewall-as
8
windows / msexchange-management
8
dns
8
antivirus
7
windows / appxdeployment-server
7
azure / pim
7
windows / bits-client
7
github / audit
7
zeek / smb_files
7
windows / registry_delete
6
google_workspace / google_workspace.admin
6
azure / azureactivity
5
jvm / application
5
windows / file_access
5
windows / dns-client
5
zeek / dce_rpc
4
zeek / dns
4
windows / taskscheduler
3
windows / wmi_event
3
linux / network_connection
3
windows / powershell-classic
3
windows / ntlm
3
linux / sshd
3
windows / sysmon
3
zeek / http
3
windows / dns-server
2
apache
2
onelogin / onelogin.events
2
macos / file_event
2
qualys
2
windows / file_change
2
firewall
2
windows / security-mitigations
2
linux / syslog
2
spring / application
2
m365 / audit
2
windows / file_rename
2
zeek / rdp
1
windows / diagnosis-scripted
1
sql / application
1
m365 / threat_detection
1
zeek / kerberos
1
windows / terminalservices-localsessionmanager
1
windows / process_tampering
1
database
1
windows / driver-framework
1
windows
1
windows / sysmon_error
1
nginx
1
windows / printservice-operational
1
windows / dns-server-analytic
1
windows / ps_classic_provider_start
1
windows / printservice-admin
1
windows / lsa-server
1
windows / wmi
1
windows / smbclient-connectivity
1
netflow
1
cisco / ldp
1
linux / auth
1
cisco / bgp
1
windows / ldap_debug
1
linux / cron
1
windows / appmodel-runtime
1
windows / openssh
1
windows / raw_access_thread
1
linux / guacamole
1
huawei / bgp
1
windows / applocker
1
nodejs / application
1
juniper / bgp
1
windows / appxpackaging-om
1
python / application
1
linux / clamav
1
django / application
1
windows / capi2
1
windows / shell-core
1
windows / certificateservicesclient-lifecycle-system
1
windows / microsoft-servicebus-client
1
zeek / x509
1
windows / file_block
1
velocity / application
1
linux / sudo
1
windows / smbclient-security
1
windows / sysmon_status
1
ruby_on_rails / application
1
m365 / exchange
1
linux / vsftpd
1

Sigma Rules Per Category (Nextron Private Feed)

Type
Count
windows / process_creation
141
windows / ps_script
42
windows / wmi
29
windows / registry_set
20
windows / file_event
12
proxy
11
windows / system
9
windows / image_load
7
windows / security
6
windows / network_connection
5
windows / create_remote_thread
4
linux / process_creation
3
webserver
3
windows / pipe_created
3
windows / ps_classic_script
3
windows / ps_module
3
windows / vhd
3
windows / registry_event
3
windows / driver_load
2
windows / bits-client
2
windows / taskscheduler
2
windows / dns_query
1
windows / registry-setinformation
1
macos / process_creation
1
windows / file_access
1
windows / file_delete
1
windows / amsi
1
windows / application
1
windows / audit-cve
1
windows / process_access
1
windows / registry_delete
1

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022