currently serving 17891 YARA rules and 2910 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set.

| Rule | Description | Date |
|---|---|---|
| SUSP_RANSOM_ESX_Indicators_Feb23_1 | Detects characteristics found in ransomware scripts or binaries affecting the VMWare ESX/ESXi platform | 06.02.2023 |
| SUSP_LNX_Compression_Artifact_Feb23 | Detects a compression artifact often found when a Linux ELF binary with malicious content gets UPX compressed | 06.02.2023 |
| MAL_RANSOM_SH_ESXi_Attacks_Feb23_2 | Detects script used in ransomware attacks exploiting and encrypting ESXi servers | 06.02.2023 |
| HKTL_LPE_RasmanPotato_Feb23_1 | Detects RasmanPotato local privilege escalation (LPE) tool | 06.02.2023 |
| EXPL_PY_ManageEngine_CVE_2022_47966_Feb23_1 | Detects Python code that exploits CVE-2022-47966 in ManageEngine | 06.02.2023 |
| SUSP_PY_Tool_Feb23_1 | Detects Python code that imports a set of suspicious modules | 06.02.2023 |
| WEBSHELL_JAVA_Reverse_Shell_Feb23_1 | Detects indicators found in JAVA reverse shells | 06.02.2023 |
| HKTL_JAVA_Reverse_Shell_Feb23_1 | Detects indicators found in JAVA based keyloggers | 06.02.2023 |
| SUSP_JAVA_Class_Loader_Indicators_Feb23_1 | Detects loader indicators found in JAR files | 06.02.2023 |
| SUSP_ShellStorm_Shell_Feb23 | Detects ShellStorm shells - different short reverse shells | 04.02.2023 |
| SUSP_Shell_Pipe_Redirect_Feb23 | Detects suspicious pipe redirect often used in scripts that tunnel connections | 04.02.2023 |
| SUSP_Ngrok_Indicators_Feb23_1 | Detects suspicious ngrok.io reference often used in tunneling scripts | 04.02.2023 |
| SUSP_RANSOM_ELF_Indicators_Feb23_1 | Detects suspicious characteristics found in obfuscated JavaScript code | 04.02.2023 |
| SUSP_Webhook_Site_URL_Feb23_1 | Detects suspicious URL pointing to webhook.site domain | 04.02.2023 |
| SUSP_BlowFish_Online_DomainTools_URL_Feb23_1 | Detects suspicious URL pointing to Blowfish.Online-DomainTools domain | 04.02.2023 |
| SUSP_Donut_ShellCode_Characteristics_Feb23 | Detects characteristics found in loader.bin files generated by Donut | 04.02.2023 |
| SUSP_ShellCode_Indicator_Feb23 | Detects byte sequences found in shellcode | 04.02.2023 |
| SUSP_Rust_Stealer_Feb23_1 | Detects characteristics found in Rust based credential stealers | 04.02.2023 |
| SUSP_LPE_Indicators_Feb23_1 | Detects suspicious indicator often found in local privilege escalation (LPE) tools | 04.02.2023 |
| MAL_RANSOM_SH_ESXi_Attacks_Feb23_1 | Detects script used in ransomware attacks exploiting and encrypting ESXi servers - file encrypt.sh | 04.02.2023 |
| MAL_RANSOM_ELF_ESXi_Attacks_Feb23_1 | Detects ransomware exploiting and encrypting ESXi servers | 04.02.2023 |
| HKTL_DynamicAssemblyLoader_Feb23_2 | Detects characteristics found in DynamicAssemblyLoader | 04.02.2023 |
| HKTL_CLion_Feb23_1 | Detects unknown hack tool named CLion | 04.02.2023 |
| HKTL_Rust_Reverse_Shell_Indicators_Feb23_1 | Detects small Go based reverse shells | 04.02.2023 |
| HKTL_Go_Reverse_Shell_Indicators_Feb23_1 | Detects small Go based reverse shells | 04.02.2023 |
| HKTL_PUA_THC_IPV6_Enum_Feb23 | Detects IPv6 tools written by vanhauser | 04.02.2023 |
| HKTL_EXPL_VMWare_2021_21974_Feb23 | Detects suspicious pipe redirect often used in scripts that tunnel connections | 04.02.2023 |
| HKTL_TINY_Reverse_Shell_Feb23_1 | Detects characteristics found in small reverse shell PE files | 04.02.2023 |
| HKTL_RToolZ_Process_Dumpers_Feb23_1 | Detects process dumper using the Sysinternals Process Explorer driver | 04.02.2023 |
| MAL_RANSOM_WIN_Nevada_Indicators_Feb23_1 | Detects indicators found in Nevada ransomware | 04.02.2023 |

Successful YARA Rules in Set

This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days).

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 5260 |
| HKTL_BrowserInBrowser_Phishing_PoC_Mar22_1 | 0.38 | 16 |
| SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 0.87 | 23 |
| SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 1.2 | 30 |
| SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22 | 1.24 | 33 |
| HKTL_PUA_SystemInformer_Nov22_1 | 1.32 | 22 |
| SUSP_PS1_Loader_Indicators_Jul22_6 | 1.5 | 54 |
| HKTL_Clash_Tunneling_Tool_Aug22_2 | 1.5 | 22 |
| SUSP_OBFUSC_obfs4_May22 | 1.52 | 115 |
| HKTL_PUA_SystemInformer_Nov22_2 | 1.57 | 65 |
| PUA_NetSupport_Apr22 | 1.66 | 552 |
| SUSP_PS1_OBFUSC_Backtick_Add_MpPreference_Jan23_1 | 1.82 | 11 |
| SUSP_PS1_OBFUSC_Backtick_Invoke_WebRequest_Jan23_1 | 1.82 | 11 |
| HKTL_CS_BOF_AMD_Ryzen_Exploit_Jan23_1 | 1.91 | 11 |
| SUSP_PY_Exec_Import_Aug22_1 | 1.95 | 21 |
| SUSP_Dropper_Indicator_Jan23 | 2.0 | 11 |
| WEBSHELL_PHP_Jul22_4 | 2.0 | 25 |
| SUSP_ISO_PhishAttachment_Password_In_Body_Jun22_1 | 2.1 | 78 |
| SUSP_BAT_Rundll32_May22_1 | 2.17 | 12 |
| SUSP_ISO_In_ZIP_Small_May22_1 | 2.44 | 43 |
| SUSP_Encoded_IWR_Jun22 | 2.69 | 619 |
| SUSP_JS_OBFUSC_Base64_Combo_Jul22_1 | 3.04 | 139 |
| SUSP_VBA_Kernel32_Imports_Jun22_1 | 3.24 | 79 |
| SUSP_CertUtil_Encode_Feb22_1 | 3.69 | 13 |
| SUSP_MSF_MSFVenom_Indicator_Jan23_1 | 3.76 | 17 |
| SUSP_MkFifo_Tmp_Jul22 | 4.07 | 15 |
| SUSP_Compromised_Cert_DarkUtilities_Aug22 | 4.21 | 57 |
| SUSP_LNX_Reverse_Shell_Indicators_Jul22 | 4.25 | 12 |
| SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_2 | 4.28 | 46 |
| SUSP_PS1_Loader_Indicators_Dec22_2 | 4.44 | 34 |

Latest YARA Matches with Low AV Detection Rate

This table lists the latest matches with low AV detection rates (between 0 and 15 AV engines matched).

| Rule | AVs | Hash |
|---|---|---|
| Casing_Anomaly_SystemRoot | 7 | 9ccc9966349fc3b4cf9d04023f74fffe092d07e2958f98d23def9a1a90750bb1 |
| SUSP_OBFUSC_May21_1 | 11 | b15c7d36249795c513624db09307e4742e7443c770688122b2e442f2bad2bbd3 |
| SUSP_Malicious_Doc_Template_Dropper_Settings_Xml | 4 | 0396b095254dc1f74b7afb90bfdedd67330701a3b667fa0205ca65855a60377c |
| EXPL_Office_TemplateInjection | 4 | 0396b095254dc1f74b7afb90bfdedd67330701a3b667fa0205ca65855a60377c |
| SUSP_Malicious_Doc_Template_Dropper_Settings_Xml | 4 | 29111bdb87cfb8daaa073b5871c77cc978620e6df500d0874de5fc9ff0a3bb26 |
| EXPL_Office_TemplateInjection | 4 | 29111bdb87cfb8daaa073b5871c77cc978620e6df500d0874de5fc9ff0a3bb26 |
| SUSP_JS_WScriptShell_Folder_Combo_May22_1 | 4 | 26679388d8e4f4f52f1f272a6b423ba7ab40882eaa77735a1a63f7e2927e368c |
| SUSP_JS_OBFUSC_Base64_Combo_Jul22_1 | 3 | cb7e50865c4325c228093d7a7b7db9920648d137692a8d0a377c2d67f3fd84c3 |
| SUSP_Encoded_AppData | 8 | 56c42ca147f861544eace1d482a1636586842ec0e0b5cdb7228e673daa56bfa9 |
| SUSP_Encoded_Schtasks_Create | 8 | 56c42ca147f861544eace1d482a1636586842ec0e0b5cdb7228e673daa56bfa9 |
| SUSP_Encoded_GetProcAddress | 8 | 56c42ca147f861544eace1d482a1636586842ec0e0b5cdb7228e673daa56bfa9 |
| SUSP_7zSFX_Packed_EXE_with_Microsoft_Copyright | 6 | 1f1c604ce2cee2168400eb264e549b4fa099b40a3b83c329ed1032170f1fab25 |
| SUSP_PE_Themida_Packed_Nov22 | 6 | 6959fc1fd7627df62bf9db508dc479520b8123fd624aefbc487c77ce83cc8c02 |
| SUSP_7zSFX_Packed_EXE_with_Microsoft_Copyright | 6 | 4b96284bed9bca1112d7cdf217ff3a9006f80c660bc92ea7c8a6c36a1ba1a5d1 |
| SUSP_Protector_Themida_Packed_Samples_Mar21_1 | 5 | 7bf32fa7944dd1df67c74960c3dd4d64570abd26e02b539bde9cfc522080628e |
| SUSP_PE_Themida_Packed_Nov22 | 5 | 7bf32fa7944dd1df67c74960c3dd4d64570abd26e02b539bde9cfc522080628e |
| SUSP_PE_Themida_Packed_Nov22 | 5 | 32f938d81188473aad58d05ce9c95ce589d42a9619a1b6e47ab6e98f4e879969 |
| SUSP_LNX_Reverse_Shell_Indicator_PowerShell_Jun21_1 | 4 | 42a970d5fd0e956d58bdb74dafc44a59c53a1d8709a3dda01fe4f90d0a2c395f |
| SUSP_Hacktool_Authors_Mar21_1 | 4 | 42a970d5fd0e956d58bdb74dafc44a59c53a1d8709a3dda01fe4f90d0a2c395f |
| SUSP_PS1_IEX_Pattern_Oct21_1 | 4 | 42a970d5fd0e956d58bdb74dafc44a59c53a1d8709a3dda01fe4f90d0a2c395f |

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in several categories).

| Tag | Count |
|---|---|
| Malware | 6881 |
| APT | 4614 |
| Hacktools | 4585 |
| Threat Hunting (not subscribable, only in THOR scanner) | 4184 |
| Webshells | 2210 |
| Exploits | 782 |

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set.

| Rule | Description | Date |
|---|---|---|
| Nltest.EXE Execution | Detects nltest commands that can be used for information discovery | 03.02.2023 |
| New Generic Credentials Added Via Cmdkey.EXE | Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via the command line interface. | 03.02.2023 |
| Windows Share Mounted Via Net.EXE | Detects when a share is mounted using the "net.exe" utility | 02.02.2023 |
| New Process Created In Context Of AppX Package - PsScript | Detects the usage of the "Invoke-CommandInDesktopPackage" cmdlet to spawn processes in the context of an AppX package, in order to gain access to its virtualized file system and registry | 01.02.2023 |
| Potential Suspicious PowerShell Script Executed | Detects the execution of potentially suspicious PowerShell scripts residing in suspicious paths | 01.02.2023 |
| New Assemblies Installed Via Gacutil.EXE | Detects the addition of new assemblies to the global assembly cache (GAC) via the "Gacutil" utility | 01.02.2023 |
| New Suspicious Assemblies Installed Via Gacutil.EXE | Detects the addition of new assemblies to the global assembly cache (GAC) via the "Gacutil" utility from suspicious locations | 01.02.2023 |
| New Process Created In Context Of AppX Package - ProcCreation | Detects the usage of the "Invoke-CommandInDesktopPackage" cmdlet to spawn processes in the context of an AppX package, in order to gain access to its virtualized file system and registry | 01.02.2023 |
| AllowProtectedRenames Registry Value Enabled | Detects enabling of the "AllowProtectedRenames" registry value, which gives a program the ability to replace protected files. | 01.02.2023 |
| Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript | Detects usage of "Add-AppxPackage" or its alias "Add-AppPackage" to install unsigned AppX packages | 31.01.2023 |
| Copy Passwd Or Shadow From TMP Path | Detects when the file "passwd" or "shadow" is copied from a tmp path | 31.01.2023 |
| Unsigned AppX Installation Attempt Using Add-AppxPackage | Detects usage of "Add-AppxPackage" or its alias "Add-AppPackage" to install unsigned AppX packages | 31.01.2023 |
| Clipboard Data Collection Via OSAScript | Detects possible collection of data from the clipboard via execution of the osascript binary | 31.01.2023 |
| JXA In-memory Execution Via OSAScript | Detects possible malicious execution of JXA in-memory via OSAScript | 31.01.2023 |
| OSACompile Run-Only Execution | Detects potentially suspicious run-only executions compiled using OSACompile | 31.01.2023 |
| Suspicious Microsoft Office Child Process - MacOS | Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution | 31.01.2023 |
| PowerShell Base64 Encoded WMI Classes | Detects calls to base64 encoded WMI classes such as "Win32_Shadowcopy" | 30.01.2023 |
| New Github Organization Member Added | Detects when a new member is added or invited to a GitHub organization. | 29.01.2023 |
| Github High Risk Configuration Disabled | Detects when a user disables a critical security feature for an organization. | 29.01.2023 |
| Potential PendingFileRenameOperations Tamper | Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename after reboot. | 27.01.2023 |
| Github Self Hosted Runner Changes Detected | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, a self-hosted runner configuration change should be validated in the GitHub UI because the log entry may not provide full context. | 27.01.2023 |
| Outdated Dependency Or Vulnerability Alert Disabled | Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories. | 27.01.2023 |
| Rhadamanthys Stealer Module Launch Via Rundll32.EXE | Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of the Rhadamanthys infostealer, as observed in reports and samples in early 2023 | 26.01.2023 |
| VsCode Child Process Anomaly | Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles. | 26.01.2023 |
| Potential Suspicious BPF Activity - Linux | Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system. | 25.01.2023 |
| Enable BPF Kprobes Tracing | Detects a common command used to enable BPF kprobes tracing | 25.01.2023 |
| Enigma Stealer Traffic | Detects Enigma stealer GET requests used to retrieve data from the C2 | 23.01.2023 |
| Black Basta Ransomware Patterns | Detects suspicious deletion patterns as observed in Black Basta intrusions | 23.01.2023 |
| WSL Child Process Anomaly | Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL | 23.01.2023 |
| Malicious PowerShell Scripts - PoshModule | Detects the execution of known offensive PowerShell scripts used for exploitation or reconnaissance | 23.01.2023 |

Sigma Rules Per Category (Community)

| Type | Count |
|---|---|
| windows / process_creation | 1017 |
| windows / ps_script | 158 |
| windows / registry_set | 150 |
| windows / security | 150 |
| windows / file_event | 128 |
| linux / process_creation | 67 |
| windows / system | 63 |
| webserver | 62 |
| windows / image_load | 61 |
| linux / auditd | 52 |
| azure / activitylogs | 38 |
| macos / process_creation | 37 |
| proxy | 37 |
| aws / cloudtrail | 37 |
| windows / network_connection | 36 |
| windows / registry_event | 35 |
| azure / auditlogs | 33 |
| windows / ps_module | 32 |
| windows / process_access | 26 |
| azure / signinlogs | 24 |
| windows / application | 21 |
| linux | 18 |
| rpc_firewall / application | 17 |
| windows / pipe_created | 17 |
| windows / driver_load | 15 |
| gcp / gcp.audit | 14 |
| m365 / threat_management | 13 |
| okta / okta | 13 |
| windows / create_remote_thread | 13 |
| windows / dns_query | 13 |
| dns | 12 |
| windows / ps_classic_start | 11 |
| windows / windefend | 11 |
| cisco / aaa | 11 |
| windows / registry_add | 10 |
| windows / file_delete | 8 |
| windows / msexchange-management | 8 |
| zeek / smb_files | 7 |
| windows / firewall-as | 7 |
| antivirus | 7 |
| windows / create_stream_hash | 7 |
| windows / appxdeployment-server | 7 |
| windows / bits-client | 7 |
| github / audit | 7 |
| windows / registry_delete | 6 |
| google_workspace / google_workspace.admin | 6 |
| firewall | 6 |
| linux / file_event | 5 |
| windows / dns-client | 5 |
| azure / azureactivity | 5 |
| zeek / dce_rpc | 5 |
| zeek / dns | 4 |
| windows / file_access | 4 |
| windows / codeintegrity-operational | 3 |
| linux / network_connection | 3 |
| zeek / http | 3 |
| windows / taskscheduler | 3 |
| apache | 3 |
| windows / powershell-classic | 3 |
| windows / wmi_event | 3 |
| windows / ntlm | 3 |
| windows / security-mitigations | 2 |
| windows / file_rename | 2 |
| windows / smbclient-security | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| qualys | 2 |
| linux / auth | 2 |
| windows / powershell | 2 |
| linux / sshd | 2 |
| windows / file_change | 2 |
| linux / syslog | 2 |
| windows / appxpackaging-om | 1 |
| python / application | 1 |
| windows / microsoft-servicebus-client | 1 |
| django / application | 1 |
| linux / sudo | 1 |
| windows / diagnosis-scripted | 1 |
| windows / shell-core | 1 |
| m365 / exchange | 1 |
| zeek / x509 | 1 |
| windows / sysmon | 1 |
| spring / application | 1 |
| m365 / threat_detection | 1 |
| linux / vsftpd | 1 |
| windows / sysmon_error | 1 |
| sql / application | 1 |
| zeek / rdp | 1 |
| windows / driver-framework | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / file_block | 1 |
| ruby_on_rails / application | 1 |
| zeek / kerberos | 1 |
| windows / dns-server-analytic | 1 |
| windows / process_tampering | 1 |
| modsecurity | 1 |
| windows / dns-server | 1 |
| database | 1 |
| cisco / accounting / aaa | 1 |
| windows / lsa-server | 1 |
| windows | 1 |
| windows / sysmon_status | 1 |
| netflow | 1 |
| windows / ps_classic_provider_start | 1 |
| cisco / ldp | 1 |
| windows / iis | 1 |
| windows / ldap_debug | 1 |
| windows / wmi | 1 |
| linux / cron | 1 |
| cisco / bgp | 1 |
| linux / clamav | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| huawei / bgp | 1 |
| azure / microsoft365portal | 1 |
| linux / guacamole | 1 |
| windows / applocker | 1 |
| windows / printservice-operational | 1 |
| juniper / bgp | 1 |
| windows / printservice-admin | 1 |
| windows / raw_access_thread | 1 |

Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
|---|---|
| windows / process_creation | 120 |
| windows / ps_script | 30 |
| windows / wmi | 27 |
| windows / registry_set | 14 |
| proxy | 10 |
| windows / file_event | 10 |
| windows / system | 8 |
| windows / security | 4 |
| windows / create_remote_thread | 4 |
| linux / process_creation | 3 |
| windows / registry_event | 3 |
| windows / image_load | 3 |
| webserver | 2 |
| windows / vhd | 2 |
| windows / driver_load | 2 |
| windows / pipe_created | 2 |
| windows / network_connection | 1 |
| windows / process_access | 1 |
| windows / application | 1 |
| windows / registry_delete | 1 |
| windows / registry-setinformation | 1 |
| windows / dns_query | 1 |
| windows / file_delete | 1 |
| windows / file_access | 1 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html