currently serving 20479 YARA rules and 3568 Sigma rules

Newest YARA Rules

This table shows the newest additions to the YARA rule set

| Rule | Description | Date |
|---|---|---|
| MAL_VNC_Viewer_Feb24 | Detects a VNC Viewer used by Lazarus APT | 20.02.2024 |
| APT_MAL_Lazarus_Backdoor_Feb24 | Detects a backdoor related to Lazarus APT | 20.02.2024 |
| MAL_RANSOM_Rust_Qilin_Loader_Feb24_1 | Detects Rust-based Qilin ransomware loader samples (same as used in the cyber attack on PSI) | 19.02.2024 |
| APT_MAL_Tinyturla_Feb24 | Detects Tinyturla backdoor, related to Turla APT group | 18.02.2024 |
| MAL_Alpha_Ransomware_Loader_Feb24 | Detects Alpha ransomware loader | 18.02.2024 |
| MAL_LVT_LOCKER_Feb24 | Detects LVT LOCKER | 18.02.2024 |
| EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 | Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook | 17.02.2024 |
| MAL_Packer_Feb24 | Detects a malicious packer usually used to deliver multiple families | 16.02.2024 |
| SUSP_Hacktool_Indicators_Feb24_1 | Detects strings often found in UAC bypass tools and other hack tools | 16.02.2024 |
| HKTL_UAC_Bypass_SspiUacBypass_Feb24_1 | Detects the UAC bypass tool called SspiUacBypass | 16.02.2024 |
| HKTL_BOF_Bonanza_Indicators_Feb24_1 | Detects indicators found in UAC-BOF-Bonanza extensions / modules | 16.02.2024 |
| SUSP_InflativeLoading_ShellCode_Feb24_1 | Detects samples encoded with the InflativeLoading tool | 16.02.2024 |
| MAL_RANSOM_MrAgent_Feb24_1 | Detects MrAgent ransomware samples | 16.02.2024 |
| MAL_VShell_Stager_Feb24_1 | Detects VShell stagers based on code similarity | 16.02.2024 |
| MAL_Packer_PKR_Ce1a_Feb24 | Detects a malicious packer usually used to deliver SmokeLoader, Vidar and more | 14.02.2024 |
| HKTL_EfiGuard_Feb24_1 | Detects EfiGuard, a UEFI bootkit that disables PatchGuard and Driver Signature Enforcement at boot time | 14.02.2024 |
| HKTL_EfiGuard_Feb24_2 | Detects EfiGuard, a UEFI bootkit that disables PatchGuard and Driver Signature Enforcement at boot time | 14.02.2024 |
| HKTL_EfiGuard_Feb24_3 | Detects EfiGuard, a UEFI bootkit that disables PatchGuard and Driver Signature Enforcement at boot time | 14.02.2024 |
| MAL_Glupteba_Backdoor_Feb24 | Detects Glupteba backdoor | 14.02.2024 |
| MAL_Synapse_Ransomware_Feb24 | Detects Synapse ransomware | 12.02.2024 |
| SUSP_Driver_Listing_Feb24 | Detects a DLL that produces a list of available drivers | 11.02.2024 |
| MAL_Downloader_UNC4990_Feb24_2 | Detects a downloader related to UNC4990 | 11.02.2024 |
| HKTL_Ssocks_Feb24 | Detects sSocks, a package with socks5 tools | 11.02.2024 |
| MAL_Fortinet_COATHANGER_Rel_Feb24 | Detects samples related to the COATHANGER malware samples found on Fortinet devices | 09.02.2024 |
| SUSP_PS1_IEX_Loader_Indicators_Feb24_1 | Detects suspicious characteristics as found in malicious PowerShell samples | 09.02.2024 |
| SUSP_OBFUSC_Base64_Char_Feb24 | Detects suspicious characteristics as found in obfuscated PowerShell samples | 09.02.2024 |
| SUSP_SMALL_Loader_Indicators_Feb24_1 | Detects suspicious characteristics as found in small script loaders that use PowerShell | 09.02.2024 |
| SUSP_SMALL_Loader_Indicators_Feb24_2 | Detects suspicious characteristics as found in small script loaders that use PowerShell | 09.02.2024 |
| HKTL_ATM_Loup_Feb24 | Detects Loup, a small CLI tool to cash out NCR devices (ATMs) | 09.02.2024 |
| SUSP_OBFUSC_PS1_Loader_Feb24_1 | Detects suspicious characteristics as found in obfuscated PowerShell loaders | 09.02.2024 |

Successful YARA Rules in Set

This table shows the best-performing rules, ranked by lowest average AV detection rate of the matched samples (rules created in the last 12 months, matches of the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20 |
| SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180 |
| SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14 |
| SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64 |
| SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11 |
| SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22 |
| SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45 |
| SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736 |
| SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43 |
| SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21 |
| SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21 |
| SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14 |
| SUSP_URL_Split_Jun23 | 2.5 | 18 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13 |
| PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18 |
| SUSP_JS_Redirector_Mar23 | 2.81 | 108 |
| SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274 |
| SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16 |
| SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34 |
| SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64 |
| SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17 |
| HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16 |
| SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13 |
| SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16 |
| SUSP_RANSOM_Note_Aug22 | 4.01 | 171 |
| SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67 |
| SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18 |
| SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12 |
| SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26 |
| SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31 |

Latest YARA Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines matched the sample)

| Rule | AVs | Hash (SHA256) |
|---|---|---|
| SUSP_Wextract_Anomaly_Unsigned_May23 | 4 | 26c6be3edd9b4f20b3f1ded225c99cfdf6105a5af781e2ba49aff6904ddaf111 |
| SUSP_Base64_Encoded_ISO_Image_Marker_Jan22 | 4 | 3f9b4feb4e1873482d13239dda6856c93052d0d595b93b1d342621a21f747133 |
| SUSP_OBFUSC_JS_Oct23_4 | 1 | ec72dd1d1652a5bc42e5702f54c94356560c87d5103796e8b7cd0a43b203845e |
| SUSP_JS_OBFUSC_Feb23_2 | 1 | ec72dd1d1652a5bc42e5702f54c94356560c87d5103796e8b7cd0a43b203845e |
| HKTL_P0wnedShell_Strings_Jan17 | 1 | d5d21d8c766bb08a82a185145cf407e12a093b988e9e392816ef2f15f17003eb |
| SUSP_Hacktool_Output_Strings_Feb16 | 1 | d5d21d8c766bb08a82a185145cf407e12a093b988e9e392816ef2f15f17003eb |
| SUSP_LNX_BASH_Discord_POST_Jun23 | 1 | 1cd4c7d1da3f25a4185f4c549fe2490fe6511b23699df596ce7de95d98c0f457 |
| SUSP_Encoded_GetProcAddress_Mar19 | 11 | 15cd356a3fdd3bffa2a568870bd13f12fbdeeeab490a09f2b6b39fef858c47e4 |
| SUSP_Defense_Evasion_Known_Hostnames_Jun23 | 11 | cdae73fc417f1662e7a9ef271eafab4231b976b2348c8c42e64ab041334c1a8a |
| SUSP_Defense_Evasion_Known_Usernames_Jun23 | 11 | cdae73fc417f1662e7a9ef271eafab4231b976b2348c8c42e64ab041334c1a8a |
| SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23 | 2 | 2fa0ae9909b196beeaffc46903a9c0ca96f3556453bf73918919a734301c6ebf |
| SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 4 | f12ab48d41cd5e5e9b138d7bddf53266c070b7b5b7d09834cfdb82d1d718c08a |
| SUSP_B64_Atob_Aug23 | 4 | f12ab48d41cd5e5e9b138d7bddf53266c070b7b5b7d09834cfdb82d1d718c08a |
| SUSP_MSIL_NET_OBF_ConfuserEx_Constants_Jul23 | 4 | 526d35d2b47a3181ab964d7977d4ce039d0a25bb3a8184b85660c72dde1a86a8 |
| SUSP_EnigmaProtected_PE_Files_Jun22 | 13 | 6b5e2037dd90f87049201a2f44a8503ebcea7a715687073ce29818d4c4750a36 |
| SUSP_Enigma_Protector | 13 | 6b5e2037dd90f87049201a2f44a8503ebcea7a715687073ce29818d4c4750a36 |
| SUSP_OBFUSC_JS_Oct23_4 | 4 | 8c2eaccbcefddb919cc58d1949bd8339a9208f7f163e9b66083219cde713681a |
| SUSP_W32tm_StripChart_Cmdline_Oct22_1 | 8 | 5b1c6b560d0d5048485627c6d877447519011c016830dac9bdcaf7f730ef177f |
| SUSP_W32tm_StripChart_Cmdline_Oct22_1 | 9 | 7f9e8923b79211be228c7fe07f05a2915fa1a04e2be8624c44ff0ba51c22565a |
| SUSP_W32tm_StripChart_Cmdline_Oct22_1 | 9 | 4502e7af4f44441829570b4494edc680f92c0c1b96284441ea99ad398d8c5793 |

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (the categories overlap, since a rule can belong to several categories)

| Tag | Count |
|---|---|
| Malware | 5951 |
| Threat Hunting (not subscribable, only in THOR scanner) | 4902 |
| APT | 4810 |
| Hacktools | 4427 |
| Webshells | 2302 |
| Exploits | 609 |

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

| Rule | Description | Date |
|---|---|---|
| Local User Deleted Via Net.EXE | Detects deletion of a local user via "Net.EXE" | 30.01.2024 |
| Renamed Scilc.EXE Execution | Detects the execution of a renamed "Scilc.EXE" binary, a native utility that is part of the MicroSCADA software suite. This utility allows for the execution of SCIL commands. Investigate any suspicious files or commands being passed in the command line in order to determine suspicious activity. | 30.01.2024 |
| Scilc.EXE Execution From Non-Default Path | Detects the execution of the "Scilc.EXE" binary, a native utility that is part of the MicroSCADA software suite, from a non-default location. This utility allows for the execution of SCIL commands. Investigate any suspicious files or commands being passed in the command line in order to determine suspicious activity. | 30.01.2024 |
| Scilc.EXE Execution | Detects the execution of the "Scilc.EXE" binary, a native utility that is part of the MicroSCADA software suite. This utility allows for the execution of SCIL commands. Investigate any suspicious files or commands being passed in the command line in order to determine suspicious activity. | 30.01.2024 |
| Scilc.EXE Uncommon File Extension Execution | Detects the execution of the "Scilc.EXE" binary, a native utility that is part of the MicroSCADA software suite, with an uncommon extension. This utility allows for the execution of SCIL commands. Investigate any suspicious files or commands being passed in the command line in order to determine suspicious activity. | 30.01.2024 |
| Large Number Of Files Deleted From Popular Known Folders | Detects deletion of a large number of files from popular known folders (i.e. Desktop, Documents, Downloads, Music, Pictures, Videos, etc.). Occurrence of such an event from an uncommon application can be a sign of ransomware. | 30.01.2024 |
| Service Stopped Via TDSSKiller.EXE | Detects the execution of TDSSKiller in order to stop and terminate Windows services. | 30.01.2024 |
| Tzutil.EXE Execution | Detects execution of tzutil for time zone information reconnaissance. | 30.01.2024 |
| TDSSKiller Execution To Terminate Critical Services | Detects the execution of TDSSKiller in order to stop and terminate critical Windows services such as antivirus and EDR agents. | 30.01.2024 |
| Current Time Zone Changed Via Tzutil.EXE | Detects execution of tzutil in order to change the time zone configuration. | 30.01.2024 |
| Potential Ldvpocx.DLL Sideloading | Detects potential DLL sideloading of "ldvpocx.dll" | 30.01.2024 |
| HackTool - SharpMove Tool Execution | Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query and VBScript execution using WMI, via its PE metadata and command line options. | 29.01.2024 |
| HackTool - EDRSilencer Execution - Filter Added | Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names. | 29.01.2024 |
| Pikabot Fake DLL Extension Execution Via Rundll32.EXE | Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity. | 26.01.2024 |
| Dev Drive Attach Policy Registry Key Deleted | Detects the deletion of a registry value related to the "Dev Drive" filter driver attach policy. An attacker might delete this in order to avoid security monitoring in dev drives. | 25.01.2024 |
| Antivirus Filter Driver Disallowed On Dev Drive - Deleted Key | Detects the deletion of a registry value related to "Dev Drive" antivirus monitoring. An attacker might delete this in order to avoid security monitoring in dev drives. | 25.01.2024 |
| ETW Trace Session Reached Maximum Size | Detects events where an ETW session has reached its maximum size. A session reaching its maximum size could lead to events being lost and a temporary blind spot on the system. | 24.01.2024 |
| USN Journal Deleted By Uncommon Process | Detects the deletion of a USN journal by an uncommon process. | 24.01.2024 |
| Volume Shadow Copy Unmounted | Detects unmounting of an NTFS volume shadow copy instance. While this can occur during normal cleanup activity, it is also a sign of volume shadow copy deletion. | 24.01.2024 |
| Volume Shadow Copy Unmounted By Uncommon Process | Detects unmounting of an NTFS volume shadow copy instance by an uncommon process. This could be a sign of someone using the VSS API directly in order to possibly avoid detection. | 24.01.2024 |
| Sensitive Trace Session Reached Maximum Size | Detects events where a critical or important ETW session has reached its maximum size. A session reaching its maximum size could lead to events being lost and a temporary blind spot on the system. | 24.01.2024 |
| Volume Shadow Copy Mounted | Detects mounting of an NTFS volume shadow copy instance, including creation. | 24.01.2024 |
| Process Execution From Within Recycle.Bin | Detects uncommon file execution activity from the recycle bin directory. This directory is often used to stage malware. | 24.01.2024 |
| Antivirus Filter Driver Disallowed On Dev Drive | Detects activity that indicates a user disabling the ability of the antivirus minifilter to inspect a "Dev Drive". | 24.01.2024 |
| Dev Drive Enabled | Detects activity that indicates enabling the "Dev Drive" feature. | 24.01.2024 |
| CKCL Log Disabled | Detects tampering attempts to disable performance CKCL logs. These logs often contain useful information about the boot and shutdown process. Attackers might want to disable them in order to hinder a forensic investigation. | 24.01.2024 |
| Uncommon File Creation Activity In Recycle.Bin | Detects uncommon file creation activity in the recycle bin directory. This directory is often used to stage malware. | 24.01.2024 |
| ELAM Driver Load Policy Changed | Detects any change to the setting of the ELAM driver load policy. | 24.01.2024 |
| ELAM Driver Load Policy Tampering - Allow All Drivers | Detects a change in the setting of the driver load policy in order to allow the loading of any driver, including known bad drivers. | 24.01.2024 |
| ELAM Driver Load Policy Weakened - Allow Known Bad Critical Drivers | Detects a change in the setting of the driver load policy in order to allow the loading of known bad critical drivers. While this is the default setting, a machine might have had a stricter configuration before, and this change would weaken it. | 24.01.2024 |

YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
|---|---|---|
| Yara | 2948 | 17531 |
| Sigma | 3139 | 429 |

Sigma Rules Per Category (Community)

| Type | Count |
|---|---|
| windows / process_creation | 1197 |
| windows / registry_set | 186 |
| windows / file_event | 178 |
| windows / ps_script | 163 |
| windows / security | 151 |
| linux / process_creation | 106 |
| windows / image_load | 98 |
| webserver | 76 |
| windows / system | 70 |
| proxy | 56 |
| macos / process_creation | 55 |
| windows / network_connection | 49 |
| linux / auditd | 49 |
| azure / activitylogs | 43 |
| windows / registry_event | 38 |
| aws / cloudtrail | 34 |
| azure / auditlogs | 33 |
| windows / ps_module | 32 |
| windows / application | 28 |
| azure / signinlogs | 24 |
| windows / process_access | 23 |
| okta / okta | 22 |
| azure / riskdetection | 19 |
| windows / pipe_created | 18 |
| windows / dns_query | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| gcp / gcp.audit | 16 |
| windows / windefend | 16 |
| m365 / threat_management | 13 |
| windows / file_delete | 12 |
| windows / create_remote_thread | 12 |
| cisco / aaa | 12 |
| windows / driver_load | 10 |
| windows / codeintegrity-operational | 10 |
| windows / ps_classic_start | 10 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / create_stream_hash | 9 |
| dns | 8 |
| windows / msexchange-management | 8 |
| windows / appxdeployment-server | 7 |
| azure / pim | 7 |
| gcp / google_workspace.admin | 7 |
| windows / bits-client | 7 |
| github / audit | 7 |
| zeek / smb_files | 7 |
| windows / firewall-as | 7 |
| antivirus | 7 |
| windows / file_access | 6 |
| windows / registry_delete | 6 |
| jvm / application | 5 |
| windows / dns-client | 5 |
| zeek / dce_rpc | 4 |
| zeek / dns | 4 |
| windows / sysmon | 4 |
| windows / taskscheduler | 4 |
| windows / ntlm | 3 |
| linux / sshd | 3 |
| zeek / http | 3 |
| linux / network_connection | 3 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| windows / file_change | 2 |
| firewall | 2 |
| windows / security-mitigations | 2 |
| linux / syslog | 2 |
| m365 / audit | 2 |
| spring / application | 2 |
| windows / dns-server | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| apache | 2 |
| qualys | 2 |
| linux / cron | 1 |
| windows / process_tampering | 1 |
| linux / guacamole | 1 |
| juniper / bgp | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| huawei / bgp | 1 |
| windows / applocker | 1 |
| windows / raw_access_thread | 1 |
| linux / clamav | 1 |
| windows / appxpackaging-om | 1 |
| windows / shell-core | 1 |
| nodejs / application | 1 |
| python / application | 1 |
| windows / capi2 | 1 |
| windows / microsoft-servicebus-client | 1 |
| django / application | 1 |
| zeek / x509 | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / file_rename | 1 |
| linux / sudo | 1 |
| windows / smbclient-security | 1 |
| windows / sysmon_error | 1 |
| m365 / exchange | 1 |
| linux / vsftpd | 1 |
| windows / diagnosis-scripted | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| windows / sysmon_status | 1 |
| velocity / application | 1 |
| m365 / threat_detection | 1 |
| zeek / rdp | 1 |
| ruby_on_rails / application | 1 |
| zeek / kerberos | 1 |
| windows / dns-server-analytic | 1 |
| sql / application | 1 |
| windows | 1 |
| windows / printservice-admin | 1 |
| nginx | 1 |
| windows / driver-framework | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-operational | 1 |
| database | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| cisco / syslog | 1 |
| netflow | 1 |
| cisco / bgp | 1 |
| windows / smbclient-connectivity | 1 |
| linux / auth | 1 |
| cisco / ldp | 1 |
| windows / ldap | 1 |

Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
|---|---|
| windows / process_creation | 174 |
| windows / ps_script | 49 |
| windows / registry_set | 48 |
| windows / wmi | 29 |
| windows / file_event | 19 |
| windows / image_load | 12 |
| proxy | 11 |
| windows / security | 10 |
| windows / system | 10 |
| windows / network_connection | 5 |
| windows / ntfs | 5 |
| windows / create_remote_thread | 4 |
| windows / registry_event | 4 |
| windows / ps_module | 4 |
| linux / process_creation | 3 |
| windows / vhd | 3 |
| windows / registry_delete | 3 |
| windows / application-experience | 3 |
| webserver | 3 |
| windows / hyper-v-worker | 3 |
| windows / ps_classic_script | 3 |
| windows / pipe_created | 3 |
| windows / driver_load | 2 |
| windows / bits-client | 2 |
| windows / kernel-shimengine | 2 |
| windows / kernel-event-tracing | 2 |
| windows / taskscheduler | 2 |
| windows / process_access | 1 |
| macos / process_creation | 1 |
| windows / codeintegrity-operational | 1 |
| windows / application | 1 |
| windows / dns_query | 1 |
| windows / registry-setinformation | 1 |
| windows / audit-cve | 1 |
| windows / file_access | 1 |
| windows / file_delete | 1 |
| windows / amsi | 1 |
| windows / file_rename | 1 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
  Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
  Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html