currently serving 14859 YARA rules

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

| Rule | Description | Date |
|---|---|---|
| SUPS_PS1_Tiny_Loader_Characteristics_Jan22 | Detects indicators often found in suspicious small PowerShell downloaders | 21.01.2022 |
| SUPS_PS1_Backdoor_Jan22_1 | Detects indicators found in a suspicious small PowerShell backdoor | 21.01.2022 |
| SUPS_PS1_AES_Managed_Jan22_1 | Detects suspicious use of System.Security.Cryptography.AesManaged in PowerShell scripts | 21.01.2022 |
| SUPS_PS1_Encryption_Jan22_2 | Detects suspicious indicators found in malicious scripts that use encryption | 21.01.2022 |
| SUSP_OBFUSC_Base64_String_Split_Jan22 | Detects split base64 strings often found in obfuscated scripts | 21.01.2022 |
| WEBSHELL_PHP_Wordpress_Backdoors_Jan22_1 | Detects PHP webshell implants used in WordPress supply chain attacks | 21.01.2022 |
| MAL_RANSOM_LockBit_Jan22_1 | Detects LockBit ransomware samples | 21.01.2022 |
| LOG_CodeIntegrity_Blocked_Driver_Load | Detects events in the CodeIntegrity event log that indicate driver loads that were blocked due to unmet signing level requirements | 20.01.2022 |
| HKTL_EXPL_LNX_Indicators_Jan22_1 | Detects strings often found in Linux exploit code | 20.01.2022 |
| HKTL_EXPL_LNX_Indicators_Jan22_2 | Detects strings often found in Linux exploit code | 20.01.2022 |
| HKTL_EXPL_LNX_Indicators_Jan22_3 | Detects strings often found in Linux exploit code | 20.01.2022 |
| HKTL_EXPL_LNX_Indicators_Jan22_4 | Detects strings often found in Linux exploit code | 20.01.2022 |
| WEBSHELL_EXPL_VMWare_Horizon_JS_Shells_Jan22_1 | Detects VMware Horizon JS shells planted after successful Log4Shell exploitation | 20.01.2022 |
| APT_MAL_RU_Turla_ComLook_Jan22_1 | Detects the ComLook backdoor used by the Turla group | 20.01.2022 |
| SUSP_IAppIdPolicyHandler_GUID_EXE_Jan22 | Detects a suspicious IAppIdPolicyHandler GUID in executable files | 19.01.2022 |
| SUSP_PS1_OBFUSC_Jan22_1 | Detects suspicious PowerShell obfuscation noticed in malicious scripts | 19.01.2022 |
| SUSP_VBS_OBFUSC_Jan22_1 | Detects suspicious PowerShell obfuscation noticed in malicious scripts | 19.01.2022 |
| SUSP_VBS_WScript_IPC_Combo_Jan22_2 | Detects suspicious VBS scripts that combine WScript.Shell directives with the IPC$ keyword | 19.01.2022 |
| SUSP_PS1_OBFUSC_Base64String_Jan22_1 | Detects a suspicious split-up and obfuscated Base64String value | 19.01.2022 |
| SUSP_Bitsadmin_Pattern_Jan22_1 | Detects a suspicious bitsadmin pattern often found in malicious dropper scripts | 19.01.2022 |
| SUPS_HKTL_WinPEAS_Output_Jan22 | Detects output generated by WinPEAS, a tool that searches for possible paths to escalate privileges on Windows hosts | 19.01.2022 |
| HKTL_WinPEAS_Jan22 | Detects WinPEAS, a script that searches for possible paths to escalate privileges on Windows hosts | 19.01.2022 |
| HKTL_LinPEAS_Jan22 | Detects LinPEAS, a tool that searches for possible paths to escalate privileges on Linux/macOS hosts | 19.01.2022 |
| MAL_RANSOM_Wiper_Jan22_1 | Detects ransomware or wiper malware related to the campaign against Ukrainian targets | 19.01.2022 |
| MAL_Unknown_Loader_Jan22_1 | Detects suspicious samples that contain indicators as found in ransomware samples noticed in January 2022 | 19.01.2022 |
| APT_WEBSHELL_PHP_Prometheus_Jan22_1 | Detects suspicious samples that contain indicators as found in ransomware samples noticed in January 2022 | 19.01.2022 |
| APT_CampoLoader_Jan22_1 | Detects suspicious samples that contain indicators as found in ransomware samples noticed in January 2022 | 19.01.2022 |
| SUSP_HKTL_SharpAppLocker_JSON_Output_Jan22 | Detects output files of SharpAppLocker, a C# port of the Get-AppLockerPolicy PS cmdlet with extended features | 18.01.2022 |
| HKTL_SHARPFILES_Jan22 | Detects SharpFiles, a tool to search for files based on SharpShares | 18.01.2022 |
| HKTL_SHARPLAPS_Jan22 | Detects SharpLAPS, a tool to retrieve LAPS passwords from LDAP | 18.01.2022 |
| HKTL_WMIREG_Jan22 | Detects WMIReg, a tool used to read and write local and remote registry keys | 18.01.2022 |
| HKTL_SEARCH_OUTLOOK_Jan22 | Detects SearchOutlook, a tool used to search a running instance of Outlook for keywords | 18.01.2022 |
| HKTL_SharpAppLocker_Jan22 | Detects SharpAppLocker, a C# port of the Get-AppLockerPolicy PS cmdlet with extended features | 18.01.2022 |
| APT_HKTL_FRP_ME_Indicators_Jan22_1 | Detects indicators found in Go-based samples used by Charming Kitten | 18.01.2022 |
| APT_ME_Artefacts_Jan22_1 | Detects artefacts found in Charming Kitten intrusions | 18.01.2022 |
| SUSP_PS1_CReplace_Casing_Anomaly | Detects suspicious casing in the -creplace operator used in PowerShell scripts | 17.01.2022 |
| SUSP_PS1_PowerShell_Uncommon_Flags_Jan22_1 | Detects an uncommon PowerShell flag combination often found in malicious samples | 17.01.2022 |
| SUSP_PUA_CommandPatterns_Jan22_1 | Detects command patterns found in the bash_history of compromised systems | 17.01.2022 |
| SUSP_HKTL_CommandPatterns_Jan22_1 | Detects command patterns found in the bash_history of compromised systems | 17.01.2022 |
| SUSP_HKTL_JAVA_MarshalSec_Jan22_1 | Detects indicators of the MarshalSec Java deserialization toolkit | 17.01.2022 |

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those whose matches have the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days)

| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
| HKTL_PUA_SharpPcap_DLL_Library_May21 | 0.0 | 15 |
| SUSP_PUA_SoftEther_VPNGate_Sftware_Dec21_1 | 0.03 | 58 |
| HKTL_RMM_Client_Aug21_1 | 0.18 | 34 |
| SUSP_PUA_Splashtop_RemoteControl_Oct21 | 0.24 | 17 |
| SUSP_OBFUSC_JS_Sep21_1 | 0.6 | 55 |
| SUSP_Tiny_RAR_Mar21_1 | 0.83 | 738 |
| SUSP_LMHash_Empty_Jul21_1 | 0.91 | 44 |
| HKTL_PY_Loader_Feb21_2 | 1.2 | 41 |
| WEBSHELL_PHP_Obfuscation_Functions_Sep21 | 1.91 | 140 |
| WEBSHELL_PHP_BeginsWith_eval_Sep21 | 2.03 | 165 |
| SUSP_Download_Githubcontent_Shell | 2.08 | 12 |
| SUSP_PS1_Indicators_Loader_Gen_Dec21_2 | 2.39 | 18 |
| EXPL_Log4j_CVE_2021_44228_Pattern_Dec21_1 | 2.63 | 19 |
| HKTL_PY_Bypass_Tool_Aug21_2 | 2.66 | 32 |
| SUSP_CryptoCoin_Miner_Keywords_Dec21_1 | 3.15 | 13 |
| SUSP_LNX_Back_Connect_Shell_Indicator_Jun21_1 | 3.55 | 11 |
| SUSP_Small_Compiled_Nim_Executable_Jun21_1 | 3.75 | 12 |
| SUSP_PS1_OBFUSC_Jan22_1 | 3.93 | 15 |
| SUSP_OBFUSC_VBS_Dec21 | 4.08 | 13 |
| SUSP_BAT_OBFUSC_ENV_Obfuscation_Apr21_1 | 4.4 | 35 |
| SUSP_PS1_Loader_Jan22_4 | 4.46 | 28 |
| EXPL_Log4j_CVE_2021_44228_Dec21_Soft | 4.68 | 19 |
| HKTL_PUA_FRP_FastReverseProxy_Oct21_1 | 4.71 | 28 |
| HKTL_AMSIBypass_Tool_OpCode_Indicators_May21_1 | 4.83 | 12 |
| SUSP_MSHTA_Invocation_Dec21_1 | 5.18 | 11 |
| SUSP_PS1_PowerShell_Loader_May21_1 | 5.59 | 22 |
| SUSP_PUA_ScreenConnect_Client_Setup_Oct21_1 | 5.66 | 109 |
| SUSP_PS1_Kernel32_User32_Imports_May21_1 | 5.67 | 24 |
| SUSP_PS1_Loader_Generic_Feb21 | 5.79 | 14 |
| PUA_SUSP_ScreenConnect_Feb21 | 5.9 | 196 |

Latest Matches with Low AV Detection Rate

This table lists the most recent matches with low AV detection rates (between 0 and 15 AV engines flagged the sample)

| Rule | AVs | Hash (SHA-256) |
|---|---|---|
| SUSP_LNX_Small_UPX_File_Jun21 | 14 | e5065a5ae8b0fa5220d09db24e5c6b18c96ea7be6d1607e45ec11593f2213429 |
| SUSP_LNX_Small_UPX_File_Jun21 | 14 | 8758f3ed2b56ae7bd4e5254672e57e72d167437ba9eac26edff1111741b00c3b |
| MAL_MSI_PurpleFox_Mar21 | 13 | ff1f1c9952b627b8e1c16f4b095b366151a682f6cb370fa0a8de3b68d33e34c1 |
| SUSP_PowerShell_Agent_Characteristics_Jun21_1 | 12 | 3e72d82987b88609b5ede57d334865973225ada3cf0351f8d1a3683a1a806adb |
| SUSP_Enigma_Protector | 5 | 9221321fe0ea7e24a872c14917fec6c6b1296268fae38838b5106f56ece618d5 |
| apt_CN_Tetrisplugins_JS | 11 | 984e2c0e254b52849a5de0eeeffabe2b059fa9cc0043122d2e8918d9ccbfcc61 |
| apt_CN_Tetrisplugins_JS | 9 | 9494f44dd1e51a3e2dacd86570c99848183f88369b8c9f60e714396b57362bfe |
| apt_CN_Tetrisplugins_JS | 9 | 527f4893bcb01414015bb6f27f7df201120d1c2ea0ea69332a75e59fc6ba3be7 |
| apt_CN_Tetrisplugins_JS | 9 | a63e0f955a3f9b201ce8bdcab56425e42664720d2e22b0e01908ba5ecd399ca8 |
| apt_CN_Tetrisplugins_JS | 9 | 7fe2e2db25fde07b029af31cc68e13b73e5e3565c4d5cb6bd37205c27f1f04aa |
| apt_CN_Tetrisplugins_JS | 10 | 42c5952050980f8a0e9c8e1a65e11b24a0f52b406314b6f34c75152b918a2bf0 |
| SUSP_UPX_Compressed_Go_Binary_Dec21_1 | 12 | 7960721ebc18c60510ebcc6dfd27766560174588952d67f1699175bf89a9337c |
| SUSP_PE_Discord_Attachment_Oct21_1 | 8 | 1101244026b613dcc52185943c02f51727784bd7631c4da7d3cdf2ee0ce9e896 |
| SUSP_PUA_ScreenConnect_Client_Setup_Oct21_1 | 7 | 048127e1f8dcaa183bb9895208d283692d38dd5a1fc0400adee639de8b9f810b |
| ProcessInjector_Gen | 1 | a1c5b8bee139f68db8750714e0363302544359a69d89b598e03d47accb7f2be7 |
| SUSP_Enigma_Protector | 8 | 82de76d32bfa81e1ed62f91a3612a055aa10005ab9d2bd0778ab232cd09e8b24 |
| SPEC_COVID19_Phish_Hunting | 4 | c0e722663ccba5b1ca3d4612f9389b0099f3eec7aea64039c2d425832112f848 |
| Suspicious_AutoIt_by_Microsoft | 9 | d5017f72448afa8957ebe06f07c8e06d12475b50e437c957615f49702bbc7a11 |
| HackTool_Samples | 1 | 771e6eda69e9c105eb3dcdcef3a56b592fcf743111e07e33e248a79d64ea86bf |
| Suspicious_Strings_Hacktool_Output | 1 | 771e6eda69e9c105eb3dcdcef3a56b592fcf743111e07e33e248a79d64ea86bf |

Rules Per Category

This list shows the number of rules in each subscribable category (categories overlap, as a rule can belong to several categories)

| Tag | Count |
|---|---|
| Malware | 4601 |
| APT | 4022 |
| Hacktools | 3478 |
| Threat Hunting | 2907 |
| Webshells | 2097 |
| Exploits | 402 |

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations to scan
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html