New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule

Description

Date

Ref

HKTL_Meterpreter_XORED_Shellcode_Jun20_1

Detects Meterpreter samples

04.06.2020

APT_MAL_CN_GoblinPanda_USBCulprit_Jun20_1

Detects Goblin Panda USBCuplrit malware

04.06.2020

SUSP_Recon_Outputs_Jun20_1

Detects outputs of many different commands often used for reconnaissance purposes

04.06.2020

APT_MAL_CN_GoblinPanda_BlueCore_Jun20_1

Detects Goblin Panda BlueCore malware

04.06.2020

APT_MAL_CN_GoblinPanda_USBCulprit_Jun20_2

Detects Goblin Panda malware USBCulprit

04.06.2020

APT_MAL_CN_GoblinPanda_ChromePass_Jun20_2

Detects Goblin Panda ChromePass hacktool

04.06.2020

APT_MAL_CN_GoblinPanda_BlueCore_Jun20_2

Detects Goblin Panda BlueCore malware

04.06.2020

APT_MAL_CN_GoblinPanda_USBCulprit_Jun20_3

Detects Goblin Panda USBCulprit malware

04.06.2020

APT_MAL_JS_Higasia_Jun20_1

Detects Higasia group JavaScript helper file

04.06.2020

APT_MAL_Higasia_Jun20_1

Detects Higasia group JavaScript helper file

04.06.2020

WEBSHELL_ASPX_SadBoy_Jun20_1

Detects SadBoy webshell related to activity in ACSC report

03.06.2020

WEBSHELL_ASPX_OBFUSC_Jun20_5

Detects obfuscated ASPX webshell

03.06.2020

WEBSHELL_ASPX_Jun20_4

Detects ASPX webshell

03.06.2020

WEBSHELL_ASPX_Jun20_3

Detects ASPX webshell

03.06.2020

WEBSHELL_ASPX_Jun20_2

Detects ASPX webshell

03.06.2020

WEBSHELL_ASPX_Jun20_1

Detects ASPX webshell

03.06.2020

APT_MAL_CN_MustangPanda_Loader_Jun20_1

Detects Mustang Panda loader

03.06.2020

APT_MAL_ACSC_Report_Forensic_Artefacts_Jun20_1

Detects forensic artefacts mentioned in ACSC report for 2019 and 2020

03.06.2020

HKTL_Mimikatz_Indicators_Jun20_1

Detects strings found in Mimikatz hacktool - even in modified versions

02.06.2020

APT_MAL_DNSTunnel_RAT_Jun20_1

Detects DNSTunnel RAT

02.06.2020

APT_MAL_CN_Chimera_BaseClient_Jun20_1

Detects malware mentioned in Chimera report on attacks against Taiwanese high tech sector

02.06.2020

APT_MAL_CN_Chimera_SkeletonKeyInjector_Jun20_2

Detects malware mentioned in Chimera report on attacks against Taiwanese high tech sector

02.06.2020

APT_MAL_CN_Chimera_CobaltStrike_Beacon_Jun20_1

Detects malware mentioned in Chimera report on attacks against Taiwanese high tech sector

02.06.2020

APT_MAL_CN_Chimera_PDB_Jun20_1

Detects malware mentioned in Chimera report on attacks against Taiwanese high tech sector

02.06.2020

APT_MAL_CN_Chimera_CmdLine_Jun20_1

Detects specific command line mentioned in Chimera report on attacks against Taiwanese high tech sector

02.06.2020

EXPL_HKTL_SMBGhost_RCE_PoC_Jun20_1

Detects Proof of Concept code for exploits against CVE-2020-0796 SMBGhost vulnerability

02.06.2020

MAL_Unknown_Jun20_1

Detects indicators found in malware used by an unknown Middle Eastern actor

02.06.2020

MAL_Unknown_Jun20_2

Detects indicators found in malware used by an unknown Middle Eastern actor

02.06.2020

APT_Unknown_RemoteProcess_Injector_Jun20_1

Detects unknown process injector found in a campaign against an Isreali victim

01.06.2020

APT_MAL_Turla_Implant_Jun20_1

Detects Turla implants

01.06.2020

SUSP_MAL_ProcessInjector_May20_1

Detects suspicious indicators often used in hack tools and malware

01.06.2020

APT_MAL_CobaltStrike_May20_2

Detects CobaltStrike beacon used in activity noticed in May 2020 - likely related to Chinese actor

29.05.2020

APT_MAL_ReverseShell_May20_1

Detects reverse shell used in activity noticed in May 2020 - likely related to Chinese actor

29.05.2020

APT_MAL_NTTCom_Campaign_Script_Keywords_May20_1

Detects scripts as used in campaign against NTTCom

29.05.2020

HKTL_PS1_PowerSploit_Encrypted_Script_May20_1

Detects encrypted scripts as used in PowerSploit

29.05.2020

APT_MAL_NTTCom_Campaign_SERKDES_May20_1

Detects malware as used in campaign against NTTCom

29.05.2020

APT_MAL_Unknown_ReverseShell_May20_2

Detects Chinese threat actor activity

29.05.2020

MAL_Agent_May20_1

Detects malware used in activity noticed in May 2020 - likely related to Chinese actor

29.05.2020

MAL_LNK_May20_2

Detects malware used in activity noticed in May 2020 - likely related to Chinese actor

29.05.2020

MAL_SERKDES_May20_1

Detects SERKDES malware

29.05.2020

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule

Average AV Detection Rate

Sample Count

SUSP_Encrypted_Excel_With_Macros

0.19

303

HKTL_Meterpreter_InMemory_Rule

0.29

MAL_ToTok_Android_APK

1.53

HKTL_SilentTrinity_PS1_Posh_Stager

2.13

HKTL_PS1_Hacktool_Indicator_Feb20_1

3.77

SUSP_OBFUSC_TrippleDash_Replace

4.44

SUSP_JS_WindowChange_Dec19

4.8

3886

SUSP_URL_Persistence

5.19

WEBSHELL_PHP_Apr20_2

5.82

SUSP_Base64_Encoded_GithubUserContent_URL

5.92

SUSP_LNX_Base64_Decode_CommandLine

6.07

113

SUSP_GrabBrowsingHistory_Jan20

6.64

EXPL_Office_TemplateInjection

7.02

SUSP_Encoded_Convert_ToInt16

7.64

SUSP_MZ_PE_Header_Anomaly

7.85

MAL_LNX_SH_SaltStack_Campaigns_May20_1

7.91

HKTL_Empire_Win_MSWord_Dec19_1

8.27

SUSP_Double_IEX

8.4

SUSP_Shellcode_Keyword_Mar20

8.77

WEBSHELL_Obfuscator_PHP_OverflowZone

9.24

SUSP_Encoded_Set_Alias

9.58

136

SUSP_Encoded_StartSleep

9.63

SUSP_Hex_Encoded_Executable_with_Padding

9.88

SUSP_ShellCommands_Oct19

10.56

SUSP_Shellcode_Keyword_Mar20_2

10.83

APT_MAL_CN_BronzeUnion_Apr20_3

11.76

SUSP_JS_String_Keyword_Combo_Apr20_1

12.08

SUSP_Reversed_Base64_Encoded_EXE

12.64

242

SUSP_WinScriptHost_MyScript_Combo

12.92

SUSP_PS2EXE_PowerShell2Exe_2

13.36

113

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule

AVs

Hash

HKTL_screencap

9b282864268dc306bb5f6ef8ca7025790814e3d20c34f954da7a6036afa033f8

SUSP_ConfuserEx_Obfuscated_Gen

7417a57c814b5adde725f747a1e27384e22388bcc39248e98b72e1be3859a7bb

SUSP_ConfuserEx_Obfuscated_Gen

b05f893d7afd2e458ad3bd6777e0a8ff73ca19aa59497d523fa6f14d5d7f4784

MAL_AutoIt_Malware_Indicator_1

c137ca3614a08a22a5f214da9bb929297a7379b0b374d0569ad254d97cb6e026

SUSP_AutoIt_Indicators_Feb19_4

c137ca3614a08a22a5f214da9bb929297a7379b0b374d0569ad254d97cb6e026

SUSP_OfficeDoc_Macro_Indicator_Jun19_1

7705cec2a6cbf51ddaa8b4da0c97e323bc5aaf3ce3dbf35e62b53ef466db6851

PEFILE_Header_but_no_DOS_Header

6a0ddfc05976ae1e314f46018b498f24c011da5eaacb7a087b8fc8e832696aed

SUSP_JS_WindowChange_Dec19

e7bb0559ddfc8c46a04f1b495494e8a77a1ffc61c15afa5eb63a56172c90817e

SUSP_Schtasks_TaskName_Short

e55c983d2d6c7ee93203346286ffc8a41d378a35b5bbd8e6a520645a8963200e

PEFILE_Header_but_no_DOS_Header

10d64de2606158c860a71aca483f8d44956bd34d2bd298b78182afd73742ba0a

SUSP_AutoIt_Indicators_Feb19_4

3c50504ed37ca451020ab96618082678d6239e17c65dd4f99295f9d4e67f97e8

MAL_AutoIt_Malware_Indicator_1

3c50504ed37ca451020ab96618082678d6239e17c65dd4f99295f9d4e67f97e8

APT_Sofacy_Rel_Sep18_2

c1ecbae875dbca680a9cc5d16b394a82a451cda76096ec47dfc4221c21246d0a

SUSP_OfficeDoc_Macro_Indicator_Jun19_1

5d6fb1e51019b9a324d6993f5dc40560cef183411c980ed0df7989a19b36f9c8

SUSP_Reversed_LOLBAS

2c2a9a35182152623a1566c867b9af5c2d17e9c4f38840a2240951d22466db7f

SUSP_Linux_Hacktool_Keywords_SCTEST

9a7601dca121462e9cbfa6c323259fd78398026516a2e3e7cdb51a353632d292

SUSP_JS_WindowChange_Dec19

9c9e87ed926880766a4ec2572703994327f64f3943c437c09bac67ec98a07f9e

Suspicious_PowerShell_Code_1

88852df90fd87a8a5e31f802c2754fa42a17ced8b4b8bb5934d8b8aa9ebd778b

Suspicious_PowerShell_WebDownload_1

88852df90fd87a8a5e31f802c2754fa42a17ced8b4b8bb5934d8b8aa9ebd778b

SUSP_JS_WindowChange_Dec19

5bab394954ab4f8cfaed2c46bad156e8f6125f2cfb9d59db74e35096b54398a6

Top Tags in YARA Rule Set

This list shows the top tags used in our database, which are used for the subscribable categories

Tag

Count

FILE

7100

EXE

5082

APT

3068

MAL

2962

HKTL

2682

DEMO

2468

T1100

1926

WEBSHELL

1895

SUSP

1501

CHINA

1093

SCRIPT

728

T1086

430

RUSSIA

417

MIDDLE_EAST

369

T1027

358

T1064

313

GEN

313

T1003

289

T1193

270

T1203

270

T1075

232

G0044

216

OBFUS

193

T1132

190

EXPLOIT

183

G0007

176

LINUX

171

T1085

162

T1097

145

T1178

145

Tenable Nessus

Requirement: Privileged Scan

YARA Scanning with Nessus works only when scanning with credentials (privileged scan)

Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

You can only upload a single .yar file
Filesystem scan has to be activated
You have to define the target locations
The Nessus plugin ID will be 91990
Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls

Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html