Currently serving 20158 YARA rules and 3445 Sigma rules.

New Rules per Day (chart)

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
HKTL_Whitechocolatemacademianut_Dec23 | Detects the cookie stealer WhiteChocolateMacademiaNut | 04.12.2023
MAL_RAT_Nov23_1 | Detects a RAT that allows remote control, autorun registration, script execution, downloading additional files, executing those downloaded files through Regsvcs.exe, and reverse connections | 30.11.2023
MAL_Raccoon_Agent_Backdoor_Nov23 | Detects the Agent Raccoon backdoor | 30.11.2023
MAL_Mimilite_Nov23 | Detects Mimilite, a customized version of Mimikatz | 30.11.2023
MAL_Ntospy_Nov23 | Detects the Ntospy DLL module, a Network Provider DLL designed to steal user credentials | 30.11.2023
MAL_RANSOM_Turtle_Nov23 | Detects Turtle ransomware | 30.11.2023
APT_MAL_Kimsuky_Backdoor_Nov23 | Detects a Kimsuky APT backdoor | 30.11.2023
MAL_ParaSiteSnatcher_Downloader_Nov23 | Detects the ParaSiteSnatcher downloader, a framework that allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources | 28.11.2023
MAL_Downloader_Nov23_1 | Detects a macOS downloader seen being used by North Korean threat actors | 27.11.2023
MAL_Downloader_Nov23_2 | Detects a macOS downloader seen being used by North Korean threat actors | 27.11.2023
MAL_AppleScript_Downloader_Nov23 | Detects a suspicious AppleScript downloader | 27.11.2023
APT_MAL_IronWind_Downloader_Nov23_1 | Detects the IronWind downloader seen being used by TA402 | 27.11.2023
APT_MAL_IronWind_Downloader_Nov23_2 | Detects the IronWind downloader seen being used by TA402 | 27.11.2023
MAL_Downloader_DLL_Nov23_2 | Detects a DLL that downloads a malicious Google Chrome extension with similarities to Genesis Market's infostealer | 27.11.2023
MAL_Guntior_Rootkit_Dropper_Nov23 | Detects the Guntior rootkit dropper | 25.11.2023
MAL_Payload_DLL_Nov23 | Detects a DLL that hijacks one of the standard Windows services by overwriting the service executable with the malware DLL | 25.11.2023
MAL_Guntior_Rootkit_Nov23 | Detects the Guntior rootkit | 25.11.2023
MAL_Backdoor_DLL_Nov23_2 | Detects a backdoor DLL that collects system info, executes C2 commands and downloads/uploads files; seen being used in a Konni RAT campaign | 24.11.2023
MAL_UAC_Bypass_Module_Nov23 | Detects a DLL that bypasses UAC; seen being used in a Konni RAT campaign | 24.11.2023
MAL_Socks5Systemz_Proxy_Bot_Loader_Nov23 | Detects the Socks5Systemz proxy bot loader | 24.11.2023
MAL_Socks5Systemz_Proxy_Bot_Nov23 | Detects the Socks5Systemz proxy bot | 24.11.2023
MAL_Backdoor_DLL_Nov23_1 | Detects a backdoor DLL seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966 | 23.11.2023
MAL_Trojan_DLL_Nov23 | Detects a trojan DLL that installs other components; seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966 | 23.11.2023
MAL_DLL_Stealer_Nov23 | Detects a DLL that steals authentication credentials; seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966 | 23.11.2023
MAL_Python_Backdoor_Script_Nov23 | Detects a trojan written in Python that communicates with a C2; seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966 | 23.11.2023
APT_MAL_DLL_Nov23 | Detects a DLL that is a previously unknown web shell with sophisticated features such as custom encoding for client communication and in-memory execution | 23.11.2023
MAL_Backdoor_Diamond_Sleet_Nov23 | Detects a backdoor seen being used by Diamond Sleet | 22.11.2023
MAL_LambLoad_Nov23 | Detects LambLoad, a weaponized downloader and loader consisting of malicious code added to a legitimate CyberLink application | 22.11.2023
APT_RANSOM_Lockbit_ForensicArtifacts_Nov23 | Detects patterns found in LockBit attacks exploiting the Citrix Bleed vulnerability CVE-2023-4966 | 22.11.2023
SUSP_Plink_CommandLine_Flag_Combo_Nov23_1 | Detects a plink port-forwarding command-line pattern found in malicious scripts and forensic artifacts | 22.11.2023

Successful YARA Rules in Set

This table ranks the rules created in the last 12 months by the average AV detection rate of the samples they matched in the last 14 days, lowest first. A low rate with a high sample count means the rule keeps catching files that most AV engines miss.

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the most recent matches on samples with a low AV detection rate (0 to 15 AV engines flagging the sample). A hash that appears under several rules is one sample matched by each of those rules.

Rule | AVs | Hash (SHA256)
SUSP_Four_Byte_XOR_PE_And_MZ | 1 | 3ae234ec1adbc5e133e9aa67c28b92abccb1d7b009594c34d46dd94070361ee3
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 6 | 5cb2fea799a84db8d70b3dcc36dfaab4fc921152f93da3af314ef210e59780b7
SUSP_RANSOM_Note_Aug22 | 6 | 8ec4cdb106a2bd44e745af32beb2c158071d3e000cadf28e862d8cfba6fdf7b8
SUSP_B64_Atob_Aug23 | 3 | c79b97e4ba6bb2f204190e11759706dfb5fa492908f9c11adbf7688f66755020
SUSP_Base64_Encoded_Hex_Encoded_Code | 3 | c79b97e4ba6bb2f204190e11759706dfb5fa492908f9c11adbf7688f66755020
SUSP_Reversed_Base64_Encoded_EXE | 5 | fd3f7b0f6817f02f18ee637deb8ea79590c1f3c5152c8e202b66881c5cac1d51
SUSP_OBFUSC_Reversed_Encoded_Executable_Mar22 | 5 | fd3f7b0f6817f02f18ee637deb8ea79590c1f3c5152c8e202b66881c5cac1d51
SUSP_B64_Atob_Aug23 | 1 | a71fd494ef054b690054c13e4cddf653c3e587d5d555ee5d5a9a54ba2437cf4d
SUSP_Base64_Encoded_Hex_Encoded_Code | 1 | a71fd494ef054b690054c13e4cddf653c3e587d5d555ee5d5a9a54ba2437cf4d
SUSP_GO_Screenshot_Capable_Oct22 | 2 | ceba49f65fa244833b10f0da3a4ec106fc91a632a1a0bf45afe01919525ac6d0
SUSP_PE_Discord_Attachment_Oct21_1 | 7 | d0daeb50f1313435def687a13b36586586ff53a77948b1bbc45bae78db1f1ebc
SUSP_Dir_Ref_in_File_ProgramData | 7 | d0daeb50f1313435def687a13b36586586ff53a77948b1bbc45bae78db1f1ebc
SUSP_Base64_Encoded_Hex_Encoded_Code | 3 | 46eb4d1be07950cfcab90166650f5e263e707fec5e252f0c5c2c596768600ec4
SUSP_B64_Atob_Aug23 | 3 | 46eb4d1be07950cfcab90166650f5e263e707fec5e252f0c5c2c596768600ec4
SUSP_Base64_Encoded_ISO_Image_Marker_Jan22 | 7 | 22bb9d0f69440fd8e7ed3c84669eefc0557560d7c28467a42c98ae36decc27ae
SUSP_HTML_Embedded_ISO_Includes_EXE_Apr21_1 | 7 | 22bb9d0f69440fd8e7ed3c84669eefc0557560d7c28467a42c98ae36decc27ae
SUSP_Encoded_GetProcAddress | 7 | 22bb9d0f69440fd8e7ed3c84669eefc0557560d7c28467a42c98ae36decc27ae
SUSP_VBS_WScript_Combo_May22_2 | 1 | 0285c9d1d485fd10156dba1aa0a21b2fa85f53908692b4952f8eb065e3d120f6
SUSP_JS_Regwrite_RUN_Key | 1 | 0285c9d1d485fd10156dba1aa0a21b2fa85f53908692b4952f8eb065e3d120f6
SUSP_Base64_Encoded_Hex_Encoded_Code | 1 | 20c7c542307b9e27359237e8b9a69d1ed14d44afa327f55c84c88b92e315effc
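The two statistics above (the per-rule average AV detection rate over recent matches, and the list of recent low-detection matches) are easy to reproduce from raw match records. The following is an added example, not Valhalla's own code: the rule names, creation dates, hashes and AV counts are constructed, and the 12-month / 14-day / 15-engine thresholds are taken from the table descriptions on this page.

```python
"""Added example (not Valhalla's own code): derive the two match statistics
shown on this page, the per-rule average AV detection rate over recent
matches and the list of recent matches with low AV detection, from a set of
YARA match records. All names, dates and hashes below are constructed."""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2023, 12, 4)  # constructed reference date

# Constructed: rule name -> date the rule was added to the set
RULE_CREATED = {
    "MAL_Example_Shellcode_Jun23": date(2023, 6, 12),
    "SUSP_Example_JS_Obfusc_Mar23": date(2023, 3, 1),
    "SUSP_Example_Ransom_Note_Sep23": date(2023, 9, 5),
    "SUSP_Example_Webshell_Jan22": date(2022, 1, 20),  # older than 12 months
}

# Constructed match records: (rule, sha256 of the sample, AV engines detecting it, match date)
MATCHES = [
    ("SUSP_Example_JS_Obfusc_Mar23",   "aa" * 32, 0,  TODAY - timedelta(days=1)),
    ("SUSP_Example_Webshell_Jan22",    "aa" * 32, 0,  TODAY - timedelta(days=1)),   # same sample, second rule
    ("SUSP_Example_Webshell_Jan22",    "11" * 32, 1,  TODAY - timedelta(days=1)),
    ("SUSP_Example_Ransom_Note_Sep23", "dd" * 32, 6,  TODAY - timedelta(days=2)),
    ("SUSP_Example_JS_Obfusc_Mar23",   "bb" * 32, 2,  TODAY - timedelta(days=3)),
    ("MAL_Example_Shellcode_Jun23",    "ff" * 32, 0,  TODAY - timedelta(days=4)),
    ("SUSP_Example_Ransom_Note_Sep23", "ee" * 32, 12, TODAY - timedelta(days=5)),
    ("SUSP_Example_Ransom_Note_Sep23", "99" * 32, 20, TODAY - timedelta(days=6)),   # too many AVs for the low-detection list
    ("SUSP_Example_JS_Obfusc_Mar23",   "cc" * 32, 40, TODAY - timedelta(days=30)),  # outside the 14-day window
]


def within(day, days, today):
    """True if day lies in the last `days` days up to and including today."""
    return today - timedelta(days=days) <= day <= today


def successful_rules(matches, rule_created, today=TODAY,
                     rule_age_days=365, match_window_days=14):
    """The page's 'Successful YARA Rules' ranking: for rules created within
    rule_age_days, average the AV detection count of their matches from the
    last match_window_days and sort ascending (lowest detection first).
    Returns (rule, average, sample_count) tuples; one record = one sample."""
    per_rule = defaultdict(list)
    for rule, _sha, avs, day in matches:
        created = rule_created.get(rule)
        if created is None or not within(created, rule_age_days, today):
            continue
        if not within(day, match_window_days, today):
            continue
        per_rule[rule].append(avs)
    rows = [(rule, round(sum(v) / len(v), 2), len(v)) for rule, v in per_rule.items()]
    # lowest average first; ties go to the rule with more samples behind it
    return sorted(rows, key=lambda r: (r[1], -r[2], r[0]))


def low_detection_matches(matches, max_avs=15, window_days=14, today=TODAY):
    """The page's 'Latest YARA Matches with Low AV Detection Rate': recent
    matches whose sample was flagged by 0..max_avs engines, newest first.
    The same hash is listed once per rule that matched it."""
    rows = [(day, rule, avs, sha) for rule, sha, avs, day in matches
            if 0 <= avs <= max_avs and within(day, window_days, today)]
    rows.sort(key=lambda r: (-r[0].toordinal(), r[1], r[3]))
    return [(rule, avs, sha) for _day, rule, avs, sha in rows]


if __name__ == "__main__":
    print("Rule | Average AV Detection Rate | Sample Count")
    for rule, avg, n in successful_rules(MATCHES, RULE_CREATED):
        print(f"{rule} | {avg} | {n}")
    print("\nRule | AVs | Hash")
    for rule, avs, sha in low_detection_matches(MATCHES):
        print(f"{rule} | {avs} | {sha}")
```

Note the two filters differ: the ranking drops rules older than 12 months and matches older than 14 days, while the low-detection list keeps old rules and only filters on match date and AV count, which is why a rule can appear in the second table but not the first.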

YARA Rules Per Category

This list shows the number of YARA rules in each subscribable category. The counts overlap, because a rule can belong to more than one category.

Tag | Count
Malware | 5781
Threat Hunting (not subscribable, only in THOR scanner) | 4809
APT | 4781
Hacktools | 4371
Webshells | 2299
Exploits | 604

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Potential CVE-2023-46214 Exploitation Attempt | Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) vulnerability in Splunk Enterprise caused by insecure XML parsing | 27.11.2023
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code | Detects an exploitation attempt of CVE-2023-46214 (RCE in Splunk Enterprise through insecure XML parsing) using known public proof-of-concept code | 27.11.2023
Network Connection Initiated To DevTunnels Domain | Detects network connections to DevTunnels domains initiated by a process on the system; attackers can abuse the feature to establish a reverse shell or persistence on the machine | 20.11.2023
Network Connection Initiated To Visual Studio Code Tunnels Domain | Detects network connections to Visual Studio Code tunnel domains initiated by a process on the system; attackers can abuse the feature to establish a reverse shell or persistence on the machine | 20.11.2023
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) | Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can abuse vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands | 14.11.2023
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) | Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can abuse vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands | 14.11.2023
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) | Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can abuse vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands | 14.11.2023
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) | Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can abuse vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands | 14.11.2023
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp | Detects suspicious child processes of Excel, which could indicate lateral movement leveraging the "ActivateMicrosoftApp" method of the Excel DCOM object | 13.11.2023
Non-Executable Extension File Renamed With Executable Extension | Detects rename operations of files with a non-executable extension (.txt, .pdf, etc.) to an executable extension (.exe, .dll, etc.); malware often does this to avoid initial extension-based detection | 11.11.2023
Arbitrary File Download Via IMEWDBLD.EXE | Detects usage of "IMEWDBLD.exe" to download arbitrary files | 09.11.2023
Lace Tempest File Indicators | Detects PowerShell script file creation with specific names or suffixes that were seen being used often in PowerShell scripts by FIN7 | 09.11.2023
Lace Tempest PowerShell Evidence Eraser | Detects a PowerShell script used by Lace Tempest to erase evidence from victim servers in their exploitation of CVE-2023-47246, as reported by the SysAid team | 09.11.2023
Lace Tempest PowerShell Launcher | Detects a PowerShell script used by Lace Tempest to launch their malware loader in their exploitation of CVE-2023-47246, as reported by the SysAid team | 09.11.2023
Lace Tempest Cobalt Strike Download | Detects the specific command line used by Lace Tempest to download Cobalt Strike, as reported by the SysAid team | 09.11.2023
Lace Tempest Malware Loader Execution | Detects execution of a specific binary (by filename and hash) used by Lace Tempest to load additional malware, as reported by the SysAid team | 09.11.2023
Potential File Download Via MS-AppInstaller Protocol Handler | Detects usage of the "ms-appinstaller" protocol handler via the command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>" | 09.11.2023
Arbitrary File Download Via MSEDGE_PROXY.EXE | Detects usage of "msedge_proxy.exe" to download arbitrary files | 09.11.2023
Remote XSL Execution Via Msxsl.EXE | Detects execution of the "msxsl" binary with an "http" keyword in the command line, which might indicate remote execution of XSL files | 09.11.2023
CVE-2023-46747 Exploitation Activity - Webserver | Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP | 08.11.2023
CVE-2023-46747 Exploitation Activity - Proxy | Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP | 08.11.2023
F5 BIG-IP iControl Rest API Command Execution - Proxy | Detects POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, which allows command execution on the BIG-IP | 08.11.2023
F5 BIG-IP iControl Rest API Command Execution - Webserver | Detects POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, which allows command execution on the BIG-IP | 08.11.2023
Suspicious File Execution From Mounted ISO | Detects the execution of a file with a suspicious or double extension from a mounted ISO | 07.11.2023
Uncommon Delegation Console Set | Detects uncommon delegation console values | 03.11.2023
Uncommon Delegation Terminal Set | Detects uncommon delegation console values | 03.11.2023
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback | Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship | 03.11.2023
Suspicious Unsigned Thor Scanner Execution | Detects loading and execution of an unsigned THOR scanner binary | 29.10.2023
Backdoored Thor Scanner Execution | Detects the execution of a known malicious version of the THOR scanner binary | 29.10.2023
Backdoored Thor Scanner Load | Detects the loading and execution of a known malicious THOR scanner version | 29.10.2023

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed | Total
YARA | 2946 | 17212 | 20158
Sigma | 3101 | 344 | 3445

Sigma Rules Per Category (Community)

Log source (product / category or service) | Count
windows / process_creation | 1178
windows / file_event | 179
windows / registry_set | 179
windows / ps_script | 167
windows / security | 149
linux / process_creation | 105
windows / image_load | 97
webserver | 74
windows / system | 71
proxy | 53
macos / process_creation | 49
linux / auditd | 49
windows / network_connection | 48
azure / activitylogs | 43
windows / registry_event | 38
aws / cloudtrail | 34
azure / auditlogs | 33
windows / ps_module | 32
windows / application | 28
windows / process_access | 27
azure / signinlogs | 24
okta / okta | 22
azure / riskdetection | 19
windows / pipe_created | 18
windows / dns_query | 17
linux | 17
rpc_firewall / application | 17
gcp / gcp.audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 12
cisco / aaa | 12
windows / driver_load | 12
windows / file_delete | 12
windows / windefend | 12
windows / ps_classic_start | 11
windows / codeintegrity-operational | 10
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / firewall-as | 8
windows / msexchange-management | 8
dns | 8
antivirus | 7
windows / appxdeployment-server | 7
azure / pim | 7
zeek / smb_files | 7
windows / bits-client | 7
github / audit | 7
windows / registry_delete | 6
gcp / google_workspace.admin | 6
windows / file_access | 5
jvm / application | 5
windows / dns-client | 5
zeek / dce_rpc | 4
zeek / dns | 4
windows / sysmon | 4
windows / ntlm | 3
linux / sshd | 3
windows / wmi_event | 3
zeek / http | 3
windows / taskscheduler | 3
linux / network_connection | 3
windows / powershell-classic | 3
apache | 2
onelogin / onelogin.events | 2
macos / file_event | 2
qualys | 2
firewall | 2
windows / security-mitigations | 2
windows / file_change | 2
m365 / audit | 2
spring / application | 2
linux / syslog | 2
windows / dns-server | 2
windows | 1
windows / printservice-admin | 1
sql / application | 1
nginx | 1
windows / driver-framework | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
windows / lsa-server | 1
windows / wmi | 1
cisco / syslog | 1
cisco / ldp | 1
windows / smbclient-connectivity | 1
netflow | 1
cisco / bgp | 1
windows / ldap | 1
linux / auth | 1
windows / openssh | 1
windows / process_tampering | 1
linux / cron | 1
huawei / bgp | 1
windows / applocker | 1
windows / raw_access_thread | 1
linux / guacamole | 1
juniper / bgp | 1
windows / appmodel-runtime | 1
linux / clamav | 1
windows / appxpackaging-om | 1
nodejs / application | 1
windows / shell-core | 1
python / application | 1
windows / capi2 | 1
windows / microsoft-servicebus-client | 1
django / application | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / file_rename | 1
linux / sudo | 1
zeek / x509 | 1
windows / smbclient-security | 1
m365 / exchange | 1
windows / diagnosis-scripted | 1
windows / sysmon_status | 1
velocity / application | 1
linux / vsftpd | 1
zeek / rdp | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_error | 1
ruby_on_rails / application | 1
m365 / threat_detection | 1
zeek / kerberos | 1
windows / dns-server-analytic | 1
database | 1

Sigma Rules Per Category (Nextron Private Feed)

Log source (product / category or service) | Count
windows / process_creation | 154
windows / ps_script | 42
windows / wmi | 29
windows / registry_set | 22
windows / file_event | 15
proxy | 11
windows / system | 9
windows / image_load | 8
windows / security | 7
windows / network_connection | 5
windows / create_remote_thread | 4
linux / process_creation | 3
webserver | 3
windows / pipe_created | 3
windows / ps_classic_script | 3
windows / vhd | 3
windows / ps_module | 3
windows / registry_event | 3
windows / driver_load | 2
windows / taskscheduler | 2
windows / bits-client | 2
windows / dns_query | 1
windows / file_access | 1
windows / registry-setinformation | 1
macos / process_creation | 1
windows / file_delete | 1
windows / file_rename | 1
windows / amsi | 1
windows / process_access | 1
windows / audit-cve | 1
windows / application | 1
windows / registry_delete | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only in a credentialed (privileged) scan
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • Only a single .yar file can be uploaded, so a rule set spread over several files has to be combined into one file first
  • The filesystem scan has to be activated
  • The target locations (paths to scan) have to be defined
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions are scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
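Because the Nessus plugin accepts exactly one .yar file, a rule set that is kept as many files (with `include` directives and per-file `import` lines) has to be flattened before upload. The script below is an added example, not Nessus's or Valhalla's tooling. It is a textual merge: it hoists and deduplicates module imports, inlines `include` directives, and refuses duplicate rule names (which yarac would reject anyway). It assumes include paths are relative to the rule directory and does not validate YARA syntax; `merge_sources` and `merge_directory` are names chosen for this example.

```python
"""Added example (not Nessus or Valhalla tooling): combine a directory of
YARA rule files into the single .yar file that the Nessus YARA plugin
accepts. Textual pass only: module imports are hoisted to the top and
deduplicated, 'include' directives are inlined, and duplicate rule names
are rejected. It does not validate YARA syntax; compile the output with
yarac before uploading it."""
import re
import sys
from pathlib import Path

# Rule header: optional 'private'/'global' modifiers, then the rule name
RULE_RE = re.compile(r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)', re.M)
IMPORT_RE = re.compile(r'^[ \t]*import[ \t]+"([^"]+)"[ \t]*$', re.M)
INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+"([^"]+)"[ \t]*$', re.M)


class DuplicateRule(ValueError):
    """Two files define the same rule name; yarac would refuse to compile that."""


def _inline_includes(text, resolve, included, depth=0):
    """Replace every include "x" line with the text of x, recursively."""
    def repl(m):
        path = m.group(1)
        if resolve is None or depth > 16:
            raise ValueError(f'cannot resolve include "{path}"')
        body = resolve(path)
        if body is None:
            raise ValueError(f'included file "{path}" not found')
        included.add(path)
        return _inline_includes(body, resolve, included, depth + 1)
    return INCLUDE_RE.sub(repl, text)


def merge_sources(sources, resolve=None):
    """sources: ordered {relative path: rule text}. resolve(path) returns the
    text of an included file, or None. Returns (merged_text, rule_names)."""
    included = set()
    expanded = {name: _inline_includes(text, resolve, included)
                for name, text in sources.items()}
    imports, seen, bodies, names = [], {}, [], []
    for name, text in expanded.items():
        if name in included:
            continue  # already inlined into another file; emitting it again would duplicate its rules
        for mod in IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        text = IMPORT_RE.sub("", text).strip()
        for rule in RULE_RE.findall(text):
            if rule in seen:
                raise DuplicateRule(f'rule "{rule}" in {name} already defined in {seen[rule]}')
            seen[rule] = name
            names.append(rule)
        bodies.append(f"// ---- {name} ----\n{text}\n")
    header = "".join(f'import "{m}"\n' for m in imports)
    return header + "\n" + "\n".join(bodies), names


def merge_directory(rule_dir, out_path):
    """Merge every *.yar / *.yara under rule_dir into out_path.
    Include paths are resolved relative to rule_dir (an assumption of this example)."""
    rule_dir = Path(rule_dir)
    files = sorted(p for p in rule_dir.rglob("*") if p.suffix in (".yar", ".yara"))
    sources = {p.relative_to(rule_dir).as_posix(): p.read_text(encoding="utf-8") for p in files}

    def resolve(rel):
        p = rule_dir / rel
        return p.read_text(encoding="utf-8") if p.is_file() else None

    merged, names = merge_sources(sources, resolve)
    Path(out_path).write_text(merged, encoding="utf-8")
    return names


if __name__ == "__main__":
    rules = merge_directory(sys.argv[1], sys.argv[2])
    print(f"wrote {len(rules)} rules to {sys.argv[2]}")
```

Run it as `python merge_rules.py rules/ nessus_upload.yar`, then compile the result with `yarac nessus_upload.yar /dev/null` before uploading: the textual rule-name check catches duplicates across files but not syntax errors, and an upload that fails to compile yields no findings rather than an obvious error.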

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html