Valhalla
currently serving 9527 rules

[Chart: New YARA Rules per Day]

Newest YARA Rules

This table shows the newest additions to the rule set (the Ref column of the original table carried no values).

Rule | Description | Date
HKTL_Empire_Multi_Bash_Dec19_1 | Detects Empire Bash launcher | 09.12.2019
HKTL_Empire_Multi_Macro_Dec19_1 | Detects Empire Macro launcher | 09.12.2019
HKTL_Empire_Multi_PyInstaller_Dec19_1 | Detects Empire PyInstaller launcher | 09.12.2019
HKTL_Empire_Multi_WAR_Dec19_1 | Detects Empire WAR launcher | 09.12.2019
HKTL_Empire_Multi_JSP_Dec19_1 | Detects Empire JSP code in WAR launcher | 09.12.2019
HKTL_Empire_ShellCodeRDI_Dec19_1 | Detects Empire shellcode RDI | 09.12.2019
HKTL_Empire_Bypasses_Dec19_1 | Detects Empire bypasses | 09.12.2019
HKTL_Empire_Stagers_Gen_Dec19_1 | Detects generic characteristics of Empire stagers | 09.12.2019
HKTL_Empire_Payload_Gen_Dec19_1 | Detects Empire payloads - from files x64_slim.dll, x86_slim.dll | 09.12.2019
HKTL_Empire_Payload_Gen_Dec19_2 | Detects Empire payloads | 09.12.2019
HKTL_Empire_PHP_Hop_Dec19_1 | Detects Empire payloads | 09.12.2019
HKTL_Empire_Payload_macho_Gen_Dec19_1 | Detects Empire payloads | 09.12.2019
HKTL_Empire_Payload_Run_JAVA_Dec19_2 | Detects Empire payloads - file Run.java | 09.12.2019
HKTL_Empire_macOS_Shellcode_Dec19_1 | Detects Empire Shellcode | 09.12.2019
HKTL_Empire_macOS_Teensy_Dec19_1 | Detects Empire Teensy script launcher | 09.12.2019
HKTL_Empire_macOS_SafariLauncher_Dec19_1 | Detects Empire Safari launcher | 09.12.2019
HKTL_Empire_macOS_pkg_Dec19_1 | Detects Empire Pkg launcher | 09.12.2019
HKTL_Empire_macOS_Macro_Dec19_1 | Detects Empire macro launcher | 09.12.2019
HKTL_Empire_macOS_JAR_Dec19_1 | Detects Empire JAR launcher | 09.12.2019
HKTL_Empire_macOS_Ducky_Dec19_1 | Detects Empire Ducky launcher | 09.12.2019
HKTL_Empire_Win_LNK_Macro_Dec19_1 | Detects Empire LNK macro script launcher | 09.12.2019
HKTL_Empire_Win_Bunny_Macro_Dec19_1 | Detects Empire Bunny script launcher | 09.12.2019
HKTL_Empire_Win_CSharp_Dec19_1 | Detects Empire CSharp launcher | 09.12.2019
HKTL_Empire_Win_DuckyLauncher_Dec19_1 | Detects Empire DuckyLauncher launcher | 09.12.2019
HKTL_Empire_Win_HTA_Dec19_1 | Detects Empire HTA launcher | 09.12.2019
HKTL_Empire_Win_BAT_Dec19_1 | Detects Empire BAT launcher | 09.12.2019
HKTL_Empire_Win_LNK_Dec19_1 | Detects Empire LNK launcher | 09.12.2019
HKTL_Empire_Win_SCT_Dec19_1 | Detects Empire SCT launcher | 09.12.2019
HKTL_Empire_Win_VBS_Dec19_1 | Detects Empire VBS launcher | 09.12.2019
HKTL_Empire_Win_XML_Dec19_1 | Detects Empire XML launcher | 09.12.2019
HKTL_Empire_Win_Macro_Dec19_1 | Detects Empire Macro launcher | 09.12.2019
HKTL_Empire_Win_MSWord_Dec19_1 | Detects Empire MSWord launcher | 09.12.2019
HKTL_Empire_Win_WMIC_Dec19_1 | Detects Empire WMIC launcher | 09.12.2019
APT_Winnti_MAL_Sysmon_Implant_Imphash | Detects Winnti Sysmon implants | 06.12.2019
APT_MAL_JS_Code_Dec19_1 | Detects Berserk Bear watering hole JS content in HTML | 05.12.2019
APT_Lazarus_macOS_MAL_UnionCrypto_Dec19_1 | Detects Lazarus macOS malware | 05.12.2019
APT_OilRig_ZeroClear_Dec19_1 | Detects OilRig malware | 04.12.2019
APT_OilRig_BAT_Dec19_1 | Detects OilRig batch script | 04.12.2019
APT_OilRig_PS1_Dec19_1 | Detects OilRig PowerShell scripts | 04.12.2019
APT_UNC1194_MacroGuardRails_Dec19_1 | Detects UNC1194 MacroGuardRails sample | 04.12.2019

Successful YARA Rules in Set

This table shows statistics of the best-performing rules, ranked by the lowest average AV detection rate of the samples they matched (rules created in the last 12 months, matches of the last 14 days).

Rule | Average AV Detection Rate | Sample Count
Casing_Anomaly_ExecuteRequest | 0.04 | 24
SUSP_PS_Base64_CWB_String | 0.06 | 36
SUSP_LNX_Base64_Decode_CommandLine | 1.44 | 18
SUSP_SwearWord_in_Code | 1.89 | 83
SUSP_Netsh_PortProxy_Command | 2.75 | 12
SUSP_Linux_Hacktool_Keywords_SCTEST | 4.74 | 19
SUSP_Base64_Encoded_C_Powershell | 5.89 | 44
MAL_NET_MeterPreter_Payload_1 | 6.36 | 11
SUSP_Embedded_Decoy_Doc_Sep19 | 7.44 | 25
SUSP_PS2EXE_PowerShell2Exe_2 | 9.41 | 27
SUSP_JS_StartupFolder_Ref | 9.41 | 17
SUSP_Encoded_StartSleep | 9.55 | 11
SUSP_PHP_Obfuscation_GZ_Base64 | 9.82 | 11
SUSP_Base64_Encoded_Hex_Encoded_Code | 9.86 | 14
SUSP_JS_ChrW_Obfuscation | 11.06 | 18
SUSP_CryptoObfuscator | 11.42 | 24
SUSP_JS_Run_Chr_Code | 11.86 | 21
SUSP_Encoded_VBE | 12.14 | 37
SUSP_Base64_Encoded_AppData | 12.52 | 23
MAL_macOS_PY_Agent_Jul19_1 | 12.68 | 38
SUSP_JS_Obfuscation_Oct19_1 | 12.73 | 1421
SUSP_JS_Window_MoveTo_NegativeValue | 12.87 | 15
SUSP_Go_ShellCode_Indicator | 13.0 | 11
SUSP_ANOMALY_Calc_Strings | 13.02 | 54
SUSP_Encoded_IO_Decompress | 13.92 | 38
SUSP_PS1_Obfuscated_Payload_Feb19_1 | 14.58 | 24
SUSP_PDB_Path_Keywords | 14.62 | 21
SUSP_Encoded_IEX_1 | 14.74 | 34
SUSP_Base64_Encoded_W_Hidden | 14.75 | 85
SUSP_RAR_with_PDF_Script_Obfuscation | 14.77 | 53

Latest Matches with Low AV Detection Rate

This table lists the latest matches with low AV detection rates (between 0 and 15 AV engines matched the sample). The VT column of the original table only carried links.

Rule | AVs | Hash (SHA256)
devilzShell_12 | 8 | dffee53dad4e9a6e8f2912fd74538b97f385f42f694ce296b5cf179512cb6efa
CN_Shell_ASPX_Dec16 | 7 | 0d6de5aea4afae706e79521fdd5f945825191ecf9c93a2670bb0b9a6d82682c2
Webshell_PerlKit_139 | 7 | 0d6de5aea4afae706e79521fdd5f945825191ecf9c93a2670bb0b9a6d82682c2
ASPX_WebShell_OpE | 7 | 0d6de5aea4afae706e79521fdd5f945825191ecf9c93a2670bb0b9a6d82682c2
SUSP_Svchost_Variation | 14 | 61f6c845174d27e4d74db39dcdda36f929786a98dec68ace69eefd876db2170f
PUA_CryptoMiner_Jan19_1 | 12 | c984da00152b0bc7ff8b7752cd1a628812749c6444e866b85def831eb134def7
PUA_CCMiner_CryptoMiner | 12 | c984da00152b0bc7ff8b7752cd1a628812749c6444e866b85def831eb134def7
SUSP_AutoIt_CompScript_NET_Combo | 7 | 825530f094186924b2d607b910ce1d5e3d207b4eb73d6bcdc15c23ad5c3c7877
SUSP_AutoIt_Malware_Indicator_1 | 7 | 825530f094186924b2d607b910ce1d5e3d207b4eb73d6bcdc15c23ad5c3c7877
SUSP_Base64_Encoded_AppDataLocal | 10 | bd2b00425cf42c6b76df71992d70cb0960f8ccde87acf245b279d2c3262d6ac5
SUSP_AutoIt_Malware_Indicator_1 | 8 | bf28faec4212d794a822465a02bf01a5fd20f643aae0acfbdf01d3dc8e3d80aa
SUSP_Base64_Encoded_AppDataLocal | 10 | c65e6180402a48f93b7521e20190705f562b55da2b2791d48f6f47ed95e9733d
SUSP_AutoIt_CompScript_NET_Combo | 10 | 311c360f00f642a4b184c9067fd3debb5ebc593bb93fd43410738d947e9f21ca
SUSP_AutoIt_Malware_Indicator_1 | 10 | 311c360f00f642a4b184c9067fd3debb5ebc593bb93fd43410738d947e9f21ca
SUSP_VBA_Project_Keyword_Feb19_1 | 9 | 564594b78d061705b840edc6419bf24cce9f9f6ac3912369d64cecca2fba6182
SUSP_Base64_Encoded_PowerShellCommand | 9 | 564594b78d061705b840edc6419bf24cce9f9f6ac3912369d64cecca2fba6182
SUSP_XORed_MSDOS_Stub_Message | 12 | 23f7798ccd4670076817c3206db4d3d4961250a11cef3ab4ad86d981679f708a
SUSP_XORed_MSDOS_Stub_Message | 12 | 23f51080c2c79f46d880f32849c258b9ae99873860388f9fb1dba434ea26cfce
SUSP_XORed_MSDOS_Stub_Message | 12 | 23f43e268162bc88348fd433b6a810b44c326af1068b07b03beb8fb6f74baf14
SUSP_XORed_MSDOS_Stub_Message | 12 | 23f3754a35828f4fde4aadb4f34580077eea845d7188fce88c1f88f223116cbf

Top Tags in YARA Rule Set

This list shows the top tags used in our database; the tags define the subscribable rule categories.

Tag | Count
FILE | 6337
EXE | 4564
APT | 2717
MAL | 2700
DEMO | 2442
HKTL | 2418
T1100 | 1814
WEBSHELL | 1790
SUSP | 1256
CHINA | 1012
SCRIPT | 648
RUSSIA | 408
T1086 | 349
MIDDLE_EAST | 343
T1064 | 308
T1027 | 308
GEN | 305
T1003 | 271
T1193 | 250
T1203 | 250
T1075 | 197
T1132 | 158
OBFUS | 157
T1085 | 150
EXPLOIT | 148
LINUX | 144
T1178 | 134
T1097 | 134
METASPLOIT | 112
T1050 | 110

Integrations

Tenable Nessus
Requirement: Privileged (credentialed) scan
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black
Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html