Valhalla Logo
currently serving 13989 YARA rules
API Key

New YARA Rules per Day

Newest YARA Rules

This table shows the newest additions to the rule set

Rule
Description
Date
Ref
MAL_MalDoc_SquirrelWaffle_Sep21_1
Detects SquirrleWaffle samples
21.09.2021
APT_MAL_Turla_TinyTurla_DLL_Sep21_1
Detects Tiny Turla backdoor DLL
21.09.2021
LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1
Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539
20.09.2021
SUSP_MalDoc_OBFUSCT_HTMLEntity_Sep21_1
Detects suspicious office reference files including obfuscated http references
18.09.2021
SUSP_MalDoc_OBFUSCT_HTMLEntity_Sep21_2
Detects suspicious office reference files including obfuscated http references
18.09.2021
SUSP_MalDoc_OBFUSCT_Spaces_Sep21_1
Detects suspicious office reference files including obfuscation based on multiple spaces
18.09.2021
SUSP_MalDoc_NetworkShare_Reference_Sep21_1
Detects suspicious office reference files including a template reference on a network share
18.09.2021
SUSP_OBFUSC_Indiators_XML_OfficeDoc_Sep21_2
Detects suspicious encodings in fields used in reference files found in weaponized MS Office documents
18.09.2021
EXPL_MAL_MalDoc_OBFUSCT_MHTML_Sep21_1
Detects suspicious office reference files including an obfuscated MHTML reference exploiting CVE-2021-40444
18.09.2021
APT_MAL_PlugX_OperationHarvest_Sep21
Detects a PlugX sample found in Operation Harvest
16.09.2021
VULN_LNX_OMI_RCE_CVE_2021_386471_Sep21
Detects a Linux OMI version vulnerable to CVE-2021-38647 (OMIGOD) which enables an unauthenticated RCE
16.09.2021
HKTL_VermilionStrike_Sep21_1
Detects VermilionStrike, a CobaltStrike beacon reimplementation
14.09.2021
HKTL_VermilionStrike_Sep21_2
Detects VermilionStrike, a CobaltStrike beacon reimplementation
14.09.2021
HKTL_VermilionStrike_Stager_Sep21_1
Detects a Stager for VermilionStrike, a CobaltStrike beacon reimplementation
14.09.2021
SUSP_LNK_InvokeMshtaUrl_Sep21
Detects a LNK file invoking mshta with an URL
14.09.2021
WEBSHELL_PHP_Base64_Obfuscation_Sep21
Detects Base64 variants of suspicious combinations of functions used for obfuscated webshells
14.09.2021
WEBSHELL_PHP_BeginsWith_eval_Sep21
Detects Files that begin with eval(
14.09.2021
WEBSHELL_PS1_ConPtyShell_Sep21
Detects a suspicious reverse Shell called ConPtyShell
13.09.2021
WEBSHELL_PHP_Obfuscation_Functions_Sep21
Detects suspicious use of functions often used in obfuscated webshells
13.09.2021
SUSP_WriteLdSoPreload_Sep21
Detects a command to write a preloader library
10.09.2021
MAL_XmRig_Invocation_Sep21
Detects a command to invoke XmRig to mine Monero
10.09.2021
MAL_ELF_Prism_Sep21
Detects PRISM samples found by Alien Labs
10.09.2021
HKTL_ADFS_Dump_Sep21_1
Detects ADFS Dump, a tool used to dump all sorts of information from AD FS
10.09.2021
SUSP_VHDX_Files_Sep21_1
Detects suspicious VHDX files with similarities noticed in files used by TransparentTribe in September 2021
09.09.2021
SUSP_VHDX_Files_Indicators_Sep21
Detects suspicious VHDX files with suspicious contents in their filesystem
09.09.2021
APT_MAL_TransparentTribe_Indicators_Sep21_1
Detects samples related to TransparentTribe
09.09.2021
SUSP_ManualHttpRequest_Sep21
Detects a script that manually builds an HTTP request (instead of e.g. using curl)
08.09.2021
SUSP_BashPiping_Sep21
Detects a shell script executing a script file that was likely processed or downloaded by another executable
08.09.2021
SUSP_DisableAppArmor_Sep21
Detects a command for the deactivation of AppArmor
08.09.2021
SUSP_DisableSeLinux_Sep21
Detects a command to persistently deactivate SELinux
08.09.2021
SUSP_PS1_IEX_Pattern_Sep21_1
Detects suspicious PowerShell IEX pattern in files
08.09.2021
SUSP_OBFUSC_JS_Sep21_1
Detects suspicious abfuscated JavaScript codes
08.09.2021
SUSP_CAB_INF_Pattern_Sep21_1
Detects suspicious CAB files as used in attacks exploiting CVE-2021-40444
08.09.2021
SUSP_ClassID_Combo_Sep21_1
Detects suspicious strings found in JavaScript code used in attacks exploiting CVE-2021-40444
08.09.2021
EXPL_SUSP_MalDoc_TemplatInjection_Sep21_1
Detects suspicious template injections including an x-usc instruction - as seen in CVE-2021-40444 exploitation
08.09.2021
EXPL_ITW_CVE_2021_40444_Sep21_1
Detects obfuscated JavaScript in HTML files as used in CVE-2021-40444 exploitation noticed in September 2021
08.09.2021
SUSP_MalDoc_TemplatInjection_MHTML_Sep21_1
Detects attempts to exploit CVE-2021-40444 in MS Office template references
08.09.2021
HKTL_Khepri_Beacon_Sep21_1
Detects Khepri C2 framework beacons
08.09.2021
SUSP_SCRIPT_FlushIptables_Sep21
Detects a command to remove all iptables rules
08.09.2021
SUSP_ELF_FlushIptables_Sep21
Detects a command to remove all iptables rules
08.09.2021

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule
Average AV Detection Rate
Sample Count
Info
VT
WEBSHELL_ASPX_Exchange_Encoded_Mailbox_Attachment_Aug21
0.0
13
HKTL_CobaltStrike_BingMaps_Malleable_C2_Profile_Indicator_May21
0.0
14
HKTL_AMSIBypass_Tool_OpCode_Indicators_May21_1
0.58
57
HKTL_Amsi_DLL_AMSI_Bypass_May21_1
0.62
13
SUSP_Tiny_RAR_Mar21_1
0.7
507
HKTL_AntiAV_Indicators_Jul21_1
0.77
26
HKTL_RMM_Client_Aug21_1
0.97
39
HKTL_PY_Loader_Feb21_2
2.08
26
HKTL_CobaltStrike_Custom_ShellCode_Aug21_2
2.15
40
SUSP_MalDoc_Indicator_VBA_Nov20_1
2.53
19
SUSP_PS1_Loader_Generic_Feb21
2.85
47
SUSP_COM_Object_Hijacking_Base64_Indicator_Dec20
3.17
12
HKTL_DLL_ReflectiveLoader_Oct20_5
4.23
13
SUSP_PHP_Base64Encoded_Nov20
4.45
20
SUSP_Script_PS1_Indicators_Mar21_1
4.45
20
HKTL_PY_Bypass_Tool_Aug21_2
4.47
15
SUSP_LNX_RevShell_Payloads_Jun21_1
4.85
71
HKTL_PUA_SharpPcap_DLL_Library_May21
4.86
14
SUSP_ASPX_PossibleDropperArtifact_Aug21
5.0
29
WEBSHELL_ASPX_ProxyShell_Aug21_2
5.28
25
HKTL_PUA_Chisel_TCP_Tunneling_Oct20_1
5.29
17
WEBSHELL_ReGeorg_Variant_Jul21_1
5.47
17
SUSP_String_Base64_Jun21
5.59
17
HKTL_Bypass_Tamper_Protection_Reference_Apr21_1
5.61
33
SUSP_OBFUSC_JS_Sep21_1
6.29
112
PUA_SUSP_ScreenConnect_Feb21
6.67
79
SUSP_Small_ISO_Includes_Rundll32_Apr21_1
6.68
19
SUSP_VBA_Lib_Kernel32_Import_Oct20
6.85
46
SUSP_CAB_INF_Pattern_Sep21_1
6.94
50
SUSP_LNX_Malware_Indicators_Aug21_1
7.35
17

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule
AVs
Hash
VT
MAL_LNK_Astaroth_Aug19
1
57ce97f13338305afd94cef46b843b41b3b01b5bc46a4853c799c40548689063
SUSP_CAB_INF_Pattern_Sep21_1
10
9e44a49613f64233d3d032362e709b1605a93fbba835d176a886b523afb12e73
Unspecified_Dropper_Mar17_2
10
01749ca47ac5b15534ce84b7f4fc03bef968d6994eecc5b44534843bfe7f7512
MAL_Loaderx86_Feb18_1
10
01749ca47ac5b15534ce84b7f4fc03bef968d6994eecc5b44534843bfe7f7512
MAL_Backdoor_Rifle_Feb19_1
10
01749ca47ac5b15534ce84b7f4fc03bef968d6994eecc5b44534843bfe7f7512
MAL_Unknown_Loader_Mar20_1
10
01749ca47ac5b15534ce84b7f4fc03bef968d6994eecc5b44534843bfe7f7512
SUSP_LNX_Rootkit_Indicators_Aug21_1
14
f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6
SUSP_LNX_Rootkit_Indicators_Aug21_2
14
f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6
SUSP_NET_NAME_ConfuserEx
1
54c7af982d6d9d036c6610514e3adada8bc047b46455913fb61e9e6ab218e4a0
APT_CN_Chinoxy_Downloader_Oct20_1
9
75dca5658bb3a054f1ade5f9f5d7315326ccb0afed92e888490d6223660e3b73
JSFuck_Obfuscation
3
b8de1b260a5a7033e26970e724be9bda0fc78ab06bfcd6a000bc269b01a52c87
JSFuck_Obfuscation
2
f405e77765c4fdbca8dc302f8b757d0c03cc68414fe9ace029640bb9c3860ccd
JSFuck_Obfuscation
8
fede0755a2538c1dfe6139a65a26509b101a4a9d319fa0ce3b0c372ecf883792
MAL_PurpleFox_ExploitKit_PS1_Loader_Apr21
12
a1cf6f10a700c70d95941497164b03b08ea63eb3b8f67d88255bf775aa564d1f
MAL_Artemis_Rootkit_Aug21_1
7
46fb636bf6de587d92e60fefb6dd5e025191aff757c10ded5d9f84af8c85771c
Unspecified_Dropper_Mar17_2
4
f30c35d4df292ccde1e2df06715102a598f96291cc8f48f6e73ebdfabd65c30e
Unspecified_Dropper_Mar17_2
4
4b54650f73aa2270b583e59275171c7b6375648d587c5c706186106f33ab3a36
MAL_Loaderx86_Feb18_1
4
f30c35d4df292ccde1e2df06715102a598f96291cc8f48f6e73ebdfabd65c30e
MAL_Loaderx86_Feb18_1
4
4b54650f73aa2270b583e59275171c7b6375648d587c5c706186106f33ab3a36
MAL_Unknown_Loader_Mar20_1
4
f30c35d4df292ccde1e2df06715102a598f96291cc8f48f6e73ebdfabd65c30e

Rules Per Category

This list shows the number of rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag
Count
Malware
4378
APT
3852
Hacktools
3294
Threat Hunting
2502
Webshells
2067
Exploits
344

Tenable Nessus

Requirement: Privileged Scan

  • YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • Filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020