currently serving 15778 YARA rules
Newest YARA Rules

This table shows the newest additions to the rule set

Rule | Description | Date
SUSP_Vulnerabilty_Scanning_Indicators_May22_1 | Detects suspicious indicators that are often found in samples that check for certain vulnerabilities (remotely or locally) | 21.05.2022
SUSP_WEBSHELL_Indicators_May22_1 | Detects indicators often found in PHP webshells | 21.05.2022
HKTL_Mortar_Loader_DLL_May22_1 | Detects Mortar DLL loaders | 21.05.2022
HKTL_Mortar_Loader_May22_1 | Detects Mortar loaders | 21.05.2022
HKTL_0xsp_Tools_May22_1 | Detects Revenant hacktool | 21.05.2022
HKTL_Revenant_May22_1 | Detects Revenant hacktool | 21.05.2022
WEBSHELL_PHP_TinyShell_May22_1 | Detects TinyShell PHP webshell | 21.05.2022
HKTL_AdFly_May22_1 | Detects the AdFly hacktool, an Active Directory query tool that uses LDAP; it helps red teamers and penetration testers validate user credentials and retrieve information about AD users and AD groups | 21.05.2022
HKTL_Untrace_May22_1 | Detects Untracer hacktool | 21.05.2022
HKTL_0xsp_Mongoose_Agents_May22_1 | Detects 0xsp Mongoose agents | 21.05.2022
HKTL_TChopper_May22_1 | Detects the TChopper tool (file chopper.exe), used to perform lateral movement via Windows service display names and WMI by smuggling the malicious binary as base64 chunks | 21.05.2022
HKTL_DNS_BlackCat_May22_1 | Detects DNS Black Cat clients | 21.05.2022
HKTL_PS1_DNS_BlackCat_May22_1 | Detects DNS Black Cat clients | 21.05.2022
HKTL_Author_Lawrence_Amer_Indicators_May22_1 | Detects tools produced by Lawrence Amer | 21.05.2022
EXPL_PDF_CVE_2018_9958_May22_1 | Detects PDF files exploiting CVE-2018-9958 | 20.05.2022
SUSP_PSExec_EULA_Accept_Registry_Add_May22 | Detects a suspicious automated way of accepting the PsExec EULA | 20.05.2022
SUSP_VBA_Indicators_May22_1 | Detects indicators found in malicious VBA code | 20.05.2022
SUSP_PDF_JavaScript_OpenAction_Combo_May22_1 | Detects PDF files that combine suspicious JavaScript with OpenAction | 20.05.2022
SUSP_OBFUSC_JS_May22_1 | Detects obfuscated JavaScript code | 20.05.2022
SUSP_JS_Unescape_Unicode_May22_1 | Detects JavaScript code often used in malicious samples | 20.05.2022
SUSP_JS_WScriptShell_Folder_Combo_May22_1 | Detects suspicious JavaScript files that combine a WScript.Shell with a suspicious folder | 20.05.2022
SUSP_Script_Indicators_May22_1 | Detects JavaScript code that contains indicators as found in many malicious samples | 20.05.2022
APT_CN_TwistedPanda_ForensicArtefacts_May22_1 | Detects forensic artefacts found in Twisted Panda campaigns | 20.05.2022
APT_CN_TwistedPanda_Loader_May22_1 | Detects loaders found in Twisted Panda campaigns | 20.05.2022
APT_CN_TwistedPanda_Indicators_May22_1 | Detects indicators found in Mustang Panda samples | 20.05.2022
APT_JS_MUstangPanda_May22_1 | Detects patterns found in JavaScript code as used by the Mustang Panda threat actor (could be found in other malicious scripts as well) | 20.05.2022
APT_JS_MUstangPanda_May22_2 | Detects JavaScript used by the Mustang Panda threat actor | 20.05.2022
MAL_BlackByte_ForensicArtefacts_May22_1 | Detects forensic artefacts found in BlackByte campaigns | 20.05.2022
SUSP_ELF_Malware_Indicators_May22_1 | Detects characteristics found in malicious Linux samples | 19.05.2022
SUSP_ELF_Rootkit_Indicators_May22_1 | Detects characteristics found in malicious Linux samples | 19.05.2022
MAL_LNX_LinaDungeon_May22_1 | Detects LinaDungeon Linux malware used by UNC1945 LightBasin | 19.05.2022
MAL_LNX_LinaDoor_Rootkit_May22 | Detects LinaDoor Linux rootkit | 19.05.2022
MAL_LNX_LinaDoor_Malware_May22 | Detects LinaDoor Lion Linux malware | 19.05.2022
HKTL_LNX_PostShell_May22_1 | Detects PostShell back-connect shell for Linux | 19.05.2022
SUSP_WUSA_Uninstall_KB_May22_1 | Detects the use of wusa to uninstall a certain KB patch | 18.05.2022
SUSP_PS1_BdeHdCfg_May22 | Detects suspicious invocation of BdeHdCfg via PowerShell | 17.05.2022
SUSP_SMALL_VBS_Invoke_Windows_May22 | Detects suspicious small VBS scripts that run something within the Windows folder | 17.05.2022
APT_IR_COBALT_MIRAGE_ForensicArtefacts_May22_1 | Detects forensic artefacts or samples found in COBALT MIRAGE intrusions | 17.05.2022
APT_IR_COBALT_MIRAGE_PS1_May22_1 | Detects scripts used by COBALT MIRAGE | 17.05.2022
APT_APTQ29_Malware_May22_1 | Detects samples used by APT-Q-29 | 17.05.2022

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those with the lowest average AV detection rates on their matches (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count
SUSP_RootHelper_Indicators_Jun21_1 | 0.0 | 11
HKTL_PUA_WinTun_Jan22 | 0.0 | 12
SUSP_PUA_LNX_macOS_AnyDesk_Feb22_1 | 0.0 | 12
SUSP_MalDoc_TemplatInjection_MHTML_Sep21_1 | 0.0 | 11
WEBSHELL_PHP_BeginsWith_eval_Sep21 | 0.65 | 211
SUSP_PY_Exploit_BackDoor_Indicators_Mar22_1 | 0.77 | 22
EXPL_SUSP_MalDoc_TemplateInjection_Dec21_1 | 0.87 | 67
SUSP_Eval_Base64_Indicators_Feb22_1 | 1.74 | 258
SUSP_PS1_Loader_Jan22_4 | 1.8 | 15
HKTL_LNX_LibProcessHider_Jan22_1 | 1.81 | 21
SUSP_PS1_OBFUSC_FormatString_Mar22 | 2.85 | 33
SUSP_UPX_Packed_Macho_Feb22_1 | 2.85 | 26
SUSP_OBFUSC_PowerShell_Format_String_Jan22_1 | 3.27 | 26
SUSP_Linux_Crontab_Entry_Oct21_2 | 3.5 | 12
SUSP_PUA_SoftEther_VPNGate_Sftware_Dec21_1 | 3.63 | 16
SUSP_ISO_In_ZIP_Small_May22_1 | 3.81 | 98
SUSP_WinPCap_Nov21 | 3.86 | 768
SUSP_PowerShell_Caret_OBFUSC_Dec21_1 | 4.13 | 16
HKTL_LNX_ProcessHider_Characteristics_Jun21_2 | 4.16 | 19
SUSP_ZIP_LNK_Small_Apr22_1 | 4.18 | 3396
SUSP_Combo_DOMDocument_Base64Data_May22 | 4.31 | 51
SUSP_OBFUSC_Encoded_Firewall_Disable_Commands_Apr22_1 | 4.82 | 11
SUSP_CertUtil_Encode_Feb22_1 | 4.93 | 14
SUSP_OBFUSC_Reversed_Encoded_PowerShell_Code_Mar22 | 5.12 | 17
PUA_NetSupport_Apr22 | 5.23 | 192
SUSP_PUA_AteraAgent_RemoteControl_Oct21 | 5.29 | 21
SUSP_EXPL_ExploitCode_Indicators_Jun21_LowCert_1 | 5.32 | 19
SUSP_PS1_OBFUSC_Pattern_Feb22_1 | 5.42 | 24
SUSP_OBFUSC_PS1_Jan22_1 | 5.45 | 11
HKTL_PY_Bypass_Tool_Aug21_2 | 5.5 | 16

Latest Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash (SHA-256)
SUSP_Download_Cradles_Feb22_1 | 4 | a3591ed3dbcefccb5b6cbb1d474a7c3f08f4196b55e5a8496ac020e2ace782b6
HKTL_CobaltStrike_Beacon_Gen_2 | 4 | bdd67ab5068d9ba0cb0630883202ba24848851c6dda7b4ba3076c87bc5b43fec
HKTL_CobaltStrike_Beacon_Gen | 4 | cf8cfb5f1b21a432c88965565d441c8e73cce14ee046485ed5d689a94e5b1668
CobaltStrike_ReflectiveLoader | 5 | 9a5abbcdfebb205c40d26cc85ecfdc091db50b84354b84a65b57222c567d2a74
SUSP_Beacon_Indicator_Jun20_1 | 4 | fe36771400be15fb315969e0a1d6071ffbbd90cde9642a70342f40cf4420ec80
HKTL_CobaltStrike_Beacon_Strings | 3 | 0811fe41d78887001d5c02bb06e6687ce07de44e439918b122226e3ce653e53d
MSF_CobaltStrike_Beacon | 4 | 3b9674dc0d2508199fd0bef749117084dc38a7bd2d05c19c6c146fb7af467378
HKTL_Metasploit_Shellcode_Aug20_1 | 3 | 7c70f474b1d1891d2911c32a10a04712463e9559cb380279e1ff509813e59e24
HKTL_Gen_Reflective_Loader | 3 | e21726ffb27bb7b1d425b77fbf6d1384b34bc5ff28589a168916572306ef880d
HKTL_Win_CobaltStrike | 3 | e143850a818a3a89124ec6d6c969453cdb414729b7f1f5aafbe3664b44d028e7
MSF_CobaltStrike_Beacon | 4 | a3591ed3dbcefccb5b6cbb1d474a7c3f08f4196b55e5a8496ac020e2ace782b6
CobaltStrike_ReflectiveLoader | 5 | b6b93354e240a3dd4431803ffb021712b56458197a1ccfa351a03353fc839a77
SUSP_PS1_Pattern_Combo_Feb22_1 | 3 | 4f141eafcc9ba7906fc26bd63f25cdcd50cc0f5cdd61456782ce8c8424d44ed2
CobaltStrike_Unmodifed_Beacon | 4 | ee6268d3c96d97ee4ae63e33bc1c05d22a844cebde772e32d6681cbe4adce8e4
SUSP_XORed_Mozilla | 4 | fe36771400be15fb315969e0a1d6071ffbbd90cde9642a70342f40cf4420ec80
HKTL_Win_CobaltStrike | 4 | 825dfe18bbea941e34f38d9b34237a5cb63db81985170bd1e81103dbe9945165
SUSP_Download_Cradles_Feb22_1 | 4 | d85f4ba0ea89547cf59fb12c28646de0f75288b90607886cd5caec3b6aafec38
HKTL_CobaltStrike_Beacon_Gen_2 | 4 | 14ebe6d80735fad86a57f0bc07c200f4c0ccf6442f1b7d527997390b0b96eea4
HKTL_Win_CobaltStrike | 4 | bdd67ab5068d9ba0cb0630883202ba24848851c6dda7b4ba3076c87bc5b43fec
CobaltStrike_Unmodifed_Beacon | 4 | 6fb3d97fc93d0a9a75ec5994096c854320bd4cce8441f9dc9cda8e283890f421

Rules Per Category

This list shows the number of rules in each subscribable category (the counts overlap, since a rule can belong to more than one category)

Tag | Count
Malware | 4846
APT | 4233
Hacktools | 3688
Threat Hunting | 3302
Webshells | 2114
Exploits | 457

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations (the directories to scan)
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html