valhalla.nextron-systems.com
84.200.5.156
Private Scan
Submitted URL: http://valhalla.nextron-systems.com/
Effective URL: https://valhalla.nextron-systems.com/
Submission: On March 29 via api from DE — Scanned from DE
Form analysis
3 forms found in the DOM
POST /info/search
<form action="/info/search" method="post" id="search">
<span class="form_key">Query</span>
<input type="submit" value="Search" title="Search the Valhalla database for keyword">
<span class="apikey_span"><input type="text" id="keyword" name="keyword" class="apikey_input" placeholder="Keyword, tag, ATT&CK technique, sha256 or rule name"></span>
</form>
POST /api/v1/getsigma
<form id="getsigma" method="post" action="/api/v1/getsigma">
<input type="hidden" id="apikey_sigma" name="apikey">
<input type="hidden" id="format_sigma" name="format" value="zip">
<input type="submit" value="Get Sigma Rules" title="Retrieve the Sigma rules as ZIP or JSON">
</form>
POST /api/v1/get
<form id="getyara" method="post" action="/api/v1/get">
<input type="submit" value="Get YARA Rules" title="Retrieve the YARA rules as plain text or JSON">
<span class="checkbox_span">
<label class="container">DEMO<input type="checkbox" id="demo" name="demo" value="demo" onclick="clickDemo()">
<span class="checkmark" id="demo_check"></span>
</label>
</span>
<span class="checkbox_span">
<label class="container">JSON<input type="checkbox" id="jsonformat">
<span class="checkmark"></span>
</label>
</span>
<span class="apikey_span"><input type="text" id="apikey" class="apikey_input" placeholder="Your API key or select demo API key"></span>
<input type="hidden" id="apikey_yara" name="apikey">
<input type="hidden" id="format_yara" name="format" value="text">
</form>
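The three forms above map onto three POST endpoints: /info/search takes a keyword, /api/v1/get returns the YARA rules (format text or json, with an optional demo=demo field from the DEMO checkbox), and /api/v1/getsigma returns the Sigma rules (format zip or json). The following is an added example, not Nextron's own client: it builds exactly those form fields, performs the POST, and then checks the downloaded YARA text before merging it into the single .yar file that the Nessus integration notes at the end of the page require. The demo key value that clickDemo() fills in is not on the page, the JSON checkbox has no name attribute so format=json is inferred to be the hidden field it toggles, and SAMPLE_FEED is constructed text, not real Valhalla output; all three are assumptions.

```python
"""Valhalla feed helper: posts the same fields as the page's three forms,
checks the returned YARA text, and merges it into the single .yar file that
the Nessus integration accepts. Added example, not Nextron's client code."""
import hashlib
import os
import re
import urllib.parse
import urllib.request

BASE_URL = "https://valhalla.nextron-systems.com"


def build_payload(endpoint, apikey="", fmt="", demo=False, keyword=""):
    """Form fields named exactly as the page's forms name them. The DEMO
    checkbox is submitted as demo=demo; the key value clickDemo() fills in is
    not on the page, so callers pass a key themselves (assumption). The JSON
    checkbox has no name, so format=json is taken to be the hidden field's
    toggled value (inferred from the form)."""
    if endpoint == "/info/search":
        return {"keyword": keyword}
    if endpoint == "/api/v1/get":                       # YARA rules
        payload = {"apikey": apikey, "format": fmt or "text"}
        if demo:
            payload["demo"] = "demo"
        return payload
    if endpoint == "/api/v1/getsigma":                  # Sigma rules
        return {"apikey": apikey, "format": fmt or "zip"}
    raise ValueError("unknown endpoint: " + endpoint)


def post(endpoint, payload, timeout=60):
    """One form-encoded POST. Access is rate-limited (see the warning at the
    bottom of the page), so call this once per refresh, never in a loop."""
    body = urllib.parse.urlencode(payload).encode()
    req = urllib.request.Request(BASE_URL + endpoint, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_RULE_HEADER = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)", re.MULTILINE)


def parse_rule_names(yara_text):
    """Rule identifiers in declaration order. Block comments are removed
    first; '//' comments cannot match because the pattern is anchored at the
    start of a line."""
    return _RULE_HEADER.findall(_BLOCK_COMMENT.sub("", yara_text))


def duplicate_names(yara_text):
    seen, dups = set(), []
    for name in parse_rule_names(yara_text):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def merge_to_single_yar(chunks):
    """Concatenate feed chunks (the Valhalla download plus local rules) into
    one file. yara rejects duplicated identifiers at compile time, so fail
    here instead of handing Nessus a file that will not load."""
    merged = "\n".join(chunk.strip() + "\n" for chunk in chunks)
    dups = duplicate_names(merged)
    if dups:
        raise ValueError("duplicate rule identifiers: " + ", ".join(dups))
    return merged


def feed_digest(yara_text):
    """sha256 of the merged file, to notice when the feed content changed."""
    return hashlib.sha256(yara_text.encode()).hexdigest()


# Constructed sample text (not real Valhalla output) so the script runs offline.
SAMPLE_FEED = """\
/* constructed sample
rule Inside_Comment { condition: true } */
rule SUSP_Example_One {
    meta:
        description = "constructed"
    strings:
        $a = "foo"
    condition:
        $a
}
private rule Helper_Two { condition: true }
// rule Not_A_Rule_Comment
"""
LOCAL_RULES = "rule SUSP_Example_One { condition: false }\n"

if __name__ == "__main__":
    key = os.environ.get("VALHALLA_API_KEY")
    feed = post("/api/v1/get", build_payload("/api/v1/get", key)).decode() if key else SAMPLE_FEED
    print(len(parse_rule_names(feed)), "rules, duplicates:", duplicate_names(feed))
    try:
        merge_to_single_yar([feed, LOCAL_RULES])
    except ValueError as err:
        print("refusing to merge:", err)
    single = merge_to_single_yar([feed])
    with open("valhalla_merged.yar", "w") as fh:
        fh.write(single)
    print("wrote valhalla_merged.yar", feed_digest(single))
```

Without VALHALLA_API_KEY in the environment the script works on the constructed sample only; with it set, the same code performs the real download. The duplicate check matters in practice because local rule sets often carry an older copy of a rule under the same name, and a single merged file is the only form Nessus takes.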
Text Content
currently serving 18178 YARA rules and 2968 Sigma rules

NEW RULES PER DAY (chart)

NEWEST YARA RULES
This table shows the newest additions to the YARA rule set.

Rule | Description | Date
HKTL_MacOS_Loader_Mar23_1 | Detects indicators found in custom loader for macOS | 23.03.2023
APT_MAL_MSI_BadMagic_PowerMagic_Mar23_1 | Detects PowerMagic samples mentioned in Bad Magic report | 23.03.2023
APT_MAL_PS1_BadMagic_PowerMagic_Mar23_1 | Detects encoded PowerMagic samples mentioned in Bad Magic report | 23.03.2023
HKTL_SecretsDump_Mar23_1 | Detects unknown hack tool named SecretsDump 4 | 23.03.2023
HKTL_EXPL_POC_Veeam_Backup_CVE_2023_27532_Mar23_1 | Detects POC to Veeam backup vulnerability CVE-2023-27532 | 23.03.2023
HKTL_EXE_Runner_Mar23_1 | Detects unknown loader named Exe-Runner | 23.03.2023
HKTL_XorArgon_Injector_Mar23_1 | Detects xorargon process injector | 23.03.2023
HKTL_ProcessInjector_Mar23_1 | Detects various process injectors | 23.03.2023
SUSP_HKTL_Indicators_Mar23_1 | Detects suspicious files based on imports and other characteristics | 23.03.2023
SUSP_HKTL_Indicators_Mar23_2 | Detects suspicious files based on imports and other characteristics | 23.03.2023
SUSP_RDP_RemoteIcon_UNC_Mar23 | Detects suspicious RDP files, which use remote icons on SMB shares to leak NTLM hashes | 23.03.2023
HKTL_EXPL_LPE_AFD_SYS_CVE_2023_21768_Mar23_1 | Detects local privilege escalation exploits for CVE-2023-21768 in afd.sys | 22.03.2023
SUSP_EXPL_LPE_AFD_SYS_CVE_2023_21768_Mar23_1 | Detects samples with similarities to local privilege escalation exploits for CVE-2023-21768 in afd.sys | 22.03.2023
SUSP_EXPL_LPE_AFD_SYS_CVE_2023_21768_Mar23_2 | Detects indicators as described to be found in an in-the-wild sample exploiting CVE-2023-21768 in afd.sys for LPE | 22.03.2023
APT_BadMagic_ForensicArtifacts_Mar23_1 | Detects forensic artifacts found in attacks by Bad Magic TA | 22.03.2023
APT_PS1_BadMagic_PowerMagic_Mar23_1 | Detects PowerShell script as used by Bad Magic TA | 22.03.2023
SUSP_LNK_MsiExec_Internet_Mar23_ | Detects suspicious link files that contain msiexec invocations that install an MSI package from the Internet | 22.03.2023
SUSP_EXPL_Indicators_Mar23_1 | Detects indicators found in hacktools and privilege escalation exploits | 22.03.2023
SUSP_Exploit_Indicators_Mar23_1 | Detects binaries with indicators found in POCs for common exploits | 22.03.2023
SUSP_PE_Nim_Based_Mar23_1 | Detects suspicious Nim based executables (doesn't have to be a hack tool or malware - it's just very likely) | 22.03.2023
HKTL_PUA_FireKylin_Agent_Mar23_1 | Detects FireKylin agents - incident response tool, but also used by threat actors | 21.03.2023
SUSP_HKTL_Shell_Mar23_1 | Detects unknown shell found in open dir with other hack tools | 21.03.2023
SUSP_PUA_Tor_Cmdline_Flags_Mar23_1 | Detects suspicious indicators that point to the use of Tor (The Onion Router) | 21.03.2023
SUSP_LockDownProtectProcessById_Function_Mar23_1 | Detects | 21.03.2023
WEBSHELL_ASP_Unknown_Mar23_1 | Detects an ASP webshell | 21.03.2023
WEBSHELL_ASP_Unknown_Mar23_2 | Detects an ASP webshell | 21.03.2023
SUSP_PY_OBFUSC_Base64_RevShell_Indicators_Mar23_1 | Detects Python reverse shell indicators in encoded form | 20.03.2023
SUSP_PY_OBFUSC_RevShell_Indicators_Mar23_1 | Detects Python reverse shell indicators | 20.03.2023
SUSP_PY_OBFUSC_RevShell_Indicators_Mar23_2 | Detects Python reverse shell indicators | 20.03.2023
LOG_SUSP_LNX_Commands_AuditD_Mar23_1 | Detects a command to print /etc/shadow in the auditd log format | 20.03.2023

SUCCESSFUL YARA RULES IN SET
This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days).

Rule | Average AV Detection Rate | Sample Count
SUSP_AppData_PathTraversal_Nov22_1 | 0.64 | 14
WEBSHELL_PHP_Jul22_4 | 0.72 | 18
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.72 | 47
SUSP_OBFUSC_BAT_Mar23_1 | 0.82 | 38
SUSP_PY_Exec_Import_Aug22_1 | 1.0 | 18
SUSP_PS1_Invoke_Expression_May22_1 | 1.0 | 13
HKTL_Clash_Tunneling_Tool_Aug22_2 | 1.03 | 29
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 1.19 | 16
SUSP_PUA_Outlook_Redemtpion_Mar23_1 | 1.26 | 19
SUSP_JS_Redirector_Mar23 | 1.35 | 217
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 1.45 | 133
SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22 | 1.93 | 28
HKTL_PUA_SystemInformer_Nov22_1 | 2.24 | 17
SUSP_ISO_PhishAttachment_Password_In_Body_Jun22_1 | 2.39 | 148
EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23 | 2.69 | 54
SUSP_VBA_Kernel32_Imports_Jun22_1 | 2.83 | 58
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 2.86 | 73
SUSP_JS_OBFUSC_Feb23_2 | 2.99 | 1966
HKTL_PS1_HoaxShell_Pattern_Aug22_1 | 3.11 | 18
MAL_Hoaxshell_PS1_Encoded_Payload_Oct22 | 3.15 | 20
HKTL_PS1_HoaxShell_Payloads_Nov22_1 | 3.25 | 20
SUSP_Start_Min_Temp_Jan23_1 | 3.47 | 17
SUSP_PS1_Loader_Indicators_Dec22_2 | 3.5 | 30
SUSP_ISO_In_ZIP_Small_May22_1 | 3.51 | 92
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 3.55 | 20
SUSP_PS1_PowerShell_Recon_Mar23_1 | 3.56 | 27
SUSP_VBS_DownloadCradles_Jul22_1 | 3.89 | 19
SUSP_OBFUSC_obfs4_May22 | 4.06 | 68
SUSP_MSF_MSFVenom_Indicator_Jan23_1 | 4.32 | 22
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 4.44 | 16

LATEST YARA MATCHES WITH LOW AV DETECTION RATE
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched).

Rule | AVs | Hash (SHA-256)
Casing_Anomaly_CreateObject | 12 | deff53ff95af97742083746152426035c2867825a16791af577c03fdda3d8e8b
Casing_Anomaly_ExecuteGlobal | 12 | deff53ff95af97742083746152426035c2867825a16791af577c03fdda3d8e8b
SUSP_VB6CHS_Indicator_Dec19_1 | 11 | 537677b30d59180060267696b5b8dd89d97e7a03d51f7cc99351494c5dae31cb
SUSP_NullSoftInst_Combo_Oct20_1 | 1 | 1ce355bc9f077264273960cc17653a263eac9bdd79ccb7547c2970a3b27b6330
SUSP_VB6CHS_Indicator_Dec19_1 | 12 | 11c61a4dd41abc21f7b19cea06c059c399dcfe8daa36e3abf0f85f443c2eedd5
HKTL_EXPL_POC_Veeam_Backup_CVE_2023_27532_Mar23_1 | 1 | eb34720caa04185b7727cddac2b5d27ef62495e333b1f44ef082b0a1e368ef14
SUSP_EMAIL_Embedded_ISO_Feb22_1 | 5 | 2629d0123e51202210abdc74a7101f5d5919836d4761a36f93bd83aaa09a8f33
HKTL_EXPL_POC_Veeam_Backup_CVE_2023_27532_Mar23_1 | 2 | 6f63ee88eec26d1bce5732b1052fde27faa8e156d1ff221fb87bb0851288300f
SUSP_OBFUSC_JS_Base64_Encoded_Var_Feb23 | 5 | 7b6ce4da3ed8fe0e616b4ebbc50d714b89d02bd0599aabf2a4d141e1993bd147
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 5 | 7b6ce4da3ed8fe0e616b4ebbc50d714b89d02bd0599aabf2a4d141e1993bd147
HKTL_EXPL_POC_Veeam_Backup_CVE_2023_27532_Mar23_1 | 1 | b32b93385f5aef68a66dd989bbc22c004cf39416c19c2bea16253eaf9842cdb5
SUSP_Process_Dumper_Nov22_1 | 4 | 69917f2c87a602be0194a151f70d107d337e2b2f8b98dbe1d01669976b866738
HKTL_EXPL_POC_Veeam_Backup_CVE_2023_27532_Mar23_1 | 1 | 1ec3bc0b25ee5171202de3f00532ed6a0283d4df2f471345ea7abed4a27270bc
SUSP_PE_VMProtect_Nov21 | 12 | c1537cae24bb17df71acfdc3a29bcafe93375d2dea07e9d64b349bc8f6b2a9cb
SUSP_EMAIL_Embedded_ISO_Feb22_1 | 6 | e70a1c0d8f01be3d363480e00eb88d6dfdf70bbeaf8321c2bf434d6bea691ea8
SUSP_EMAIL_Embedded_ISO_Feb22_1 | 5 | b081e9b49fdf345627e97f198236de10b1afbdca80ed2e009d94768664317aec
SUSP_JS_OnEvent_Eval_Base64_Gen_Feb23 | 2 | b2c1785f4a40874a95fa2eceff5990e2f1c71c052db63c7c773c7f72945b88df
SUSP_EMAIL_Embedded_ISO_Feb22_1 | 5 | 65aff9f14c56952bd63cde820502f838ae22129b306ae1359950c90869dd92d8
SUSP_JS_OnEvent_Eval_Base64_Gen_Feb23 | 3 | 164236ad37735bc1dab9f22a569bfba3e9252dfcea2ff466f269cd3f2bcc2c82
SUSP_EMAIL_Embedded_ISO_Feb22_1 | 5 | 090a4688890826d1d8ad0e43cccd9f0b40426c71326cc6dad45bd3dc8d763ec8

YARA RULES PER CATEGORY
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in 'n' categories).

Tag | Count
Malware | 4956
APT | 4522
Threat Hunting (not subscribable, only in THOR scanner) | 4246
Hacktools | 4142
Webshells | 2213
Exploits | 554

NEWEST SIGMA RULES
This table shows the newest additions to the Sigma rule set.

Rule | Description | Date
CVE POC Execution Pattern | Detects the execution of a file or script that matches a filename pattern often used in Proof-of-Concept code | 22.03.2023
Potential Iviewers.DLL Sideloading | Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) | 21.03.2023
Potential MFA Bypass Using Legacy Client Authentication | Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack. | 20.03.2023
User Added To Admin Group - MacOS | Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. | 19.03.2023
Potential Binary Or Script Dropper Via PowerShell.EXE | Detects PowerShell creating a binary executable or script file. | 17.03.2023
Terminate Linux Process Via Kill | Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process. | 16.03.2023
Suspicious WebDav Client Execution | Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server) or potentially a sign of exploitation of CVE-2023-23397 | 16.03.2023
CVE-2023-23397 Exploitation Attempt | Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation. | 16.03.2023
Hypervisor Enforced Code Integrity Disabled | Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel | 14.03.2023
Active Directory Structure Export Via Csvde.EXE | Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. | 14.03.2023
Disable Key Protectors Via WMI | Detects calls to the "DisableKeyProtectors" method that's part of the "Win32_EncryptableVolume" class in order to disable or suspend all key protectors associated with a volume. Often used to disable BitLocker | 14.03.2023
Query Protection Status Via WMI | Detects potential protection status reconnaissance via calls to the "GetProtectionStatus" method that's part of the "Win32_EncryptableVolume" class. Often used to get the BitLocker status. | 14.03.2023
Active Directory Database Snapshot Via ADExplorer | Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database. | 14.03.2023
Suspicious Active Directory Database Snapshot Via ADExplorer | Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database to a suspicious directory. | 14.03.2023
Active Directory Structure Export Via Ldifde.EXE | Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure. | 14.03.2023
Process Memory Dump Via Dotnet-Dump | Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS | 14.03.2023
Credential Guard Disabled | Detects changes to the CredentialGuard registry key and the "Enabled" value being set to 0 in order to disable the Credential Guard feature. This allows an attacker to access secrets such as credentials stored in LSASS | 14.03.2023
Potential Rcdll.DLL Sideloading | Detects potential DLL sideloading of rcdll.dll | 13.03.2023
Potential Wazuh Security Platform DLL Sideloading | Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform | 13.03.2023
Suspicious Rundll32 Execution With Image Extension | Detects the execution of Rundll32.exe with DLL files masquerading as image files | 13.03.2023
Gzip Archive Decode Via PowerShell | Detects attempts to decode encoded Gzip archives via PowerShell. | 13.03.2023
Potential DLL File Download Via PowerShell Invoke-WebRequest | Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet | 13.03.2023
Potential Qakbot Registry Activity | Detects a registry key used by IceID in a campaign that distributes malicious OneNote files | 13.03.2023
Amsi.DLL Load By Uncommon Process | Detects loading of Amsi.dll by uncommon processes | 12.03.2023
Password Protected Compressed File Extraction Via 7Zip | Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files. | 10.03.2023
Potential MuddyWater APT Activity | Detects potential MuddyWater APT activity | 10.03.2023
Sysmon Configuration Update | Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely | 09.03.2023
Griffon Malware Attack Pattern | Detects process execution patterns related to Griffon malware as reported by Kaspersky | 09.03.2023
Linux Package Uninstall | Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg". | 09.03.2023
HackTool - Wmiexec Default Powershell Command | Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script | 08.03.2023

YARA/SIGMA RULE COUNT

Rule Type | Community Feed | Nextron Private Feed
YARA | 2587 | 15591
Sigma | 2694 | 274

SIGMA RULES PER CATEGORY (COMMUNITY)

Type | Count
windows / process_creation | 1032
windows / ps_script | 156
windows / registry_set | 153
windows / security | 139
windows / file_event | 134
linux / process_creation | 69
windows / image_load | 65
webserver | 64
windows / system | 62
linux / auditd | 52
macos / process_creation | 41
azure / activitylogs | 38
windows / network_connection | 37
aws / cloudtrail | 37
proxy | 37
windows / registry_event | 36
azure / auditlogs | 33
windows / ps_module | 32
windows / process_access | 27
azure / signinlogs | 25
windows / application | 21
linux | 18
rpc_firewall / application | 17
windows / pipe_created | 17
windows / driver_load | 15
gcp / gcp.audit | 14
m365 / threat_management | 13
okta / okta | 13
windows / create_remote_thread | 13
windows / dns_query | 13
dns | 12
windows / file_delete | 11
windows / ps_classic_start | 11
windows / windefend | 11
cisco / aaa | 11
windows / registry_add | 9
windows / firewall-as | 8
windows / msexchange-management | 8
windows / appxdeployment-server | 7
windows / bits-client | 7
github / audit | 7
zeek / smb_files | 7
antivirus | 7
windows / create_stream_hash | 7
firewall | 6
windows / registry_delete | 6
google_workspace / google_workspace.admin | 6
jvm / application | 5
zeek / dce_rpc | 5
linux / file_event | 5
windows / dns-client | 5
azure / azureactivity | 5
windows / file_access | 4
zeek / dns | 4
linux / network_connection | 3
windows / codeintegrity-operational | 3
zeek / http | 3
windows / taskscheduler | 3
windows / powershell-classic | 3
windows / wmi_event | 3
apache | 3
windows / ntlm | 3
linux / sshd | 2
windows / file_change | 2
linux / syslog | 2
windows / security-mitigations | 2
spring / application | 2
windows / file_rename | 2
onelogin / onelogin.events | 2
macos / file_event | 2
qualys | 2
linux / auth | 2
windows / powershell | 2
azure / microsoft365portal | 1
linux / clamav | 1
windows / applocker | 1
windows / printservice-operational | 1
windows / raw_access_thread | 1
nodejs / application | 1
huawei / bgp | 1
windows / printservice-admin | 1
python / application | 1
windows / appxpackaging-om | 1
django / application | 1
windows / shell-core | 1
windows / diagnosis-scripted | 1
windows / microsoft-servicebus-client | 1
m365 / exchange | 1
linux / sudo | 1
zeek / x509 | 1
windows / file_block | 1
velocity / application | 1
m365 / threat_detection | 1
linux / vsftpd | 1
windows / smbclient-security | 1
windows / sysmon | 1
ruby_on_rails / application | 1
zeek / rdp | 1
windows / driver-framework | 1
windows / sysmon_status | 1
database | 1
zeek / kerberos | 1
windows / dns-server | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_error | 1
sql / application | 1
modsecurity | 1
windows / dns-server-analytic | 1
windows / lsa-server | 1
windows | 1
windows / process_tampering | 1
netflow | 1
cisco / accounting / aaa | 1
windows / ps_classic_provider_start | 1
cisco / bgp | 1
windows / ldap_debug | 1
windows / wmi | 1
linux / cron | 1
cisco / ldp | 1
windows / iis | 1
windows / appmodel-runtime | 1
windows / openssh | 1
linux / guacamole | 1
juniper / bgp | 1

SIGMA RULES PER CATEGORY (NEXTRON PRIVATE FEED)

Type | Count
windows / process_creation | 130
windows / ps_script | 31
windows / wmi | 29
windows / registry_set | 17
proxy | 11
windows / file_event | 10
windows / system | 8
windows / security | 5
windows / create_remote_thread | 4
linux / process_creation | 3
windows / registry_event | 3
windows / image_load | 3
windows / pipe_created | 3
webserver | 2
windows / vhd | 2
windows / driver_load | 2
windows / taskscheduler | 2
windows / network_connection | 1
macos / process_creation | 1
windows / application | 1
windows / dns_query | 1
windows / process_access | 1
windows / registry_delete | 1
windows / file_access | 1
windows / registry-setinformation | 1
windows / file_delete | 1

TENABLE NESSUS

REQUIREMENT: PRIVILEGED SCAN
* YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA SCANNING WITH NESSUS
* You can only upload a single .yar file
* Filesystem scan has to be activated
* You have to define the target locations
* The Nessus plugin ID will be 91990
* Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

--------------------------------------------------------------------------------

CARBON BLACK
Tutorial: https://github.com/carbonblack/cb-yara-connector

--------------------------------------------------------------------------------

FIREEYE EX
Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html

Scan your endpoints, forensic images or collected files with our portable scanner THOR

Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied

Nextron Systems 2022
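Several of the Sigma rules in the table above describe their logic concretely enough to reproduce: a registry Enabled value written as 0 under HypervisorEnforcedCodeIntegrity or CredentialGuard, svchost.exe spawning rundll32.exe with davclnt.dll,DavSetCookie, csvde.exe/ldifde.exe exporting the directory, ADExplorer with -snapshot, dotnet-dump collect, and rundll32.exe handed a file with an image extension. The following is an added example, not the Sigma rules themselves: the conditions are simplified from the one-line descriptions, and the events, the registry paths under DeviceGuard\Scenarios, the -f/-i flag handling for csvde/ldifde and the IMAGE_EXT list are constructed assumptions. It runs those seven checks over constructed Sysmon-style events, including two that must not fire.

```python
"""Sigma-style checks for seven of the rules listed on the page, run over
constructed Sysmon-style events. Added example; conditions are simplified
from the rule descriptions, not the Sigma rules themselves."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")   # assumed set


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _cmd(e: Event) -> str:
    return e.get("CommandLine", "").lower()


def _proc(e: Event, image: str) -> bool:
    return e.get("EventType") == "process_creation" and _base(e.get("Image", "")) == image


def _reg_disabled(key: str) -> Callable[[Event], bool]:
    """...\\DeviceGuard\\Scenarios\\<key>\\Enabled written as 0. Sysmon renders
    DWORD values as 'DWORD (0x00000000)' in the Details field."""
    suffix = "\\%s\\enabled" % key.lower()

    def check(e: Event) -> bool:
        return (e.get("EventType") == "registry_set"
                and e.get("TargetObject", "").lower().endswith(suffix)
                and e.get("Details", "").strip() in ("0", "DWORD (0x00000000)"))
    return check


def _rundll32_image_arg(e: Event) -> bool:
    """rundll32 loads whatever path its first argument names, so a 'DLL'
    called invoice.png is exactly the masquerade the rule describes."""
    for tok in _cmd(e).split()[1:]:
        if tok.split(",")[0].strip('"').endswith(IMAGE_EXT):
            return True
    return False


RULES: Dict[str, Callable[[Event], bool]] = {
    "Hypervisor Enforced Code Integrity Disabled": _reg_disabled("HypervisorEnforcedCodeIntegrity"),
    "Credential Guard Disabled": _reg_disabled("CredentialGuard"),
    "Suspicious WebDav Client Execution": lambda e: (
        _proc(e, "rundll32.exe")
        and _base(e.get("ParentImage", "")) == "svchost.exe"
        and "davclnt.dll,davsetcookie" in _cmd(e)),
    # -f names the output file; -i would switch csvde/ldifde to import mode
    "Active Directory Structure Export Via Csvde.EXE / Ldifde.EXE": lambda e: (
        (_proc(e, "csvde.exe") or _proc(e, "ldifde.exe"))
        and " -f " in _cmd(e) and " -i" not in _cmd(e)),
    "Active Directory Database Snapshot Via ADExplorer": lambda e: (
        e.get("EventType") == "process_creation"
        and _base(e.get("Image", "")).startswith("adexplorer")
        and "-snapshot" in _cmd(e)),
    "Process Memory Dump Via Dotnet-Dump": lambda e: (
        _proc(e, "dotnet-dump.exe") and " collect" in _cmd(e)),
    "Suspicious Rundll32 Execution With Image Extension": lambda e: (
        _proc(e, "rundll32.exe") and _rundll32_image_arg(e)),
}


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """(rule title, event id) for every rule that fires, in event order."""
    return [(title, int(e["id"]))
            for e in events for title, cond in RULES.items() if cond(e)]


# Constructed events, not captured telemetry.
_SCEN = "HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\"
_SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "EventType": "registry_set",
     "TargetObject": _SCEN + "HypervisorEnforcedCodeIntegrity\\Enabled", "Details": "DWORD (0x00000000)"},
    {"id": "2", "EventType": "registry_set",
     "TargetObject": _SCEN + "CredentialGuard\\Enabled", "Details": "DWORD (0x00000000)"},
    {"id": "3", "EventType": "registry_set",          # re-enabled: must not fire
     "TargetObject": _SCEN + "HypervisorEnforcedCodeIntegrity\\Enabled", "Details": "DWORD (0x00000001)"},
    {"id": "4", "EventType": "process_creation", "ParentImage": _SYS32 + "svchost.exe",
     "Image": _SYS32 + "rundll32.exe",
     "CommandLine": "rundll32.exe C:\\windows\\system32\\davclnt.dll,DavSetCookie host.example@80 http://host.example/x"},
    {"id": "5", "EventType": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": _SYS32 + "rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\invoice.png,Start"},
    {"id": "6", "EventType": "process_creation", "ParentImage": _SYS32 + "cmd.exe",
     "Image": _SYS32 + "csvde.exe", "CommandLine": "csvde.exe -f C:\\Temp\\ad.csv"},
    {"id": "7", "EventType": "process_creation", "ParentImage": _SYS32 + "cmd.exe",
     "Image": "C:\\Tools\\ADExplorer64.exe", "CommandLine": "ADExplorer64.exe -snapshot \"\" C:\\Temp\\ad.dat"},
    {"id": "8", "EventType": "process_creation", "ParentImage": _SYS32 + "cmd.exe",
     "Image": "C:\\Users\\u\\.dotnet\\tools\\dotnet-dump.exe", "CommandLine": "dotnet-dump.exe collect -p 612"},
    {"id": "9", "EventType": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",   # benign
     "Image": _SYS32 + "rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for title, event_id in evaluate(SAMPLE_EVENTS):
        print("event %d -> %s" % (event_id, title))
```

Events 3 and 9 are the control cases: the registry checks key on the value being written, not merely touched, and the rundll32 checks key on the parent process and on the first argument rather than on rundll32.exe alone, which is what keeps these from firing on ordinary Control Panel applets.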