Performs rapid malware triage and classification using YARA rules to match file patterns, strings, byte sequences, and structural characteristics against known malware families and suspicious indicators. Covers rule writing, scanning, and integration with analysis pipelines. Activates for requests involving YARA rule creation, malware classification, pattern matching, sample triage, or signature-based detection.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-malware-triage-with-yaraExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-malware-triage-with-yara from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-malware-triage-with-yara. Access via /performing-malware-triage-with-yara in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-malware-triage-with-yara |
| description | 'Performs rapid malware triage and classification using YARA rules to match file patterns, strings, byte sequences, and structural characteristics against known malware families and suspicious indicators. Covers rule writing, scanning, and integration with analysis pipelines. Activates for requests involving YARA rule creation, malware classification, pattern matching, sample triage, or signature-based detection. ' |
| domain | cybersecurity |
| subdomain | malware-analysis |
| tags | - malware - YARA - triage - classification - pattern-matching |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 |
Do not use as the sole analysis method; YARA triage identifies known patterns but does not reveal new or unknown malware behaviors.
apt install yara or pip install yara-python)yara-python for scripted scanningApply community and commercial YARA rules to classify samples:
# Scan a single file
yara -s malware_rules.yar suspect.exe
# Scan a directory of samples
yara -r malware_rules.yar /path/to/samples/
# Scan with multiple rule files
yara -r rules/apt_rules.yar rules/ransomware_rules.yar rules/trojan_rules.yar suspect.exe
# Scan with timeout (prevent hanging on large files)
yara -t 30 malware_rules.yar suspect.exe
# Scan and show matching strings
yara -s -r malware_rules.yar suspect.exe
# Scan with compiled rules (faster for repeated scans)
yarac malware_rules.yar compiled_rules.yarc
yara compiled_rules.yarc suspect.exe
# Download community rule sets
git clone https://github.com/Yara-Rules/rules.git yara-community-rules
git clone https://github.com/Neo23x0/signature-base.git signature-base
# Scan with signature-base
yara -r signature-base/yara/*.yar suspect.exe
Create YARA rules based on strings extracted during malware analysis:
rule MalwareX_Strings {
meta:
description = "Detects MalwareX based on unique strings"
author = "analyst"
date = "2025-09-15"
reference = "Internal Analysis Report #1547"
hash = "e3b0c44298fc1c149afbf4c8996fb924"
tlp = "WHITE"
strings:
// C2 URL pattern
$url1 = "/gate.php?id=" ascii
$url2 = "/panel/connect.php" ascii
// Unique mutex name
$mutex = "Global\\CryptLocker_2025" ascii wide
// User-Agent string
$ua = "Mozilla/5.0 (compatible; MSIE 10.0)" ascii
// Registry persistence path
$reg = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate" ascii
// Campaign identifier
$campaign = "campaign_2025_q3" ascii
condition:
uint16(0) == 0x5A4D and // PE file (MZ header)
filesize < 500KB and // Size constraint
($url1 or $url2) and // At least one C2 URL
($mutex or $campaign) and // Campaign identifier
$ua // Specific User-Agent
}
Create rules matching specific code sequences:
rule MalwareX_Decryptor {
meta:
description = "Detects MalwareX XOR decryption routine"
author = "analyst"
date = "2025-09-15"
strings:
// XOR decryption loop (x86 assembly)
// mov al, [esi+ecx]
// xor al, [edi+ecx]
// mov [esi+ecx], al
// inc ecx
// cmp ecx, edx
// jl loop
$xor_loop = { 8A 04 0E 32 04 0F 88 04 0E 41 3B CA 7C F3 }
// RC4 KSA initialization (256-byte loop)
$rc4_ksa = { 33 C0 88 04 ?8 40 3D 00 01 00 00 7? }
// Embedded RSA public key marker
$rsa_key = { 06 02 00 00 00 A4 00 00 52 53 41 31 } // PUBLICKEYBLOB
condition:
uint16(0) == 0x5A4D and
($xor_loop or $rc4_ksa) and
$rsa_key
}
Leverage YARA's PE module for structural detection:
import "pe"
import "hash"
import "math"
rule MalwareX_PE_Characteristics {
meta:
description = "Detects MalwareX by PE structure and imports"
author = "analyst"
condition:
pe.is_pe and
// Compiled within specific timeframe
pe.timestamp > 1693526400 and // After 2023-09-01
pe.timestamp < 1727740800 and // Before 2024-10-01
// Specific import hash
pe.imphash() == "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" or
// Suspicious import combination
(
pe.imports("kernel32.dll", "VirtualAllocEx") and
pe.imports("kernel32.dll", "WriteProcessMemory") and
pe.imports("kernel32.dll", "CreateRemoteThread") and
pe.imports("wininet.dll", "InternetOpenA")
) or
// High entropy .text section (packed)
(
for any section in pe.sections : (
section.name == ".text" and
math.entropy(section.raw_data_offset, section.raw_data_size) > 7.0
)
)
}
rule MalwareX_Rich_Header {
meta:
description = "Detects MalwareX by Rich header hash"
condition:
pe.is_pe and
hash.md5(pe.rich_signature.clear_data) == "abc123def456abc123def456abc123de"
}
Automate scanning of sample collections:
import yara
import os
import json
import hashlib
from datetime import datetime
# Compile all rule files
rule_files = {
"apt": "rules/apt_rules.yar",
"ransomware": "rules/ransomware_rules.yar",
"trojan": "rules/trojan_rules.yar",
"custom": "rules/custom_rules.yar",
}
rules = yara.compile(filepaths=rule_files)
# Scan sample directory
results = []
sample_dir = "/path/to/samples"
for filename in os.listdir(sample_dir):
filepath = os.path.join(sample_dir, filename)
if not os.path.isfile(filepath):
continue
with open(filepath, "rb") as f:
data = f.read()
sha256 = hashlib.sha256(data).hexdigest()
matches = rules.match(filepath)
result = {
"filename": filename,
"sha256": sha256,
"size": len(data),
"matches": [],
"classification": "UNKNOWN",
}
for match in matches:
result["matches"].append({
"rule": match.rule,
"namespace": match.namespace,
"tags": match.tags,
"strings": [(hex(s[0]), s[1], s[2].decode("utf-8", errors="replace")[:100])
for s in match.strings] if match.strings else []
})
if result["matches"]:
result["classification"] = result["matches"][0]["namespace"].upper()
results.append(result)
# Summary
classified = sum(1 for r in results if r["classification"] != "UNKNOWN")
print(f"Scanned: {len(results)} samples")
print(f"Classified: {classified} ({classified/len(results)*100:.1f}%)")
print(f"Unknown: {len(results)-classified}")
# Export results
with open("triage_results.json", "w") as f:
json.dump(results, f, indent=2)
Test rules for false positives and performance:
# Test rule syntax
yara -C custom_rules.yar
# Scan known-clean directory to check false positives
yara -r custom_rules.yar /path/to/clean_files/ > false_positives.txt
wc -l false_positives.txt
# Benchmark rule performance
time yara -r custom_rules.yar /path/to/large_sample_collection/
# Profile individual rule performance
yara -p custom_rules.yar suspect.exe
| Term | Definition |
|---|---|
| YARA Rule | Pattern matching rule defining strings, byte sequences, and conditions that identify a specific file or malware family |
| Condition | Boolean expression combining string matches, file properties, and module functions to determine if a rule matches |
| Hex String | Byte pattern with optional wildcards (??) and jumps ([N-M]) for matching machine code or binary data |
| PE Module | YARA module providing access to PE file properties (imports, sections, timestamps, resources) for structural matching |
| Imphash | MD5 hash of a PE file's import table; samples from the same family often share import hashes |
| Rich Header | Undocumented PE structure containing compiler/linker metadata; consistent within malware build environments |
| YARA-C | Compiled YARA rule format enabling faster scanning by pre-compiling rules for repeated use |
Context: Reverse engineering of a new malware sample has identified unique strings, byte patterns, and PE characteristics. YARA rules are needed for enterprise-wide hunting and ongoing detection.
Approach:
Pitfalls:
YARA TRIAGE RESULTS
=====================
Scan Date: 2025-09-15
Rule Sets: apt_rules (847 rules), ransomware_rules (312 rules),
trojan_rules (1,204 rules), custom_rules (45 rules)
Samples Scanned: 2,500
Processing Time: 47 seconds
CLASSIFICATION SUMMARY
APT: 12 samples (0.5%)
Ransomware: 187 samples (7.5%)
Trojan: 423 samples (16.9%)
Unknown: 1,878 samples (75.1%)
TOP MATCHING RULES
Rule Matches Family
MalwareX_C2_Beacon 45 MalwareX
LockBit3_Ransom_Note 38 LockBit 3.0
Emotet_Epoch5_Loader 32 Emotet
CobaltStrike_Beacon_Config 28 Cobalt Strike
QakBot_DLL_Loader 25 QakBot
SAMPLE DETAIL
File: suspect.exe
SHA-256: e3b0c44298fc1c149afbf4c8996fb924...
Matches:
[1] MalwareX_Strings (custom)
- $url1 at 0x4A20: "/gate.php?id="
- $mutex at 0x5100: "Global\\CryptLocker_2025"
[2] MalwareX_Decryptor (custom)
- $xor_loop at 0x401200: { 8A 04 0E 32 04 0F ... }
[3] MalwareX_PE_Characteristics (custom)
- PE import combination matched
Classification: MALWAREX (HIGH CONFIDENCE)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Keeps context tight: performing-malware-triage-with-yara is the kind of skill you can hand to a new teammate without a long onboarding doc.
I recommend performing-malware-triage-with-yara for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: performing-malware-triage-with-yara is the kind of skill you can hand to a new teammate without a long onboarding doc.
Useful defaults in performing-malware-triage-with-yara — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Registry listing for performing-malware-triage-with-yara matched our evaluation — installs cleanly and behaves as described in the markdown.
Registry listing for performing-malware-triage-with-yara matched our evaluation — installs cleanly and behaves as described in the markdown.
Registry listing for performing-malware-triage-with-yara matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in performing-malware-triage-with-yara — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Useful defaults in performing-malware-triage-with-yara — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
performing-malware-triage-with-yara reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 63