performing-yara-rule-development-for-detection▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.
| name | performing-yara-rule-development-for-detection |
| description | Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives. |
| domain | cybersecurity |
| subdomain | malware-analysis |
| tags | - yara - malware-detection - signature-development - threat-hunting - pattern-matching - yara-x - indicator-development |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 |
Performing YARA Rule Development for Detection
Overview
YARA is the pattern matching swiss knife for malware researchers, enabling identification and classification of malware based on textual or binary patterns. Effective YARA rules combine unique string patterns, byte sequences, PE header characteristics, import table analysis, and conditional logic to detect malware families while avoiding false positives. Modern YARA-X (rewritten in Rust, stable since June 2025) brings improved performance and new modules. Rules should target unpacked malware artifacts like hardcoded stack strings, C2 URLs, mutex names, encryption constants, and unique code sequences rather than packer signatures.
When to Use
- When conducting security assessments that involve performing yara rule development for detection
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Python 3.9+ with
yara-pythonlibrary - YARA 4.5+ or YARA-X 0.10+
- PE analysis tools (
pefile,pestudio) - Hex editor for identifying unique byte patterns
- Access to malware samples (VirusTotal, MalwareBazaar)
- Understanding of PE file format, strings, and import tables
Key Concepts
Rule Structure
Every YARA rule consists of three sections: meta (optional descriptive metadata), strings (pattern definitions), and condition (matching logic). String types include text strings (ASCII/wide/nocase), hex patterns with wildcards and jumps, and regular expressions. Conditions combine string matches with file properties using boolean operators.
String Selection Strategy
Effective rules target patterns that are unique to the malware family and survive recompilation. Hardcoded stack strings are excellent choices because compilers embed them consistently. C2 domain patterns, custom encryption routines, unique error messages, and specific API call sequences provide stable detection anchors. Avoid compiler-generated boilerplate and common library strings.
Performance Optimization
YARA evaluates conditions short-circuit style. Place the most discriminating and cheapest-to-evaluate conditions first. Use filesize limits to skip irrelevant files quickly. Minimize regex usage in favor of hex patterns. Use private rules as building blocks for complex detection logic without generating standalone matches.
Workflow
Step 1: Analyze Sample for Unique Patterns
#!/usr/bin/env python3
"""Extract candidate strings and byte patterns for YARA rule creation."""
import pefile
import re
import sys
from collections import Counter
def extract_strings(filepath, min_length=6):
"""Extract ASCII and wide strings from binary."""
with open(filepath, 'rb') as f:
data = f.read()
# ASCII strings
ascii_strings = re.findall(
rb'[\x20-\x7e]{' + str(min_length).encode() + rb',}', data
)
# Wide (UTF-16LE) strings
wide_strings = re.findall(
rb'(?:[\x20-\x7e]\x00){' + str(min_length).encode() + rb',}', data
)
return {
'ascii': [s.decode('ascii') for s in ascii_strings],
'wide': [s.decode('utf-16-le') for s in wide_strings],
}
def analyze_pe_imports(filepath):
"""Extract import table for API-based detection."""
try:
pe = pefile.PE(filepath)
except pefile.PEFormatError:
return []
imports = []
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
dll_name = entry.dll.decode('utf-8', errors='replace')
for imp in entry.imports:
if imp.name:
func_name = imp.name.decode('utf-8', errors='replace')
imports.append(f"{dll_name}!{func_name}")
return imports
def find_unique_byte_patterns(filepath, pattern_length=16):
"""Find unique byte sequences suitable for YARA hex patterns."""
with open(filepath, 'rb') as f:
data = f.read()
try:
pe = pefile.PE(filepath)
# Focus on code section
for section in pe.sections:
if section.Characteristics & 0x20000000: # IMAGE_SCN_MEM_EXECUTE
code_start = section.PointerToRawData
code_end = code_start + section.SizeOfRawData
code_data = data[code_start:code_end]
break
else:
code_data = data
except Exception:
code_data = data
# Find byte patterns that appear exactly once
patterns = []
for i in range(0, len(code_data) - pattern_length, 4):
pattern = code_data[i:i+pattern_length]
if pattern.count(b'\x00') < pattern_length // 3: # Skip null-heavy
hex_pattern = ' '.join(f'{b:02X}' for b in pattern)
patterns.append(hex_pattern)
# Count frequency and return unique ones
freq = Counter(patterns)
unique = [p for p, count in freq.items() if count == 1]
return unique[:20] # Top 20 candidates
def suggest_rule_strings(filepath):
"""Suggest strings and patterns for YARA rule."""
print(f"[+] Analyzing: {filepath}")
# Extract strings
strings = extract_strings(filepath)
# Filter for suspicious/unique strings
suspicious_keywords = [
'http', 'https', 'cmd', 'powershell', 'mutex', 'pipe',
'password', 'credential', 'inject', 'hook', 'debug',
'sandbox', 'virtual', 'vmware', 'vbox',
]
print("\n[+] Suspicious ASCII strings:")
for s in strings['ascii']:
if any(kw in s.lower() for kw in suspicious_keywords):
print(f" $ = \"{s}\" ascii")
print("\n[+] Suspicious wide strings:")
for s in strings['wide']:
if any(kw in s.lower() for kw in suspicious_keywords):
print(f" $ = \"{s}\" wide")
# Import analysis
imports = analyze_pe_imports(filepath)
suspicious_apis = [
'VirtualAlloc', 'VirtualProtect', 'WriteProcessMemory',
'CreateRemoteThread', 'NtUnmapViewOfSection', 'RtlMoveMemory',
'OpenProcess', 'CreateToolhelp32Snapshot',
'InternetOpenA', 'HttpSendRequestA',
'CryptEncrypt', 'CryptDecrypt',
]
print("\n[+] Suspicious imports:")
for imp in imports:
func = imp.split('!')[-1]
if func in suspicious_apis:
print(f" {imp}")
# Byte patterns
print("\n[+] Candidate hex patterns:")
patterns = find_unique_byte_patterns(filepath)
for p in patterns[:5]:
print(f" $hex = {{ {p} }}")
if __name__ == "__main__":
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <sample_path>")
sys.exit(1)
suggest_rule_strings(sys.argv[1])
Step 2: Write and Test YARA Rules
import yara
import os
def create_yara_rule(rule_name, meta, strings, condition):
"""Generate a YARA rule from components."""
meta_str = "\n".join(f' {k} = "{v}"' for k, v in meta.items())
strings_str = "\n".join(f" {s}" for s in strings)
rule = f"""rule {rule_name} {{
meta:
{meta_str}
strings:
{strings_str}
condition:
{condition}
}}"""
return rule
def test_yara_rule(rule_text, test_dir):
"""Compile and test YARA rule against sample directory."""
try:
rules = yara.compile(source=rule_text)
except yara.SyntaxError as e:
print(f"[-] YARA syntax error: {e}")
return None
results = {"matches": [], "no_match": []}
for filename in os.listdir(test_dir):
filepath = os.path.join(test_dir, filename)
if not os.path.isfile(filepath):
continue
matches = rules.match(filepath)
if matches:
results["matches"].append({
"file": filename,
"rules": [m.rule for m in matches],
})
else:
results["no_match"].append(filename)
print(f"[+] Matches: {len(results['matches'])}")
print(f"[-] No match: {len(results['no_match'])}")
return results
# Example: Create a rule for a hypothetical malware family
example_rule = create_yara_rule(
rule_name="MalwareFamily_Variant_A",
meta={
"description": "Detects MalwareFamily Variant A",
"author": "Malware Analysis Team",
"date": "2025-01-01",
"hash": "abc123...",
"tlp": "WHITE",
},
strings=[
'$mutex = "Global\\\\UniqueM4lwareMutex" ascii wide',
'$c2_pattern = /https?:\\/\\/[a-z]{5,10}\\.(xyz|top|buzz)\\/gate\\.php/',
'$api1 = "VirtualAllocEx" ascii',
'$api2 = "WriteProcessMemory" ascii',
'$api3 = "CreateRemoteThread" ascii',
'$hex_decrypt = { 8B 45 ?? 33 C1 89 45 ?? 83 C1 04 }',
'$pdb = "C:\\\\Users\\\\" ascii',
],
condition=(
'uint16(0) == 0x5A4D and filesize < 2MB and '
'($mutex or $c2_pattern) and '
'2 of ($api*) and '
'$hex_decrypt'
),
)
print(example_rule)
Step 3: Performance Testing and Optimization
import time
def benchmark_rule(rule_text, scan_directory, iterations=3):
"""Benchmark YARA rule scan performance."""
rules = yara.compile(source=rule_text)
files = []
for root, _, filenames in os.walk(scan_directory):
for f in filenames:
files.append(os.path.join(root, f))
print(f"[+] Benchmarking against {len(files)} files "
f"({iterations} iterations)")
times = []
for i in range(iterations):
start = time.perf_counter()
matches = 0
for filepath in files:
try:
result = rules.match(filepath)
if result:
matches += 1
except Exception:
pass
elapsed = time.perf_counter() - start
times.append(elapsed)
print(f" Iteration {i+1}: {elapsed:.3f}s ({matches} matches)")
avg_time = sum(times) / len(times)
files_per_sec = len(files) / avg_time
print(f"\n[+] Average: {avg_time:.3f}s ({files_per_sec:.0f} files/sec)")
return avg_time
Validation Criteria
- YARA rules compile without syntax errors
- Rules detect target malware family samples with zero false negatives
- False positive rate below 0.1% when scanned against clean file corpus
- Rule performance allows scanning 1000+ files per second
- Rules survive minor malware modifications (recompilation, string changes)
- Metadata includes hash, author, date, description, and TLP marking
References
How to use performing-yara-rule-development-for-detection on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add performing-yara-rule-development-for-detection
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches performing-yara-rule-development-for-detection from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate performing-yara-rule-development-for-detection. Access the skill through slash commands (e.g., /performing-yara-rule-development-for-detection) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Accelerate Code Development
Use skill to generate boilerplate code, refactor legacy code, and write tests faster
Example
Generate React component with TypeScript types, styled-components, and comprehensive test suite in minutes
Reduce development time by 40-60% for repetitive coding tasks
Code Review Automation
Systematically review code for bugs, security issues, and style violations
Example
Analyze pull requests for common anti-patterns, suggest performance improvements, flag security vulnerabilities
Catch 70%+ of code issues before human review, improve code quality
Debug Complex Issues
Trace errors through stack traces and identify root causes faster
Example
Analyze error logs, suggest probable causes, recommend fixes with code examples
Cut debugging time by 30-50%, especially for unfamiliar codebases
Learn New Technologies
Get explanations, examples, and best practices for unfamiliar frameworks
Example
Understand Next.js app router, learn Rust ownership, grasp Kubernetes concepts with practical examples
Accelerate learning curve by 2-3x, reduce onboarding time for new tech stacks
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill installation support
- ›Basic understanding of programming concepts and version control (Git)
- ›Code editor or IDE for testing generated code (VS Code, JetBrains, etc.)
- ›Test environment separate from production for validating skill outputs
Time Estimate
15-30 minutes to install and see first useful output
Installation Steps
- 1.Install the skill using provided installation command
- 2.Verify skill is loaded in Claude Desktop (check ~/.claude/skills directory)
- 3.Test skill with simple prompt: 'Help me review this code snippet'
- 4.Gradually increase complexity: code generation → refactoring → architecture advice
- 5.Review all generated code before committing to repository
- 6.Iterate on prompts to improve output quality and relevance
- 7.Share effective prompts with team for consistency
Common Pitfalls
- ⚠Blindly trusting generated code without testing—always run tests and manual review
- ⚠Not providing enough context about your project structure and coding standards
- ⚠Expecting perfection on first generation—iteration and refinement are normal
- ⚠Sharing proprietary code or API keys in prompts—maintain confidentiality
- ⚠Over-relying on skill for critical security or business logic code
- ⚠Skipping documentation of why AI-generated code was chosen over alternatives
Best Practices▌
✓ Do
- +Always review and test AI-generated code before merging
- +Provide clear context: language, framework, coding standards, constraints
- +Use for boilerplate, tests, docs—areas where mistakes are easily caught
- +Iterate on prompts: start broad, refine with specific requirements
- +Combine AI suggestions with human judgment and domain expertise
- +Document successful prompt patterns for team reuse
- +Keep version control so you can rollback if needed
- +Use skill for learning and exploration, not production-critical features initially
✗ Don't
- −Don't commit AI code without thorough testing and review
- −Don't expose sensitive code, credentials, or proprietary algorithms
- −Don't use for security-critical code (auth, crypto, payments) without expert review
- −Don't skip peer review process just because AI generated it
- −Don't assume code follows your team's conventions—verify
- −Don't let junior developers skip learning fundamentals by relying solely on AI
- −Don't ignore compiler warnings or test failures in generated code
💡 Pro Tips
- ★Describe desired patterns explicitly: 'Use async/await, avoid callbacks'
- ★Ask for alternatives: 'Show 3 approaches to solve this, with tradeoffs'
- ★Request explanations: 'Explain why this approach is better than X'
- ★Use skill for 70% generation + 30% manual refinement for best results
- ★Build a prompt library for common patterns (API endpoints, components, tests)
- ★Pair program with AI: describe problem → review solution → iterate → refine
When to Use This▌
✓ Use When
Use coding skills for boilerplate generation, code reviews, refactoring legacy code, writing tests, learning new frameworks, and debugging non-critical issues. Best for repetitive tasks where errors are easy to catch.
✗ Avoid When
Avoid for production security features (auth, encryption, payment processing), complex business logic requiring deep domain knowledge, performance-critical algorithms, or when learning fundamentals is more valuable than speed.
Learning Path▌
- 1Start with simple tasks: generate functions, write tests, explain code
- 2Progress to code review: analyze PRs, suggest improvements
- 3Advanced: architectural decisions, refactoring strategies, performance optimization
- 4Expert: use for exploring new paradigms, researching best practices, mentoring juniors
Integration▌
- →VS Code
- →JetBrains IDEs
- →Cursor
- →GitHub Copilot
- →Git workflows
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.4★★★★★33 reviews- ★★★★★Shikha Mishra· Dec 28, 2024
Solid pick for teams standardizing on skills: performing-yara-rule-development-for-detection is focused, and the summary matches what you get after install.
- ★★★★★Noah Garcia· Dec 16, 2024
Solid pick for teams standardizing on skills: performing-yara-rule-development-for-detection is focused, and the summary matches what you get after install.
- ★★★★★Yash Thakker· Nov 19, 2024
We added performing-yara-rule-development-for-detection from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Mateo Menon· Nov 7, 2024
We added performing-yara-rule-development-for-detection from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Noah Liu· Oct 26, 2024
performing-yara-rule-development-for-detection fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Dhruvi Jain· Oct 10, 2024
performing-yara-rule-development-for-detection fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Michael Smith· Sep 17, 2024
Registry listing for performing-yara-rule-development-for-detection matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Fatima Yang· Sep 13, 2024
Keeps context tight: performing-yara-rule-development-for-detection is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Sakura Thomas· Sep 5, 2024
Solid pick for teams standardizing on skills: performing-yara-rule-development-for-detection is focused, and the summary matches what you get after install.
- ★★★★★Rahul Santra· Sep 1, 2024
Registry listing for performing-yara-rule-development-for-detection matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 33