malware-scan-yara
# Malware Detection with YARA
You are a security engineer performing pattern-based malware detection using YARA rules.
## When to use
Use this skill when asked to scan files for malware indicators, analyze suspicious binaries, or apply YARA rules for threat detection.
## Prerequisites

- YARA installed (`apt install yara` or `brew install yara`)
- YARA rules (community rules from https://github.com/Yara-Rules/rules)
- Verify: `yara --version`
## Instructions
- Identify the target: determine the file(s) or directory to scan.
- Run the scan. The `yara` CLI takes one or more rule files, not a rule directory; to load a whole rule set, point it at an index file that `include`s the individual rule files (the community repository provides `index.yar` for this):

  ```shell
  yara <rules-file> <target-path>
  ```

  - Recursive directory scan (`-r` is the recursive flag and applies to the target, not to the rules):

    ```shell
    yara -r rules/index.yar /path/to/scan/
    ```

  - Multiple rule files (all rule files go before the target):

    ```shell
    yara -r rule1.yar rule2.yar <target>
    ```

  - With metadata (`-m`):

    ```shell
    yara -r -m rules/index.yar <target>
    ```

  - With string matches (`-s`):

    ```shell
    yara -r -s rules/index.yar <target>
    ```

  - Full output saved to a file (YARA has no JSON output mode, so this is plain text; `-e` adds each rule's tags):

    ```shell
    yara -r -e -m -s rules/index.yar <target> 2>&1 | tee yara-results.txt
    ```

  - Timeout per file (`-a`/`--timeout`, in seconds):

    ```shell
    yara -r -a 60 rules/index.yar <target>
    ```

- Parse the results and present findings:

  | # | Rule Name | File Matched | Tags | Description | Strings Matched |
  |---|-----------|-------------|------|-------------|----------------|

- Summarize. Provide:
  - Total files scanned and matches found
  - Matched rule descriptions and threat categories
  - False positive assessment
  - Recommended actions (quarantine, delete, investigate further)
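The findings table above has to be filled from YARA's plain-text output, and the false-positive assessment needs the matched strings and offsets, not just the rule names. The parser below is an added example, not part of this skill or of the YARA project. It assumes the line format the `yara` CLI prints: one match line per hit in the form `rule [tags] [meta] path` (the tag bracket appears only with `-e`, the metadata bracket only with `-m`), followed by `0xOFFSET:$id: data` lines when `-s` is used. The sample it runs on is constructed, not a real scan, and the stderr lines mixed in by `2>&1` (warnings, `error scanning ...`) are skipped.

```python
"""Turn `yara -r -e -m -s ... 2>&1` output into the findings table and summary.

Added example (not part of this skill or of YARA). It assumes the line format
the yara CLI prints: a match line `rule [tags] [meta] path` (tags only with -e,
metadata only with -m) followed by `0xOFFSET:$id: data` lines when -s is used.
"""
import re
from dataclasses import dataclass, field

# Match line: optional namespace (printed with -g), rule identifier, up to two
# bracket groups, then the file path. Metadata strings containing ']' are not handled.
MATCH_RE = re.compile(
    r"^(?:(?P<ns>[\w.\-]+):)?(?P<rule>\w+) "
    r"(?:\[(?P<b1>[^\]]*)\] )?"
    r"(?:\[(?P<b2>[^\]]*)\] )?"
    r"(?P<path>\S.*)$"
)
# String-match line printed by -s: 0x<hex offset>:$<id>: <matched data>
STRING_RE = re.compile(r"^0x(?P<off>[0-9a-fA-F]+):(?P<sid>\$\w*): ?(?P<data>.*)$")
# key=value pairs inside the metadata bracket; string values are double-quoted
META_RE = re.compile(r'(\w+)=("[^"]*"|[^,]*)')


@dataclass
class Finding:
    rule: str
    path: str
    tags: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)
    strings: list = field(default_factory=list)  # (offset, string id, matched data)

    @property
    def description(self) -> str:
        return str(self.meta.get("description", ""))


def _parse_meta(text: str) -> dict:
    meta = {}
    for key, raw in META_RE.findall(text):
        if raw.startswith('"'):
            meta[key] = raw[1:-1]
        elif raw in ("true", "false"):
            meta[key] = raw == "true"
        else:
            try:
                meta[key] = int(raw)
            except ValueError:
                meta[key] = raw
    return meta


def parse_yara_output(text: str) -> list:
    """Parse scan output; warnings and 'error scanning' lines from stderr are skipped."""
    findings, current = [], None
    for line in text.splitlines():
        m = STRING_RE.match(line)
        if m and current is not None:
            current.strings.append((int(m["off"], 16), m["sid"], m["data"]))
            continue
        if line.startswith(("warning", "error")):
            continue
        m = MATCH_RE.match(line)
        if not m:
            continue
        tags, meta = [], {}
        for bracket in (m["b1"], m["b2"]):
            if not bracket:
                continue
            if "=" in bracket:       # key=value pairs can only be metadata
                meta = _parse_meta(bracket)
            else:                    # bare comma-separated identifiers are tags
                tags = bracket.split(",")
        current = Finding(rule=m["rule"], path=m["path"], tags=tags, meta=meta)
        findings.append(current)
    return findings


def render_table(findings: list) -> str:
    """Markdown table in the layout the skill asks for (string ids and offsets only)."""
    rows = [
        "| # | Rule Name | File Matched | Tags | Description | Strings Matched |",
        "|---|-----------|-------------|------|-------------|----------------|",
    ]
    for i, f in enumerate(findings, 1):
        hits = "; ".join(f"{sid}@0x{off:x}" for off, sid, _ in f.strings)
        rows.append(f"| {i} | {f.rule} | {f.path} | {','.join(f.tags)} | {f.description} | {hits} |")
    return "\n".join(rows)


def summarize(findings: list) -> dict:
    return {
        "matches": len(findings),
        "files": len({f.path for f in findings}),
        "rules": sorted({f.rule for f in findings}),
        "tags": sorted({t for f in findings for t in f.tags}),
    }


# Constructed sample in the format `yara -r -e -m -s ... 2>&1` prints; not a real scan.
SAMPLE_OUTPUT = """\
Webshell_PHP_Generic [webshell] [description="Generic PHP webshell pattern",score=70] /var/www/html/uploads/img.php
0x1a:$s1: eval(base64_decode(
0x2c0:$s2: $_POST[
UPX_Packed [packer] [description="UPX-packed executable"] /tmp/downloads/setup.exe
0x1ee:$upx0: UPX0
0x216:$upx1: UPX1
warning: rule "Slow_Regex_Rule" in rules/index.yar(12): slow regex
error scanning /tmp/downloads/locked.bin: could not open file
"""

if __name__ == "__main__":
    import sys
    # Read a real scan from stdin when piped; otherwise demonstrate on the sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    found = parse_yara_output(text)
    print(render_table(found))
    print(summarize(found))
```

Pipe a real scan through it with `yara -r -e -m -s rules/index.yar <target> 2>&1 | python3 parse_yara.py` (the script name is hypothetical). The matched bytes stay on each `Finding` for the false-positive review but are left out of the table because they can contain `|` and arbitrary binary; the table lists only string ids and offsets, which is enough to locate each hit in the file.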
## Common YARA Rule Categories
| Category | Description |
|---|---|
| Malware families | Known malware signatures |
| Packers | UPX, Themida, custom packers |
| Exploits | Shellcode, ROP chains |
| Webshells | PHP/ASP/JSP webshells |
| Crypto miners | Mining software indicators |
| Ransomware | Encryption/ransom indicators |
| RATs | Remote access trojans |