yara-rule-authoring_skill

This skill guides authoring of high quality YARA-X rules for malware detection, focusing on performance, accuracy, and safe migration.
  • Python

3k

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill trailofbits/skills --skill yara-rule-authoring

  • SKILL.md26.1 KB

Overview

This skill guides authoring high-quality YARA-X detection rules for malware identification, focusing on accuracy, performance, and false positive reduction. It covers string selection, condition design, platform-specific considerations, migration from legacy YARA, and practical debugging workflows. Use it when writing, reviewing, or optimizing rules for production threat detection.

How this skill works

The skill inspects rule design choices and recommends changes to strings, conditions, pre-filters, and module usage to improve precision and speed. It evaluates candidate strings for atom quality, suggests bounded regex or hex patterns, recommends magic-byte prechecks, and directs when to pivot from string-based detection to structural or metadata-based checks. It also includes tool recommendations and test workflows for goodware validation.

When to use it

  • Writing new YARA-X rules for a specific malware family or sample set
  • Reviewing or optimizing slow or noisy rules before production deployment
  • Converting legacy YARA rules to YARA-X and validating compatibility
  • Debugging false positives against a goodware corpus
  • Authoring rules for crx (Chrome extensions) or dex (Android) analysis

Best practices

  • Start with cheap pre-filters: filesize, magic bytes, and small numeric checks before expensive searches
  • Choose strings that produce stable 4-byte atoms; avoid repeated bytes, short strings, and common API names alone
  • Test rules against a large goodware corpus (VirusTotal or internal) before deployment
  • Prefer anchored, bounded regex or hex patterns with wildcards rather than unbounded regex
  • Use modifiers (nocase, wide, xor) only with documented sample evidence to avoid atom explosion
  • Split broad detections into focused rules; require multiple correlated indicators rather than a single common string

Example use cases

  • Detecting a LockBit configuration extractor by targeting unique config strings plus a file magic check
  • Migrating an older YARA rule to YARA-X: run yr check, replace fragile regex with anchored patterns, and add filesize pre-filter
  • Reducing FPs from a JavaScript rule by requiring credential path + network call + destination domain instead of any network keyword
  • Creating a Chrome extension rule using the crx module to identify permission abuse and manifest anomalies
  • Authoring Android detections with the dex module that target obfuscated class names and suspicious permissions

FAQ

Ensure it is at least 4 bytes, not a repeated/common token, unique to the family or combined with other markers, and validated against goodware.

When should I pivot away from string-based rules?

If the sample is packed, yarGen returns only API names, or candidate strings match goodware widely, target structure (imports, section metadata, imphash) or the unpacked payload instead.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
yara-rule-authoring skill by trailofbits/skills | VeilStrat