- Home
- Skills
- Trailofbits
- Skills
- Yara Rule Authoring
yara-rule-authoring_skill
- Python
3k
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill trailofbits/skills --skill yara-rule-authoring- SKILL.md26.1 KB
Overview
This skill guides authoring high-quality YARA-X detection rules for malware identification, focusing on accuracy, performance, and false positive reduction. It covers string selection, condition design, platform-specific considerations, migration from legacy YARA, and practical debugging workflows. Use it when writing, reviewing, or optimizing rules for production threat detection.
How this skill works
The skill inspects rule design choices and recommends changes to strings, conditions, pre-filters, and module usage to improve precision and speed. It evaluates candidate strings for atom quality, suggests bounded regex or hex patterns, recommends magic-byte prechecks, and directs when to pivot from string-based detection to structural or metadata-based checks. It also includes tool recommendations and test workflows for goodware validation.
When to use it
- Writing new YARA-X rules for a specific malware family or sample set
- Reviewing or optimizing slow or noisy rules before production deployment
- Converting legacy YARA rules to YARA-X and validating compatibility
- Debugging false positives against a goodware corpus
- Authoring rules for crx (Chrome extensions) or dex (Android) analysis
Best practices
- Start with cheap pre-filters: filesize, magic bytes, and small numeric checks before expensive searches
- Choose strings that produce stable 4-byte atoms; avoid repeated bytes, short strings, and common API names alone
- Test rules against a large goodware corpus (VirusTotal or internal) before deployment
- Prefer anchored, bounded regex or hex patterns with wildcards rather than unbounded regex
- Use modifiers (nocase, wide, xor) only with documented sample evidence to avoid atom explosion
- Split broad detections into focused rules; require multiple correlated indicators rather than a single common string
Example use cases
- Detecting a LockBit configuration extractor by targeting unique config strings plus a file magic check
- Migrating an older YARA rule to YARA-X: run yr check, replace fragile regex with anchored patterns, and add filesize pre-filter
- Reducing FPs from a JavaScript rule by requiring credential path + network call + destination domain instead of any network keyword
- Creating a Chrome extension rule using the crx module to identify permission abuse and manifest anomalies
- Authoring Android detections with the dex module that target obfuscated class names and suspicious permissions
FAQ
Ensure it is at least 4 bytes, not a repeated/common token, unique to the family or combined with other markers, and validated against goodware.
When should I pivot away from string-based rules?
If the sample is packed, yarGen returns only API names, or candidate strings match goodware widely, target structure (imports, section metadata, imphash) or the unpacked payload instead.