Claude skills package for operational malware analysis — covering triage, dynamic analysis, detection engineering, and reporting. Does not cover deep static reverse engineering (e.g., Ghidra/IDA Pro disassembly).
💡 Want to learn the manual analysis techniques behind these skills? Check out the comprehensive Malware Analysis SOP covering traditional analysis methods and tools.
1 Orchestrator + 5 Specialized Skills covering triage, dynamic analysis, detection engineering, and reporting:
- SKILL.md (root) - Orchestrator — single entry point that routes to the right skill, manages analysis state across phases, and supports multi-sample batch workflows. Just describe what you need.
- malware-triage - Initial assessment and prioritization
- malware-dynamic-analysis - Safe execution and behavior monitoring
- specialized-file-analyzer - Non-PE file analysis (.NET, Office, PDF, scripts)
- detection-engineer - Detection rules and IOC management
- malware-report-writer - Professional report creation
Just describe what you need — the orchestrator (SKILL.md) routes automatically. The decision tree below is for reference if you want to invoke a specific sub-skill directly.
START: What do you need to do?
├─ "I need to quickly assess a sample" → Use: malware-triage
│
├─ "I need to execute malware safely and monitor it" → Use: malware-dynamic-analysis
│
├─ "I have a document/script/non-executable" → Use: specialized-file-analyzer
│ ├─ .NET/C# assembly (.exe with .NET)
│ ├─ Office document with macros (.docm, .xlsm)
│ ├─ PDF file
│ ├─ PowerShell/VBS/JavaScript
│ ├─ Archive (.zip, .rar, .7z)
│ ├─ Linux binary (ELF)
│ └─ Shortcut file (.lnk)
│
├─ "I need to create detection rules or defang IOCs" → Use: detection-engineer
│ ├─ YARA rules → Use: malware-report-writer
│ ├─ Sigma rules (SIEM) → Use: detection-engineer
│ ├─ Suricata rules (IDS) → Use: detection-engineer
│ └─ Defang IOCs → Use: detection-engineer
│
└─ "I need to write a malware analysis report" → Use: malware-report-writer
| Skill Name | When to Use | Primary Output |
|---|---|---|
| malware-triage | First look at unknown sample | Classification, priority, initial IOCs |
| malware-dynamic-analysis | Execute and monitor behavior | Behavioral IOCs, process tree, network traffic |
| specialized-file-analyzer | Non-PE files (docs, scripts, etc.) | Deobfuscated code, embedded payloads, IOCs |
| detection-engineer | Create detection rules, defang IOCs | Sigma/Suricata rules, hunting queries |
| malware-report-writer | Document findings professionally | Complete technical report, YARA rules |
-
Upload Skills to Claude
- Open Claude (claude.ai) or Claude Code
- Upload the root
SKILL.md(the orchestrator) along with all 5 sub-skill folders - Skills install automatically
-
Verify Installation
Ask Claude: "What skills do you have?" Should list: malware-analysis (orchestrator) plus the 5 sub-skills -
Start Analyzing
"I have a suspicious .exe file, help me analyze it" "I have 5 samples to triage and prioritize" "Analyze this Office document with macros"The orchestrator routes to the right skill automatically.
MCP servers can automate manual steps like reputation lookups and sandbox execution. These are optional — every skill works without them.
| MCP Server | What It Automates | API Key |
|---|---|---|
| VirusTotal | Hash/URL/domain reputation lookups | Free at virustotal.com |
| Threat.Zone | Automated sandbox execution | threat.zone |
| Threat Intel | abuse.ch, AbuseIPDB, GreyNoise, AlienVault OTX | Per-source |
| MISP | Team-wide IOC sharing | Self-hosted |
| Shodan | C2 infrastructure recon | Free at shodan.io |
| Volatility | Memory forensics via natural language | Local install |
Recommended starting setup: VirusTotal + Threat Intel (abuse.ch). See references/mcp_integrations.md for full setup instructions.
Problem: Malware analysis VMs are commonly isolated with no internet access to prevent malware from communicating with C2 servers or spreading. (Some analysts intentionally allow monitored internet access for C2 traffic capture, but network-isolated VMs are a safer default.) Claude Code requires internet access to function.
Solution: Run Claude Code on your HOST machine, analyze exported evidence from the analysis VM.
┌─────────────────────────────────────────────────────┐
│ HOST MACHINE (Internet-connected) │
│ • Claude Code running here │
│ • Skills loaded and ready │
│ • Analyzes exported evidence │
│ • Creates reports and detection rules │
└──────────────────┬──────────────────────────────────┘
│
│ Evidence Transfer:
│ • Shared folder (read-only)
│ • USB drive
│ • Isolated network file share
│
┌──────────────────▼──────────────────────────────────┐
│ ANALYSIS VM (Isolated - No Internet recommended) │
│ REMnux / FlareVM │
│ • Execute malware here │
│ • Run monitoring tools │
│ • Capture evidence │
│ • Export results only │
└─────────────────────────────────────────────────────┘
Set up on your HOST machine:
/malware-analysis/
├── samples/ # Store original samples (DO NOT share with VM)
├── evidence/ # Evidence exported FROM analysis VM
│ ├── strings/ # strings output
│ ├── procmon/ # Process Monitor logs (CSV)
│ ├── wireshark/ # Network captures (text exports)
│ ├── sysmon/ # Sysmon event logs (JSON/CSV)
│ ├── memory/ # Memory dump analysis results
│ └── screenshots/ # Behavior screenshots
├── analysis/ # Claude Code analysis workspace
│ ├── notes.md
│ └── findings.md
├── detections/ # Detection rules created by Claude Code
│ ├── yara/
│ ├── sigma/
│ └── suricata/
└── reports/ # Final deliverables
└── malware_report.mdOn Analysis VM (REMnux/FlareVM):
# Configure shared folder or USB mount point
mkdir /mnt/evidence_export
# Make it write-only if possibleOn Host Machine:
# Create analysis structure
mkdir -p /malware-analysis/{evidence,analysis,detections,reports}
cd /malware-analysis# Use malware-triage skill
"Help me prepare for analyzing a suspected ransomware sample"
"What Procmon filters should I configure for ransomware?"
"What Wireshark display filters should I use for C2 traffic?"
"What Sysmon events should I focus on for persistence?"Claude Code will guide you through:
- Tool configuration commands
- Filter setup
- Monitoring checklist
In your Analysis VM terminal:
# 1. Take snapshot
virsh snapshot-create malware-analysis-vm
# 2. Start monitoring tools
# - Procmon (with filters from Claude)
# - Wireshark
# - Process Hacker
# - Regshot (1st shot)
# 3. Execute malware
./malware.exe
# 4. Monitor for 15+ minutes
# 5. Stop all captures
# 6. Export evidence to shared folder
cp procmon_filtered.csv /mnt/evidence_export/
cp wireshark_http.txt /mnt/evidence_export/
wevtutil epl Microsoft-Windows-Sysmon/Operational /mnt/evidence_export/sysmon.evtx
# Convert to CSV or JSON for easier analysis
# 7. Take screenshots of any unusual behavior
# 8. Revert to snapshot
virsh snapshot-revert malware-analysis-vm <snapshot-name>Now use Claude Code with your skills:
4a. Triage the Evidence:
cd /malware-analysis/evidence
# In Claude Code:
"Triage this sample based on the evidence I've collected"
Read procmon/malware_activity.csv
Read wireshark/http_traffic.txt
Read sysmon/events.json
"What type of malware is this?"
"What are the key IOCs?"
"What persistence mechanisms were used?"4b. Deep Analysis:
# Use specialized-file-analyzer if needed
"Analyze this PowerShell script extracted from memory"
Read evidence/memory/decoded_script.ps1
# Use malware-dynamic-analysis skill
"Analyze this Procmon output for ransomware encryption behavior"
"What C2 infrastructure was contacted based on this network capture?"4c. Create Detections:
# Use detection-engineer skill
"Create Sigma rules for this malware based on the Sysmon events"
Read evidence/sysmon/events.csv
"Create a Suricata rule for this C2 traffic"
Read evidence/wireshark/c2_communication.txt
"Defang all these IOCs for my report"
# Claude will create rules in detections/ folder4d. Write Report:
# Use malware-report-writer skill
"Create a complete malware analysis report based on my findings"
"Include these Procmon behaviors: [paste key findings]"
"Network indicators: [paste from Wireshark]"
"Persistence mechanisms: [paste from Sysmon]"
# Claude will generate the full report in reports/Analysis of Tool Outputs:
- Read and interpret Procmon CSV exports
- Analyze Wireshark text exports (HTTP objects, DNS queries)
- Parse Sysmon event logs (CSV/JSON)
- Interpret strings output
- Analyze PE header info from tools
- Review memory dump analysis results
Tool Setup Guidance:
- Procmon filter configuration
- Wireshark display filters
- Sysmon config recommendations
- INetSim/FakeNet setup
- VM isolation verification
Detection Creation:
- YARA rules from your findings
- Sigma rules from Sysmon events
- Suricata rules from network captures
- Hunting queries for EDR/SIEM
- IOC defanging and formatting
Report Writing:
- Complete malware analysis reports
- Executive summaries
- Technical documentation
- IOC lists with context
- Remediation recommendations
Execute Malware:
- Won't run
./malware.exe - Won't help improve malware code
- Won't make malware more evasive
Read Raw Binaries Directly:
- Won't directly analyze PE/ELF files
- Use tools first (strings, objdump, etc.)
- Then have Claude analyze the output
# ===== On Analysis VM (Manual) =====
analyst@remnux:~$ strings malware.exe > /mnt/export/strings.txt
analyst@remnux:~$ objdump -d malware.exe > /mnt/export/disasm.txt
analyst@remnux:~$ # Execute malware with monitoring
analyst@remnux:~$ cp evidence/* /mnt/export/
# ===== On Host (Claude Code) =====
you@host:~$ cd /malware-analysis/evidence
you@host:~$ # In Claude Code session:
> "Help me triage this sample"
> Read strings.txt
> Read procmon_export.csv
Claude: "Based on the evidence, this appears to be a remote access
trojan (RAT). Key indicators:
- Network connection to 185.220.101.x:4444
- Registry persistence via Run key
- Process injection into explorer.exe
- Keylogging behavior (GetAsyncKeyState calls)
..."
> "Create detection rules for this RAT"
Claude: [Creates YARA rule, Sigma rule, Suricata rule]
> "Write the complete analysis report"
Claude: [Generates full professional report]-
Export Evidence in Text Formats:
- Procmon → CSV (not .PML)
- Wireshark → Text export, HTTP objects
- Sysmon → CSV or JSON
- Memory analysis → Text output
-
Use Read-Only Shares:
- VM can only write to share, not read
- Prevents VM from accessing your host files
-
Batch Analysis:
- Analyze multiple samples
- Export all evidence
- Use Claude Code to batch analyze
-
Templates and Automation:
- Create export scripts in VM
- Use Claude Code to create analysis templates
- Streamline your workflow
-
Version Control:
- Keep analysis notes in git
- Track detection rule versions
- Version your reports
Q: Claude Code refuses to read my evidence file A: Ensure it's in text format (CSV, JSON, TXT), not binary (PML, PCAP, EVTX)
Q: How do I convert PCAP to text? A: Use tshark:
tshark -r capture.pcap -Y http -T fields -e http.host -e http.request.uri > http_traffic.txtQ: How do I convert EVTX to CSV? A: On Windows:
Get-WinEvent -Path sysmon.evtx | Export-Csv sysmon.csvQ: Claude Code says file is too large A: Filter or summarize first:
# Instead of reading all 50k lines
grep "malware.exe" procmon_huge.csv > procmon_filtered.csv
# Then read the filtered versionPurpose: Rapid initial assessment (5-30 minutes per sample)
Use When:
- You have a new unknown sample
- Need to prioritize multiple samples
- Want quick classification before deep analysis
- Time-constrained analysis
Provides:
- File hashing (MD5, SHA1, SHA256)
- Online reputation lookup guidance
- PE structure analysis
- String extraction workflow
- Malware type classification
- Threat level assessment
- Behavior prediction
- Priority determination
- Triage report template
Key Features:
- Structured 5-phase workflow
- Suspicious API import database
- Classification decision tree
- Time management strategies
- Integration with full analysis
Files:
malware-triage/
├── SKILL.md
├── references/
│ ├── indicators.md # Suspicious APIs & patterns
│ └── triage_checklist.md # Step-by-step guide
└── scripts/
└── hash_calculator.py
Purpose: Safe execution and comprehensive behavior monitoring
Use When:
- Need to observe actual malware behavior
- Validating static analysis hypotheses
- Capturing C2 communications
- Documenting runtime activity
- Extracting dynamic IOCs
Provides:
- Pre-execution safety checklist
- Tool setup (Procmon, Wireshark, Process Hacker, Sysmon)
- Monitoring workflows for:
- Process activity and injection
- File system operations
- Registry modifications
- Network communications
- Persistence mechanisms
- Artifact collection procedures
- Automated sandbox usage (ANY.RUN, Joe Sandbox)
- Evidence export workflows
Key Features:
- Safety-first approach with isolation verification
- Step-by-step tool configuration
- Real-time monitoring guidance
- Behavioral IOC extraction
- Timeline creation
- Integration with report writing
Files:
malware-dynamic-analysis/
├── SKILL.md
├── references/
│ ├── tool_setup.md # Procmon, Wireshark, etc.
│ ├── sandbox_setup.md # Local sandbox installation
│ └── anti_analysis_bypass.md # VM detection bypass
└── scripts/
└── (monitoring automation scripts)
Purpose: Analyze non-PE file formats requiring specialized tools
Use When You Encounter:
- .NET/C# Assemblies - Managed executables requiring decompilation
- Office Documents - Word/Excel with VBA/XLM macros
- PDF Files - Suspicious PDFs with JavaScript/exploits
- Scripts - PowerShell, VBScript, JavaScript, Batch files
- Archives - ZIP, RAR, 7z, TAR.GZ
- Shortcuts - .LNK files
- Linux Binaries - ELF executables
Provides:
- Per-Format Workflows:
- .NET: dnSpy/ILSpy decompilation, de4dot deobfuscation
- Office: oledump/olevba macro extraction, XLM macro analysis
- PDF: pdfid/pdf-parser/peepdf JavaScript extraction
- PowerShell: PSDecode deobfuscation, pattern analysis
- Scripts: Deobfuscation techniques
- Archives: Safe inspection and extraction
- LNK: LECmd/lnkinfo analysis
- ELF: readelf/strace/ltrace analysis
Key Features:
- Quick file type identification
- Format-specific tooling
- Deobfuscation techniques
- IOC extraction per format
- Integration with main report
Files:
specialized-file-analyzer/
├── SKILL.md
├── references/
│ ├── dotnet_analysis.md
│ ├── office_macros.md
│ ├── pdf_analysis.md
│ └── script_analysis.md
└── scripts/
└── (format-specific helpers)
Purpose: Convert analysis findings into production detection rules
Use When You Need:
- Sigma Rules for SIEM (Splunk, Elastic, QRadar, Sentinel)
- Suricata/Snort Rules for network IDS/IPS
- Hunting Queries for SOC/threat hunting
- IOC Defanging for safe documentation
- IOC Format Conversion (CSV, STIX, OpenIOC)
Provides:
- IOC defanging workflows (URLs, IPs, domains, emails)
- IOC confidence & volatility assessment
- Sigma rule creation:
- Process creation detection
- Network connection monitoring
- Registry modification detection
- File creation alerts
- Logsource configuration
- Sigma-to-SIEM conversion
- Suricata rule creation:
- HTTP/HTTPS C2 detection
- DNS query monitoring
- TLS/certificate analysis
- Malware download detection
- Hunting query templates (Splunk, Elastic, EDR)
- IOC export formats (STIX 2.1, CSV, OpenIOC)
Key Features:
- Automated IOC defanging
- Rule testing procedures
- False positive analysis
- MITRE ATT&CK tagging
- Multi-format export
Files:
detection-engineer/
├── SKILL.md
├── references/
│ ├── sigma_examples.md
│ ├── suricata_examples.md
│ └── ioc_standards.md
└── scripts/
└── ioc_defanger.py
Purpose: Create professional, enterprise-ready malware analysis reports
Use When:
- Documenting analysis findings
- Creating formal deliverables
- Writing for executive/technical audiences
- Formalizing IOCs and detection rules
- Creating YARA signatures
Provides:
- Complete report template (12 sections)
- Executive summary guidelines
- Technical analysis structure
- IOC documentation standards
- YARA rule creation (testing + validation)
- Remediation recommendations
- Quality assurance checklist
- Efficient workflow strategies
Key Features:
- Multi-audience writing guidance
- YARA rule best practices
- Common mistakes to avoid
- Section-by-section templates
- Professional formatting
Files:
malware-report-writer/
├── SKILL.md
├── assets/
│ └── report_template.md # Complete report structure
└── references/
└── best_practices.md # Writing standards & tips
Skill: malware-triage
- Calculate hashes for all samples
- Quick reputation lookups (VirusTotal, MalwareBazaar)
- Rapid classification
- Prioritize samples (High/Medium/Low)
- Document initial findings
Output: Triage reports for all samples, priority list
For Standard PE Executables:
Skill: malware-dynamic-analysis
- Setup isolated VM environment
- Configure monitoring tools (Procmon, Wireshark, Process Hacker)
- Execute malware
- Monitor behavior (15-60 minutes)
- Extract behavioral IOCs
- Collect artifacts
For Non-PE Files:
Skill: specialized-file-analyzer
- Identify file type (
filecommand) - Select appropriate analysis tool:
- .NET → dnSpy/ILSpy
- Office → oledump/olevba
- PDF → pdfid/pdf-parser
- Scripts → PSDecode/manual analysis
- ELF → readelf/strace
- Extract/deobfuscate content
- Document functionality
- Extract IOCs
Output: Technical analysis findings, behavioral IOCs, screenshots, PCAPs
Skill: detection-engineer
- Review all extracted IOCs
- Defang IOCs for documentation
- Assess IOC confidence levels
- Create Sigma rules for behavioral detection
- Create Suricata rules for network detection
- Generate hunting queries
- Test all rules
Output: Tested Sigma rules, Suricata rules, defanged IOC list, hunting queries
Skills: malware-report-writer + detection-engineer
-
Draft technical sections
- Sample information
- Static analysis findings
- Dynamic analysis observations
- Specialized file analysis results
-
Add detection content
- YARA rules (test against sample!)
- Sigma rules
- Suricata rules
- Defanged IOCs with confidence ratings
- Remediation recommendations
-
Write non-technical sections
- Executive summary
- Malware classification
- Conclusion
- Appendices
-
Quality assurance
- Run through quality checklist
- Test all detection rules
- Verify all hashes
- Grammar/spelling check
- Final formatting
Output: Professional malware analysis report (PDF)
User: "I need to analyze this suspicious .exe sample"
Workflow:
1. "Help me triage this sample" → malware-triage
- Calculates hashes
- Checks VirusTotal
- Analyzes PE structure
- Classifies as trojan/RAT
- Priority: High
2. "Guide me through dynamic analysis" → malware-dynamic-analysis
- Verifies VM isolation
- Sets up Procmon, Wireshark, Process Hacker
- Executes sample
- Monitors for 15 minutes
- Extracts behavioral IOCs
3. "Create detection rules for this malware" → detection-engineer
- Defangs all IOCs
- Creates Sigma rule for process injection
- Creates Suricata rule for C2 traffic
- Generates hunting queries
4. "Help me write the analysis report" → malware-report-writer
- Uses report template
- Structures all findings
- Creates YARA rule
- Reviews with quality checklist
User: "I have a suspicious Word document with macros"
Workflow:
1. "Help me triage this .docm file" → malware-triage
- Identifies Office document
- Checks VirusTotal
- Classifies as macro dropper
2. "Analyze the macros in this document" → specialized-file-analyzer
- Guides oledump.py usage
- Extracts VBA macro code
- Identifies AutoOpen function
- Deobfuscates strings
- Finds PowerShell download cradle
3. "Create detections for this macro malware" → detection-engineer
- Defangs URLs from macro
- Creates Sigma rule for macro execution
- Creates hunting query for similar documents
4. "Write the report" → malware-report-writer
- Documents macro analysis
- Includes sanitized macro code
- Creates YARA rule for document
User: "I have 10 samples to analyze, help me prioritize"
Workflow:
1. "Triage all 10 samples" → malware-triage (use 10 times)
- Quick triage (5-10 min each)
- Hash + VirusTotal for all
- Classifications recorded
- Priority assigned
2. Results:
- 3 High Priority (unknown/sophisticated)
- 5 Medium Priority (known variants)
- 2 Low Priority (common adware)
3. Strategy:
- Phase 1-2: Deep analysis on 3 high-priority samples
- Phase 2-3: Quick analysis on 5 medium-priority samples
- Document low-priority findings (note in report)
- ✅ Triage ALL samples first (prioritize effectively)
- ✅ Document as you analyze (don't leave for the end)
- ✅ Create detection rules during analysis (not as an afterthought)
- ✅ Test YARA rules immediately (avoid failures later)
- ❌ Don't spend excessive time on one sample (spread effort wisely)
- ✅ Better to deeply analyze 2-3 samples than shallowly analyze 10
- ✅ Focus on creating working detection rules
- ✅ Document methodology clearly
- ❌ Don't submit untested YARA/Sigma rules
- ✅ Triage skill for ALL samples (fast initial assessment)
- ✅ Dynamic analysis for unknowns (need behavioral data)
- ✅ Specialized file analyzer when needed (don't force PE analysis on docs)
- ✅ Detection engineer at the end (consolidate IOCs)
- ✅ Report writer continuously (update as you go)
- Use quick triage (5 min) for initial all-sample sweep
- Use standard triage (15 min) for high-priority samples
- Don't skip hash calculation (required for all samples)
- Document predicted behaviors (guides dynamic analysis)
- ALWAYS verify VM isolation before execution
- Start monitoring tools BEFORE executing malware
- Observe for minimum 15 minutes (some malware delays)
- Export ALL artifacts before reverting VM
- Take screenshots of unusual behavior
- File type first - use
filecommand to confirm - Right tool for format - don't use PE tools on Office docs
- Test deobfuscation output (ensure it makes sense)
- Save both obfuscated and deobfuscated versions
- Document deobfuscation methodology
- Always defang IOCs in reports (avoid accidental clicks)
- Test rules before documenting (must work!)
- Label IOC confidence (High/Medium/Low)
- Note IOC volatility (Static/Dynamic)
- Include false positive analysis
- Executive summary last (after understanding full scope)
- Test all YARA rules against sample AND clean files
- Use quality checklist before submission
- Grammar/spelling matters (professional appearance)
- Include all three hashes (MD5, SHA1, SHA256)
- TCM Security: Practical Malware Analysis & Triage (https://certifications.tcm-sec.com/pmrp/)
- SANS: FOR610, FOR710 malware analysis courses
- Open Security Training: Free malware analysis courses
- MalwareBazaar: https://bazaar.abuse.ch/
- VirusTotal: https://www.virustotal.com/
- Hybrid Analysis: https://www.hybrid-analysis.com/
- Sysinternals Suite: https://docs.microsoft.com/en-us/sysinternals/
- Wireshark: https://www.wireshark.org/docs/
- dnSpy: https://github.com/dnSpy/dnSpy
- Didier Stevens Tools: https://blog.didierstevens.com/programs/
- Sigma: https://github.com/SigmaHQ/sigma
- Suricata: https://docs.suricata.io/
- SANS Malware Analysis Cheat Sheet: https://www.sans.org/posters/
- MITRE ATT&CK: https://attack.mitre.org/
- MalAPI.io (Windows APIs): https://malapi.io/
Q: Do I need to use all 5 skills? A: No! Use skills based on your specific needs. Triage and report-writer are most common. Others are situational.
Q: Can I use these skills for real-world work? A: Absolutely! These skills are based on enterprise malware analysis standards and workflows.
Q: Which skill should I start with?
A: Use the root SKILL.md orchestrator — it handles routing automatically. Just describe what you need and it will guide you through the right sequence.
Q: How do I know if a file needs specialized-file-analyzer?
A: Run file sample.bin. If output shows: .NET assembly, Office document, PDF, script, or ELF → use specialized-file-analyzer.
Q: Are these skills suitable for professional work? A: Yes! These skills are based on industry-standard malware analysis workflows used by security professionals and incident responders.
Q: Can I modify skill prompts? A: Yes! Customize to fit your workflow and preferences.
Q: What if I encounter a file type not covered? A: Use the general principles from malware-triage and dynamic-analysis, then search for format-specific tools.
Before finalizing your analysis, verify:
Analysis Phase:
- All samples triaged (hashes, classification, priority)
- High-priority samples deeply analyzed (static + dynamic)
- Specialized files analyzed with appropriate tools
- All artifacts collected (PCAPs, screenshots, logs)
- Behavioral IOCs extracted
Detection Phase:
- All IOCs defanged properly
- IOC confidence levels assigned
- YARA rules created AND TESTED
- Sigma rules created and validated
- Suricata rules tested (if applicable)
- Hunting queries documented
Report Phase:
- Report uses professional template
- Executive summary written (non-technical)
- All technical sections complete
- All three hashes included for each sample
- Detection rules tested and working
- Grammar/spelling checked
- Quality checklist completed
- Ready for delivery!
| Your Question | Use This Skill |
|---|---|
| "What is this file?" | malware-triage |
| "How do I execute this safely?" | malware-dynamic-analysis |
| "How do I analyze this Word doc?" | specialized-file-analyzer |
| "How do I analyze this .NET exe?" | specialized-file-analyzer |
| "How do I analyze this PowerShell script?" | specialized-file-analyzer |
| "How do I create a Sigma rule?" | detection-engineer |
| "How do I defang IOCs?" | detection-engineer |
| "How do I write the report?" | malware-report-writer |
| "How do I create a YARA rule?" | malware-report-writer |
This toolkit covers the operational phases of malware analysis (triage through reporting), though it does not include deep static reverse engineering:
- ✅ 1 orchestrator + 5 specialized skills covering triage, dynamic analysis, detection, and reporting
- ✅ Structured workflows for each analysis phase
- ✅ Clear skill selection guidance (use the right tool for the job)
- ✅ Integration strategies between skills
- ✅ Industry best practices and time management
- ✅ Quality assurance checklists for professional deliverables
Upload the skills and start analyzing!
Built for security professionals, incident responders, and malware analysts. 🔐🎯
