Use YARA against memory images to locate known malware, C2 frameworks, and custom IoCs. Covers rule selection, scoping (process vs whole image), false-positive control, and pivoting hits into structured findings.
Slash command: `/memory-forensics:yara-memory-hunting`
Maps to [MITRE ATT&CK T1059](https://attack.mitre.org/techniques/T1059/) (Command and Scripting Interpreter) and [T1027](https://attack.mitre.org/techniques/T1027/) (Obfuscated Files or Information) when classifying samples. For rule sources see Elastic [protections-artifacts](https://github.com/elastic/protections-artifacts), [YARA-Forge](https://yarahq.github.io/), and vendor reports.
| Goal | Scope | Rule style |
|---|---|---|
| "Is this process X?" | Single PID via `pid=N` | Specific, tight strings |
| "Where in the image does X live?" | Whole image | Broader, paired-condition rules |
| "Is there anything bad here at all?" | Whole image | Curated commodity-framework pack |
Whole-image scans are slow and noisy. Use them when you don't yet have a suspect, then narrow to PIDs.
For commodity C2 and known malware, start with community-maintained packs:
- Elastic protections-artifacts (the `yara/rules/` directory)

For custom IoCs derived from triage, write the rule inline — don't manage a file for a one-shot.
```python
volatility_yara_scan(image, rules_file="/path/to/rules.yar", pid=None)
```

or

```python
volatility_yara_scan(image, rules_inline="""
rule MyCustom {
    strings:
        $a = "CONFIG:"
    condition:
        $a
}
""", pid=1234)
```

Exactly one of `rules_file` / `rules_inline`. The `pid` filter dramatically speeds up scans when you have a suspect.
Each hit gives you: rule name, PID, process, virtual address, matching string(s). Triage each:

- Hits in `csrss`, `services`, `svchost`: elevated priority; system processes don't normally contain arbitrary strings

For each confirmed hit:

- `volatility_malfind --pid N` to see if the hit sits inside an injected region
- `volatility_dll_list --pid N` to see what module the offset maps into (if any)
- `volatility_dump_process --pid N --mode vad` and carve around the hit offset for offline triage

```yara
rule CS_Beacon_Config {
    strings:
        $magic = { 2E 2E 2E 2E ?? ?? 2E 2E 2E 2E } // XOR-key surrounded config
        $sleep = "Beacon_mask" ascii wide
        $post = "post-ex" ascii wide
    condition:
        2 of them
}
```
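The triage steps above turn a flat list of hits into per-process findings. The following Python is an added example, not part of the skill or of the Volatility MCP: it groups constructed hits by PID, scores each process (system processes high, as the note above says; the "medium" threshold of several rules or several distinct strings on one process is this example's own assumption), and attaches the three follow-up pivots so each finding carries the next commands to run. The `Hit` and `Finding` classes and the sample hits are constructed for the example.

```python
from dataclasses import dataclass, field

# Processes whose legitimate string set is tiny; a YARA hit in one of these
# gets elevated priority, as the triage notes above say.
SYSTEM_PROCESSES = {"csrss.exe", "lsass.exe", "services.exe", "svchost.exe"}


@dataclass
class Hit:
    """One raw YARA hit: rule name, PID, process, virtual address, matched string ids."""
    rule: str
    pid: int
    process: str
    address: int
    strings: list


@dataclass
class Finding:
    """All hits on one process, with a priority and the follow-up pivots to run."""
    pid: int
    process: str
    priority: str = "low"
    rules: list = field(default_factory=list)
    hits: list = field(default_factory=list)
    pivots: list = field(default_factory=list)


def priority_for(process, rules, distinct_strings):
    """System process: high. Several rules or several distinct strings on one
    process: medium (assumed threshold). A lone string in a user process: low."""
    if process.lower() in SYSTEM_PROCESSES:
        return "high"
    if len(rules) > 1 or distinct_strings >= 3:
        return "medium"
    return "low"


def pivots_for(pid):
    """The three follow-ups from the list above, in the order you would run them."""
    return [
        f"volatility_malfind --pid {pid}",
        f"volatility_dll_list --pid {pid}",
        f"volatility_dump_process --pid {pid} --mode vad",
    ]


def triage(hits):
    """Group raw hits by PID, score each process, return findings highest priority first."""
    findings = {}
    for h in hits:
        f = findings.setdefault(h.pid, Finding(pid=h.pid, process=h.process))
        f.hits.append(h)
        if h.rule not in f.rules:
            f.rules.append(h.rule)
    for f in findings.values():
        distinct = {s for h in f.hits for s in h.strings}
        f.priority = priority_for(f.process, f.rules, len(distinct))
        f.pivots = pivots_for(f.pid)
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings.values(), key=lambda f: (rank[f.priority], f.pid))


def rescan_pids(findings, at_least="medium"):
    """PIDs worth a narrowed pid=N rescan while iterating rules (the fast feedback loop)."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return [f.pid for f in findings if rank[f.priority] <= rank[at_least]]


# Constructed sample hits, not output from a real scan; the rule names are the
# ones defined on this page.
SAMPLE_HITS = [
    Hit("Injector_API_Resolution", 4412, "notepad.exe", 0x1A0000, ["$a1", "$a2", "$a3"]),
    Hit("Beacon_NamedPipe", 4412, "notepad.exe", 0x1A2000, ["$p2"]),
    Hit("FamilyX_Runtime_Strings", 688, "svchost.exe", 0x7FF600001000, ["$cmd1"]),
    Hit("FamilyX_Runtime_Strings", 9020, "chrome.exe", 0x2B000, ["$err"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HITS):
        print(f"{f.priority:6} pid={f.pid:<5} {f.process:12} rules={f.rules}")
        for p in f.pivots:
            print("        ", p)
```

Feeding the scan's hits through `triage` gives a ranked worklist; `rescan_pids` is the set to pass as `pid=N` when you tighten a rule and want fast feedback before widening to the whole image again.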
Decrypted strings appear in memory even if encrypted on disk. Target what only shows up after unpacking:
```yara
rule FamilyX_Runtime_Strings {
    strings:
        $cmd1 = "!@#run_payload@#!" ascii wide
        $cmd2 = "!@#beacon_check@#!" ascii wide
        $err = "FamX: failed to allocate" ascii wide
    condition:
        any of them
}
```
Malware that dynamically resolves APIs leaves the names in memory:
```yara
rule Injector_API_Resolution {
    strings:
        $a1 = "NtAllocateVirtualMemory"
        $a2 = "NtWriteVirtualMemory"
        $a3 = "NtCreateThreadEx"
        $a4 = "RtlAdjustPrivilege"
    condition:
        3 of them
}
```
Benign software rarely stores these as plaintext strings (they're in import tables, not data).
```yara
rule Beacon_NamedPipe {
    strings:
        $p1 = "\\\\.\\pipe\\msagent_" ascii wide
        $p2 = "\\\\.\\pipe\\postex_" ascii wide
        $p3 = "\\\\.\\pipe\\status_" ascii wide
    condition:
        any of them
}
```
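To make concrete what the runtime-string, API-resolution and named-pipe rules above actually test against process memory, here is an added Python example (not code from the skill, and not YARA itself) that re-implements just enough of YARA's matching: text strings under the `ascii`/`wide` modifiers, hex strings with `??` wildcards like the `$magic` string in `CS_Beacon_Config`, and an `N of them` condition. The rule dictionaries, the `widen` helper and the byte buffer are constructed for the example; the buffer is not a real capture. It shows why the `ascii wide` advice matters: `Injector_API_Resolution` has no modifiers, so an API name that sits in memory as UTF-16 is missed and the rule stays below its `3 of them` threshold until the strings are widened.

```python
import re


def byte_forms(text, mods):
    """Byte encodings a YARA text string with these modifiers would match.
    No modifier means ascii (YARA's default); 'wide' adds UTF-16LE, the form
    Windows keeps most strings in at runtime."""
    forms = []
    if "ascii" in mods or "wide" not in mods:
        forms.append(text.encode("ascii"))
    if "wide" in mods:
        forms.append(text.encode("utf-16-le"))
    return forms


def hex_pattern(spec):
    """Compile a YARA-style hex string ('2E 2E ?? 2E') into a bytes regex;
    '??' is a one-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def string_offsets(kind, value, mods, buf):
    """All offsets at which one rule string matches inside buf."""
    if kind == "hex":
        patterns = [hex_pattern(value)]
    else:
        patterns = [re.compile(re.escape(form)) for form in byte_forms(value, mods)]
    return sorted(m.start() for p in patterns for m in p.finditer(buf))


def evaluate(rule, buf):
    """Evaluate a rule whose condition is 'N of them'.
    Returns (fired, {string_id: [offsets]}) so hits can be pivoted on."""
    matched = {}
    for sid, (kind, value, mods) in rule["strings"].items():
        offs = string_offsets(kind, value, mods, buf)
        if offs:
            matched[sid] = offs
    return len(matched) >= rule["n_of_them"], matched


def widen(rule):
    """Return a copy of the rule with 'ascii wide' on every text string."""
    strings = {sid: (kind, value, () if kind == "hex" else ("ascii", "wide"))
               for sid, (kind, value, _mods) in rule["strings"].items()}
    return {"strings": strings, "n_of_them": rule["n_of_them"]}


# Injector_API_Resolution as data; it carries no modifiers, so it is ascii-only.
INJECTOR_API = {
    "strings": {
        "$a1": ("text", "NtAllocateVirtualMemory", ()),
        "$a2": ("text", "NtWriteVirtualMemory", ()),
        "$a3": ("text", "NtCreateThreadEx", ()),
        "$a4": ("text", "RtlAdjustPrivilege", ()),
    },
    "n_of_them": 3,
}

# Beacon_NamedPipe as data ('any of them' is '1 of them').
BEACON_PIPE = {
    "strings": {
        "$p1": ("text", "\\\\.\\pipe\\msagent_", ("ascii", "wide")),
        "$p2": ("text", "\\\\.\\pipe\\postex_", ("ascii", "wide")),
        "$p3": ("text", "\\\\.\\pipe\\status_", ("ascii", "wide")),
    },
    "n_of_them": 1,
}

# The $magic hex string from CS_Beacon_Config, on its own for the demo.
BEACON_MAGIC = {
    "strings": {"$magic": ("hex", "2E 2E 2E 2E ?? ?? 2E 2E 2E 2E", ())},
    "n_of_them": 1,
}

# Constructed stand-in for a dumped process region (not a real capture): one
# API name is present as UTF-16, the others as ascii, then a wide pipe name and
# a magic-like byte run whose wildcard bytes include a newline.
MEMORY = (
    b"\x00" * 16
    + b"NtWriteVirtualMemory\x00"
    + "NtAllocateVirtualMemory".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + b"NtCreateThreadEx\x00"
    + "\\\\.\\pipe\\postex_4412".encode("utf-16-le") + b"\x00\x00"
    + b"\x2e" * 4 + b"\xab\x0a" + b"\x2e" * 4
)

if __name__ == "__main__":
    for name, rule in (("ascii-only", INJECTOR_API), ("ascii wide", widen(INJECTOR_API))):
        fired, hits = evaluate(rule, MEMORY)
        print(f"Injector_API_Resolution [{name}]: fired={fired} strings={sorted(hits)}")
    print("Beacon_NamedPipe:", evaluate(BEACON_PIPE, MEMORY))
    print("CS_Beacon_Config $magic:", evaluate(BEACON_MAGIC, MEMORY))
```

Run as written, the ascii-only form of `Injector_API_Resolution` matches only `$a2` and `$a3` and does not fire; the widened copy also picks up the UTF-16 `$a1` and crosses the `3 of them` line. The offsets it returns are the virtual-address equivalents you would carve around after a `--mode vad` dump.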
- System processes (`lsass`, `services`, `svchost`) have a tiny legitimate string set; hits there are almost always real.
- Add `ascii wide` liberally.
- Pass a source `.yar` file, not a compiled `.yarc`.

Whole-image YARA is slow. The MCP defaults to 600s; raise `timeout` for larger images or heavy rule packs. When iterating rules, scope to `pid=N` first to get fast feedback, then widen.

Install: `npx claudepluginhub s3cr1z/capabilities --plugin memory-forensics`