Threat Hunting & IOC Sweeps (YARA / Velociraptor)

Community

Hunt IOCs fast with YARA and Velociraptor.

Author: rjonhaas
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Detects malicious files and behaviors by sweeping evidence and memory for known and hypothesized indicators, reducing time-to-find during DFIR triage.

Core Features & Use Cases

  • YARA rule authoring for IOC families: Structure rules with meta, strings/regex, and robust conditions for files and memory images.
  • High-signal scanning workflow: Scan single files, recursively scan mounted Windows evidence, and scan memory images for hits with optional match details.
  • Velociraptor hunt guidance: Deploy endpoint hunts from the web console using common hunting artifacts and YARA-based detection VQL patterns.
  • False-positive control: Compile rules, test against clean directories/known-good sets, and use scoping tactics to avoid noisy matches.

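The rule below is an added example of the structure the first and last bullets describe (meta, plain and wide strings, a regex, a hex pattern, and a scoped condition); it is not part of the SIFTics skill, and every indicator value in it is a constructed placeholder to be replaced with case-specific IOCs.

```yara
// Added example rule skeleton (not from the SIFTics skill). All string values
// and meta fields are constructed placeholders; substitute real case IOCs.
rule Example_Suspicious_Dropper_Skeleton
{
    meta:
        author      = "analyst (placeholder)"
        description = "Skeleton showing meta, strings, regex and a scoped condition"
        reference   = "CASE-ID-PLACEHOLDER"
        date        = "2024-01-01"   // placeholder
        confidence  = "medium"

    strings:
        // Plain ASCII indicator (constructed placeholder value)
        $s1 = "EXAMPLE_IOC_MARKER" ascii
        // The same indicator as it appears in UTF-16LE inside a Windows binary
        $s2 = "EXAMPLE_IOC_MARKER" wide
        // Regex for a constructed mutex-name pattern, matched case-insensitively
        $re1 = /Global\\example_mutex_[0-9a-f]{8}/ nocase
        // Hex pattern with one wildcard byte (constructed)
        $h1 = { 45 58 41 4D 50 4C 45 ?? 49 4F 43 }

    condition:
        // Scope to PE files under 5 MB: cuts false positives and scan time
        uint16(0) == 0x5A4D and filesize < 5MB and
        // Require corroborating hits rather than a single plain string
        ( 2 of ($s*, $re1) or $h1 )
}
```

The `uint16(0)` and `filesize` checks are appropriate for recursive sweeps of a mounted evidence directory; drop them when running the same strings over a memory image, where no file header or size is available. Compile with `yarac` and run the rule against a known-good directory before the live sweep; `yara -r -s` recurses and prints the matched strings for review.
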
Quick Start

In the case workspace, ask your analyst agent to generate YARA rules for the highest-confidence IOCs and scan the mounted Windows evidence directory with match-string output saved to ./exports/yara_hits/ for review.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: Threat Hunting & IOC Sweeps (YARA / Velociraptor)
Download link: https://github.com/rjonhaas/SIFTics/archive/main.zip#threat-hunting-ioc-sweeps-yara-velociraptor

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
