yara-memory-hunting

Official

Find malware, C2, and IoCs in memory via YARA

Authordreadnode
Version1.0.0
Installs0

System Documentation

What problem does it solve?

Manually sifting through large memory images to identify malicious artifacts, malware families, and indicators of compromise is time-consuming and error-prone for digital forensics and incident response teams. This skill automates and streamlines that process using targeted YARA scanning.

Core Features & Use Cases

  • Scoped YARA Scanning: Run rules against full memory images or individual suspect processes to reduce noise and speed up analysis.
  • Rule Set Flexibility: Use community-maintained packs for commodity C2 and malware, or create custom inline rules for triage-derived indicators.
  • Pivot Workflow: Follow up confirmed hits with Volatility commands to analyze injected regions, mapped modules, and extract additional IoCs for further investigation. Use case: For example, if you identify a suspicious process during incident triage, use this skill to run a targeted YARA scan against that process's memory to confirm if it is a known Cobalt Strike beacon, then pivot to extract associated configuration and network indicators.

Quick Start

Use the yara-memory-hunting skill to scan the provided memory image for known C2 framework artifacts and triage any confirmed hits.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: yara-memory-hunting
Download link: https://github.com/dreadnode/capabilities/archive/main.zip#yara-memory-hunting

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.