yara-memory-hunting
OfficialFind malware, C2, and IoCs in memory via YARA
Data & Analytics#volatility#incident-response#ioc#memory-forensics#malware-detection#yara#cobalt-strike
Authordreadnode
Version1.0.0
Installs0
System Documentation
What problem does it solve?
Manually sifting through large memory images to identify malicious artifacts, malware families, and indicators of compromise is time-consuming and error-prone for digital forensics and incident response teams. This skill automates and streamlines that process using targeted YARA scanning.
Core Features & Use Cases
- Scoped YARA Scanning: Run rules against full memory images or individual suspect processes to reduce noise and speed up analysis.
- Rule Set Flexibility: Use community-maintained packs for commodity C2 and malware, or create custom inline rules for triage-derived indicators.
- Pivot Workflow: Follow up confirmed hits with Volatility commands to analyze injected regions, mapped modules, and extract additional IoCs for further investigation. Use case: For example, if you identify a suspicious process during incident triage, use this skill to run a targeted YARA scan against that process's memory to confirm if it is a known Cobalt Strike beacon, then pivot to extract associated configuration and network indicators.
Quick Start
Use the yara-memory-hunting skill to scan the provided memory image for known C2 framework artifacts and triage any confirmed hits.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: yara-memory-hunting Download link: https://github.com/dreadnode/capabilities/archive/main.zip#yara-memory-hunting Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.