@elizaos/skills 2.0.0-alpha.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +126 -0
- package/package.json +53 -0
- package/skills/1password/SKILL.md +70 -0
- package/skills/1password/references/cli-examples.md +29 -0
- package/skills/1password/references/get-started.md +17 -0
- package/skills/apple-notes/SKILL.md +77 -0
- package/skills/apple-reminders/SKILL.md +96 -0
- package/skills/bear-notes/SKILL.md +107 -0
- package/skills/bird/SKILL.md +224 -0
- package/skills/blogwatcher/SKILL.md +69 -0
- package/skills/blucli/SKILL.md +47 -0
- package/skills/bluebubbles/SKILL.md +131 -0
- package/skills/camsnap/SKILL.md +45 -0
- package/skills/canvas/SKILL.md +203 -0
- package/skills/clawhub/SKILL.md +77 -0
- package/skills/coding-agent/SKILL.md +284 -0
- package/skills/discord/SKILL.md +578 -0
- package/skills/eightctl/SKILL.md +50 -0
- package/skills/food-order/SKILL.md +48 -0
- package/skills/gemini/SKILL.md +43 -0
- package/skills/gifgrep/SKILL.md +79 -0
- package/skills/github/SKILL.md +77 -0
- package/skills/gog/SKILL.md +116 -0
- package/skills/goplaces/SKILL.md +52 -0
- package/skills/healthcheck/SKILL.md +245 -0
- package/skills/himalaya/SKILL.md +257 -0
- package/skills/himalaya/references/configuration.md +184 -0
- package/skills/himalaya/references/message-composition.md +199 -0
- package/skills/imsg/SKILL.md +74 -0
- package/skills/local-places/SERVER_README.md +101 -0
- package/skills/local-places/SKILL.md +102 -0
- package/skills/local-places/pyproject.toml +21 -0
- package/skills/local-places/src/local_places/__init__.py +2 -0
- package/skills/local-places/src/local_places/google_places.py +314 -0
- package/skills/local-places/src/local_places/main.py +65 -0
- package/skills/local-places/src/local_places/schemas.py +107 -0
- package/skills/mcporter/SKILL.md +61 -0
- package/skills/model-usage/SKILL.md +69 -0
- package/skills/model-usage/references/codexbar-cli.md +33 -0
- package/skills/model-usage/scripts/model_usage.py +310 -0
- package/skills/nano-banana-pro/SKILL.md +58 -0
- package/skills/nano-banana-pro/scripts/generate_image.py +184 -0
- package/skills/nano-pdf/SKILL.md +38 -0
- package/skills/notion/SKILL.md +172 -0
- package/skills/obsidian/SKILL.md +81 -0
- package/skills/openai-image-gen/SKILL.md +89 -0
- package/skills/openai-image-gen/scripts/gen.py +240 -0
- package/skills/openai-whisper/SKILL.md +38 -0
- package/skills/openai-whisper-api/SKILL.md +52 -0
- package/skills/openai-whisper-api/scripts/transcribe.sh +85 -0
- package/skills/openhue/SKILL.md +51 -0
- package/skills/oracle/SKILL.md +125 -0
- package/skills/ordercli/SKILL.md +78 -0
- package/skills/peekaboo/SKILL.md +190 -0
- package/skills/sag/SKILL.md +87 -0
- package/skills/security-ask-questions-if-underspecified/.claude-plugin/plugin.json +10 -0
- package/skills/security-ask-questions-if-underspecified/README.md +24 -0
- package/skills/security-ask-questions-if-underspecified/skills/ask-questions-if-underspecified/SKILL.md +85 -0
- package/skills/security-audit-context-building/.claude-plugin/plugin.json +10 -0
- package/skills/security-audit-context-building/README.md +58 -0
- package/skills/security-audit-context-building/commands/audit-context.md +21 -0
- package/skills/security-audit-context-building/skills/audit-context-building/SKILL.md +297 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/COMPLETENESS_CHECKLIST.md +47 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/FUNCTION_MICRO_ANALYSIS_EXAMPLE.md +355 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/OUTPUT_REQUIREMENTS.md +71 -0
- package/skills/security-building-secure-contracts/.claude-plugin/plugin.json +10 -0
- package/skills/security-building-secure-contracts/README.md +241 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/SKILL.md +284 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +405 -0
- package/skills/security-building-secure-contracts/skills/audit-prep-assistant/SKILL.md +409 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/SKILL.md +329 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +722 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/SKILL.md +218 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/ASSESSMENT_CRITERIA.md +355 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/EXAMPLE_REPORT.md +248 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/REPORT_FORMAT.md +33 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/SKILL.md +334 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +740 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/SKILL.md +252 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/ASSESSMENT_AREAS.md +329 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/DELIVERABLES.md +118 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/EXAMPLE_REPORT.md +298 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/SKILL.md +161 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/EXAMPLE_REPORT.md +279 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/WORKFLOW_STEPS.md +132 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/SKILL.md +389 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +669 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/SKILL.md +298 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +791 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/SKILL.md +362 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/ASSESSMENT_CATEGORIES.md +571 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/REPORT_TEMPLATES.md +141 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/SKILL.md +388 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +595 -0
- package/skills/security-burpsuite-project-parser/.claude-plugin/plugin.json +10 -0
- package/skills/security-burpsuite-project-parser/README.md +103 -0
- package/skills/security-burpsuite-project-parser/commands/burp-search.md +18 -0
- package/skills/security-burpsuite-project-parser/skills/SKILL.md +358 -0
- package/skills/security-burpsuite-project-parser/skills/scripts/burp-search.sh +99 -0
- package/skills/security-claude-in-chrome-troubleshooting/.claude-plugin/plugin.json +8 -0
- package/skills/security-claude-in-chrome-troubleshooting/README.md +31 -0
- package/skills/security-claude-in-chrome-troubleshooting/skills/claude-in-chrome-troubleshooting/SKILL.md +251 -0
- package/skills/security-constant-time-analysis/.claude-plugin/plugin.json +9 -0
- package/skills/security-constant-time-analysis/README.md +381 -0
- package/skills/security-constant-time-analysis/commands/ct-check.md +20 -0
- package/skills/security-constant-time-analysis/ct_analyzer/__init__.py +49 -0
- package/skills/security-constant-time-analysis/ct_analyzer/analyzer.py +1284 -0
- package/skills/security-constant-time-analysis/ct_analyzer/script_analyzers.py +3081 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/__init__.py +1 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_analyzer.py +1397 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/bn_excerpt.js +205 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_constant_time.c +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.c +74 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.go +78 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.rs +92 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.cs +174 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.java +161 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.kt +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.php +140 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.py +252 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.rb +188 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.swift +199 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.ts +154 -0
- package/skills/security-constant-time-analysis/pyproject.toml +52 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/README.md +90 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/SKILL.md +219 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/compiled.md +129 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/javascript.md +136 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/kotlin.md +252 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/php.md +172 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/python.md +179 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/ruby.md +198 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/swift.md +288 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/vm-compiled.md +354 -0
- package/skills/security-constant-time-analysis/uv.lock +8 -0
- package/skills/security-culture-index/.claude-plugin/plugin.json +8 -0
- package/skills/security-culture-index/README.md +79 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/SKILL.md +293 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/anti-patterns.md +255 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/conversation-starters.md +408 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/interview-trait-signals.md +253 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/motivators.md +158 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/patterns-archetypes.md +147 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/primary-traits.md +307 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/secondary-traits.md +228 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/team-composition.md +148 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/check_deps.py +108 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/__init__.py +20 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/constants.py +122 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/extract.py +187 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/models.py +16 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/opencv_extractor.py +520 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/extract_pdf.py +237 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/pyproject.toml +18 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/burnout-report.md +113 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/comparison-report.md +103 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/hiring-profile.md +127 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/individual-report.md +85 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/predicted-profile.md +165 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/team-report.md +109 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/analyze-team.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/coach-manager.md +267 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/compare-profiles.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/define-hiring-profile.md +220 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/detect-burnout.md +206 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/extract-from-pdf.md +121 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interpret-individual.md +183 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interview-debrief.md +234 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/mediate-conflict.md +306 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/plan-onboarding.md +322 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/predict-from-interview.md +250 -0
- package/skills/security-differential-review/.claude-plugin/plugin.json +10 -0
- package/skills/security-differential-review/README.md +109 -0
- package/skills/security-differential-review/commands/diff-review.md +21 -0
- package/skills/security-differential-review/skills/differential-review/SKILL.md +220 -0
- package/skills/security-differential-review/skills/differential-review/adversarial.md +203 -0
- package/skills/security-differential-review/skills/differential-review/methodology.md +234 -0
- package/skills/security-differential-review/skills/differential-review/patterns.md +300 -0
- package/skills/security-differential-review/skills/differential-review/reporting.md +369 -0
- package/skills/security-dwarf-expert/.claude-plugin/plugin.json +10 -0
- package/skills/security-dwarf-expert/README.md +38 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/SKILL.md +93 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/coding.md +31 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/dwarfdump.md +50 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/readelf.md +8 -0
- package/skills/security-entry-point-analyzer/.claude-plugin/plugin.json +10 -0
- package/skills/security-entry-point-analyzer/README.md +74 -0
- package/skills/security-entry-point-analyzer/commands/entry-points.md +18 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/SKILL.md +251 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/cosmwasm.md +182 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-aptos.md +107 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-sui.md +87 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solana.md +155 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solidity.md +135 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/ton.md +185 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/vyper.md +141 -0
- package/skills/security-firebase-apk-scanner/.claude-plugin/plugin.json +10 -0
- package/skills/security-firebase-apk-scanner/README.md +85 -0
- package/skills/security-firebase-apk-scanner/commands/scan-apk.md +18 -0
- package/skills/security-firebase-apk-scanner/scanner.sh +1408 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/SKILL.md +197 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/references/vulnerabilities.md +803 -0
- package/skills/security-fix-review/.claude-plugin/plugin.json +13 -0
- package/skills/security-fix-review/README.md +118 -0
- package/skills/security-fix-review/commands/fix-review.md +24 -0
- package/skills/security-fix-review/skills/fix-review/SKILL.md +264 -0
- package/skills/security-fix-review/skills/fix-review/references/bug-detection.md +408 -0
- package/skills/security-fix-review/skills/fix-review/references/finding-matching.md +298 -0
- package/skills/security-fix-review/skills/fix-review/references/report-parsing.md +398 -0
- package/skills/security-insecure-defaults/.claude-plugin/plugin.json +10 -0
- package/skills/security-insecure-defaults/README.md +45 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/SKILL.md +117 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/references/examples.md +409 -0
- package/skills/security-modern-python/.claude-plugin/plugin.json +10 -0
- package/skills/security-modern-python/README.md +58 -0
- package/skills/security-modern-python/hooks/hooks.json +16 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.bats +388 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.sh +109 -0
- package/skills/security-modern-python/hooks/test_helper.bash +75 -0
- package/skills/security-modern-python/skills/modern-python/SKILL.md +333 -0
- package/skills/security-modern-python/skills/modern-python/references/dependabot.md +43 -0
- package/skills/security-modern-python/skills/modern-python/references/migration-checklist.md +141 -0
- package/skills/security-modern-python/skills/modern-python/references/pep723-scripts.md +259 -0
- package/skills/security-modern-python/skills/modern-python/references/prek.md +211 -0
- package/skills/security-modern-python/skills/modern-python/references/pyproject.md +254 -0
- package/skills/security-modern-python/skills/modern-python/references/ruff-config.md +240 -0
- package/skills/security-modern-python/skills/modern-python/references/security-setup.md +255 -0
- package/skills/security-modern-python/skills/modern-python/references/testing.md +284 -0
- package/skills/security-modern-python/skills/modern-python/references/uv-commands.md +200 -0
- package/skills/security-modern-python/skills/modern-python/templates/dependabot.yml +36 -0
- package/skills/security-modern-python/skills/modern-python/templates/pre-commit-config.yaml +66 -0
- package/skills/security-property-based-testing/.claude-plugin/plugin.json +9 -0
- package/skills/security-property-based-testing/README.md +47 -0
- package/skills/security-property-based-testing/skills/property-based-testing/README.md +88 -0
- package/skills/security-property-based-testing/skills/property-based-testing/SKILL.md +109 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/design.md +191 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/generating.md +200 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/libraries.md +130 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/refactoring.md +181 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/reviewing.md +209 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/strategies.md +124 -0
- package/skills/semgrep-rule-creator/.claude-plugin/plugin.json +8 -0
- package/skills/semgrep-rule-creator/README.md +43 -0
- package/skills/semgrep-rule-creator/commands/semgrep-rule.md +26 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/SKILL.md +168 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/quick-reference.md +203 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/workflow.md +240 -0
- package/skills/semgrep-rule-variant-creator/.claude-plugin/plugin.json +9 -0
- package/skills/semgrep-rule-variant-creator/README.md +86 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
- package/skills/session-logs/SKILL.md +115 -0
- package/skills/sharp-edges/.claude-plugin/plugin.json +10 -0
- package/skills/sharp-edges/README.md +48 -0
- package/skills/sharp-edges/skills/sharp-edges/SKILL.md +292 -0
- package/skills/sharp-edges/skills/sharp-edges/references/auth-patterns.md +252 -0
- package/skills/sharp-edges/skills/sharp-edges/references/case-studies.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/config-patterns.md +333 -0
- package/skills/sharp-edges/skills/sharp-edges/references/crypto-apis.md +190 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-c.md +205 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-csharp.md +285 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-go.md +270 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-java.md +263 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-javascript.md +269 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-kotlin.md +265 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-php.md +245 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-python.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-ruby.md +273 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-rust.md +272 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-swift.md +287 -0
- package/skills/sharp-edges/skills/sharp-edges/references/language-specific.md +588 -0
- package/skills/sherpa-onnx-tts/SKILL.md +103 -0
- package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +178 -0
- package/skills/skill-creator/SKILL.md +370 -0
- package/skills/skill-creator/license.txt +202 -0
- package/skills/skill-creator/scripts/init_skill.py +378 -0
- package/skills/skill-creator/scripts/package_skill.py +111 -0
- package/skills/skill-creator/scripts/quick_validate.py +101 -0
- package/skills/slack/SKILL.md +144 -0
- package/skills/songsee/SKILL.md +49 -0
- package/skills/sonoscli/SKILL.md +46 -0
- package/skills/spec-to-code-compliance/.claude-plugin/plugin.json +10 -0
- package/skills/spec-to-code-compliance/README.md +67 -0
- package/skills/spec-to-code-compliance/commands/spec-compliance.md +22 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md +349 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
- package/skills/spotify-player/SKILL.md +64 -0
- package/skills/static-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/static-analysis/README.md +59 -0
- package/skills/static-analysis/skills/codeql/SKILL.md +315 -0
- package/skills/static-analysis/skills/sarif-parsing/SKILL.md +479 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/jq-queries.md +162 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
- package/skills/static-analysis/skills/semgrep/SKILL.md +337 -0
- package/skills/summarize/SKILL.md +87 -0
- package/skills/testing-handbook-skills/.claude-plugin/plugin.json +8 -0
- package/skills/testing-handbook-skills/README.md +241 -0
- package/skills/testing-handbook-skills/scripts/pyproject.toml +8 -0
- package/skills/testing-handbook-skills/scripts/validate-skills.py +657 -0
- package/skills/testing-handbook-skills/skills/address-sanitizer/SKILL.md +341 -0
- package/skills/testing-handbook-skills/skills/aflpp/SKILL.md +640 -0
- package/skills/testing-handbook-skills/skills/atheris/SKILL.md +515 -0
- package/skills/testing-handbook-skills/skills/cargo-fuzz/SKILL.md +454 -0
- package/skills/testing-handbook-skills/skills/codeql/SKILL.md +549 -0
- package/skills/testing-handbook-skills/skills/constant-time-testing/SKILL.md +507 -0
- package/skills/testing-handbook-skills/skills/coverage-analysis/SKILL.md +607 -0
- package/skills/testing-handbook-skills/skills/fuzzing-dictionary/SKILL.md +297 -0
- package/skills/testing-handbook-skills/skills/fuzzing-obstacles/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/harness-writing/SKILL.md +614 -0
- package/skills/testing-handbook-skills/skills/libafl/SKILL.md +625 -0
- package/skills/testing-handbook-skills/skills/libfuzzer/SKILL.md +795 -0
- package/skills/testing-handbook-skills/skills/ossfuzz/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/ruzzy/SKILL.md +443 -0
- package/skills/testing-handbook-skills/skills/semgrep/SKILL.md +601 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/SKILL.md +372 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/agent-prompt.md +280 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/discovery.md +452 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/domain-skill.md +504 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/fuzzer-skill.md +454 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/technique-skill.md +527 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/tool-skill.md +366 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/testing.md +482 -0
- package/skills/testing-handbook-skills/skills/wycheproof/SKILL.md +533 -0
- package/skills/things-mac/SKILL.md +86 -0
- package/skills/tmux/SKILL.md +135 -0
- package/skills/tmux/scripts/find-sessions.sh +112 -0
- package/skills/tmux/scripts/wait-for-text.sh +83 -0
- package/skills/trello/SKILL.md +95 -0
- package/skills/variant-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/variant-analysis/README.md +41 -0
- package/skills/variant-analysis/commands/variants.md +23 -0
- package/skills/variant-analysis/skills/variant-analysis/METHODOLOGY.md +327 -0
- package/skills/variant-analysis/skills/variant-analysis/SKILL.md +142 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/go.ql +69 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/java.ql +71 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/python.ql +80 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/variant-report-template.md +75 -0
- package/skills/video-frames/SKILL.md +46 -0
- package/skills/video-frames/scripts/frame.sh +81 -0
- package/skills/voice-call/SKILL.md +45 -0
- package/skills/wacli/SKILL.md +72 -0
- package/skills/weather/SKILL.md +54 -0
- package/skills/yara-authoring/.claude-plugin/plugin.json +9 -0
- package/skills/yara-authoring/README.md +131 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/SKILL.md +645 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Mac_ProtonRAT_Jan25.yar +99 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_NPM_SupplyChain_Jan25.yar +170 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Win_Remcos_Jan25.yar +103 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_CRX_SuspiciousPermissions.yar +134 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_JS_Obfuscation_Jan25.yar +185 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/crx-module.md +214 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/dex-module.md +383 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/performance.md +333 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/strings.md +433 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/style-guide.md +257 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/testing.md +399 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/atom_analyzer.py +526 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/pyproject.toml +25 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/yara_lint.py +631 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/workflows/rule-development.md +493 -0
@@ -0,0 +1,493 @@
|
|
|
1
|
+
# YARA Rule Development Workflow
|
|
2
|
+
|
|
3
|
+
This guide walks through the complete process of developing a production-quality YARA-X rule, from sample collection to deployment.
|
|
4
|
+
|
|
5
|
+
## Overview
|
|
6
|
+
|
|
7
|
+
```
|
|
8
|
+
┌─────────────────┐
|
|
9
|
+
│ Sample Collection│
|
|
10
|
+
└────────┬────────┘
|
|
11
|
+
▼
|
|
12
|
+
┌─────────────────┐
|
|
13
|
+
│ String Extraction│
|
|
14
|
+
└────────┬────────┘
|
|
15
|
+
▼
|
|
16
|
+
┌─────────────────┐
|
|
17
|
+
│ Rule Writing │
|
|
18
|
+
└────────┬────────┘
|
|
19
|
+
▼
|
|
20
|
+
┌─────────────────┐
|
|
21
|
+
│ Validation │
|
|
22
|
+
└────────┬────────┘
|
|
23
|
+
▼
|
|
24
|
+
┌─────────────────┐
|
|
25
|
+
│ Goodware Testing │
|
|
26
|
+
└────────┬────────┘
|
|
27
|
+
▼
|
|
28
|
+
┌─────────────────┐
|
|
29
|
+
│ Deployment │
|
|
30
|
+
└─────────────────┘
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
---
|
|
34
|
+
|
|
35
|
+
## Phase 1: Sample Collection
|
|
36
|
+
|
|
37
|
+
### Minimum Requirements
|
|
38
|
+
|
|
39
|
+
| Sample Count | Confidence Level | Recommended For |
|
|
40
|
+
|--------------|------------------|-----------------|
|
|
41
|
+
| 1 sample | Low (fragile rule) | Urgent threat, will refine later |
|
|
42
|
+
| 3-5 samples | Medium | Standard detection |
|
|
43
|
+
| 10+ samples | High | Stable, long-term rule |
|
|
44
|
+
|
|
45
|
+
**Single-sample rules are brittle.** The malware author changes one string and your rule is useless.
|
|
46
|
+
|
|
47
|
+
### Gathering Variants
|
|
48
|
+
|
|
49
|
+
1. **Hash pivot** — Search VT for related hashes (imphash, ssdeep, TLSH)
|
|
50
|
+
2. **Behavior pivot** — Search for samples with same C2, mutex, or dropped files
|
|
51
|
+
3. **Infrastructure pivot** — Samples communicating with related domains/IPs
|
|
52
|
+
4. **Time pivot** — Samples submitted around the same campaign window
|
|
53
|
+
|
|
54
|
+
### Packed vs. Unpacked
|
|
55
|
+
|
|
56
|
+
**Check before proceeding:**
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
# Check entropy
|
|
60
|
+
yr dump -m math sample.exe --output-format yaml | grep entropy
|
|
61
|
+
|
|
62
|
+
# Check strings count
|
|
63
|
+
strings sample.exe | wc -l
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
| Indicator | Likely Packed | Action |
|
|
67
|
+
|-----------|---------------|--------|
|
|
68
|
+
| Entropy > 7.0 | Yes | Unpack first or detect packer |
|
|
69
|
+
| < 50 readable strings | Probably | Unpack first |
|
|
70
|
+
| UPX/MPRESS signatures | Yes | Unpack with `upx -d` |
|
|
71
|
+
|
|
72
|
+
**Expert rule:** Don't write string-based rules against packed samples. Either unpack first or write a rule targeting the packer itself.
|
|
73
|
+
|
|
74
|
+
### Using yr dump for File Analysis
|
|
75
|
+
|
|
76
|
+
Before writing rules, inspect the sample's structure with YARA-X's native `yr dump`:
|
|
77
|
+
|
|
78
|
+
```bash
|
|
79
|
+
# Inspect PE structure (imports, exports, sections, resources)
|
|
80
|
+
yr dump -m pe sample.exe --output-format yaml
|
|
81
|
+
|
|
82
|
+
# Check entropy (indicates packing)
|
|
83
|
+
yr dump -m math sample.exe --output-format yaml | grep entropy
|
|
84
|
+
|
|
85
|
+
# For Chrome extensions
|
|
86
|
+
yr dump -m crx extension.crx --output-format yaml
|
|
87
|
+
|
|
88
|
+
# For Android apps
|
|
89
|
+
yr dump -m dex classes.dex --output-format yaml
|
|
90
|
+
```
|
|
91
|
+
|
|
92
|
+
`yr dump` shows exactly what YARA-X modules can see. Use this to:
|
|
93
|
+
- Understand available fields before writing conditions
|
|
94
|
+
- Debug why module conditions aren't matching
|
|
95
|
+
- Find unique structural indicators when strings fail
|
|
96
|
+
|
|
97
|
+
---
|
|
98
|
+
|
|
99
|
+
## Phase 2: String Extraction
|
|
100
|
+
|
|
101
|
+
### Using yarGen
|
|
102
|
+
|
|
103
|
+
yarGen extracts candidate strings but generates legacy YARA syntax. Always validate output for YARA-X compatibility.
|
|
104
|
+
|
|
105
|
+
```bash
|
|
106
|
+
# Basic extraction
|
|
107
|
+
python yarGen.py -m samples/ --excludegood -o candidate_rule.yar
|
|
108
|
+
|
|
109
|
+
# Recommended flags
|
|
110
|
+
python yarGen.py -m samples/ \
|
|
111
|
+
--excludegood \ # Filter against known goodware strings
|
|
112
|
+
-g /path/to/good/files \ # Add custom goodware
|
|
113
|
+
--nosimple \ # Exclude simple strings
|
|
114
|
+
--nomagic \ # Don't add magic header checks (do manually)
|
|
115
|
+
-o candidate_rule.yar
|
|
116
|
+
|
|
117
|
+
# CRITICAL: Validate for YARA-X compatibility
|
|
118
|
+
yr check candidate_rule.yar
|
|
119
|
+
yr fmt -w candidate_rule.yar # Apply YARA-X formatting
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
**Common yarGen → YARA-X fixes:**
|
|
123
|
+
- Escape literal `{` in regex: `/{/` → `/\{/`
|
|
124
|
+
- Fix invalid escapes: `\R` → `\\R` or `R`
|
|
125
|
+
- Remove duplicate modifiers
|
|
126
|
+
|
|
127
|
+
### FLOSS for Packed/Obfuscated Samples
|
|
128
|
+
|
|
129
|
+
When yarGen returns only API names or the sample appears packed, use FLOSS:
|
|
130
|
+
|
|
131
|
+
```bash
|
|
132
|
+
# Extract all string types (static, stack, tight, decoded)
|
|
133
|
+
floss sample.exe -o strings.txt
|
|
134
|
+
|
|
135
|
+
# Quick extraction (faster, less thorough)
|
|
136
|
+
floss --only static sample.exe
|
|
137
|
+
|
|
138
|
+
# For Go/Rust binaries (special handling)
|
|
139
|
+
floss --only go sample.exe
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
FLOSS extracts:
|
|
143
|
+
- **Static strings** — Same as `strings` command
|
|
144
|
+
- **Stack strings** — Built character-by-character at runtime
|
|
145
|
+
- **Tight strings** — Small decoding loops
|
|
146
|
+
- **Decoded strings** — From common encoding routines
|
|
147
|
+
|
|
148
|
+
**Expert tip:** Stack strings are often the most unique indicators. If FLOSS finds them, prioritize those over static strings.
|
|
149
|
+
|
|
150
|
+
```bash
|
|
151
|
+
# Look for unique patterns in FLOSS output
|
|
152
|
+
sort strings.txt | uniq -c | sort -rn | head -50
|
|
153
|
+
```
|
|
154
|
+
|
|
155
|
+
### Filtering Criteria
|
|
156
|
+
|
|
157
|
+
**Reject 80% of yarGen output.** Apply these filters:
|
|
158
|
+
|
|
159
|
+
| Category | Reject | Reason |
|
|
160
|
+
|----------|--------|--------|
|
|
161
|
+
| API names | `VirtualAlloc`, `CreateRemoteThread` | Present in legitimate software |
|
|
162
|
+
| Common paths | `C:\Windows\`, `%TEMP%` | Too generic |
|
|
163
|
+
| Format strings | `%s`, `%d\n`, `Error: %s` | Present everywhere |
|
|
164
|
+
| Single words | `config`, `data`, `error` | Not specific enough |
|
|
165
|
+
| Short strings | < 4 bytes | Poor atom quality |
|
|
166
|
+
|
|
167
|
+
| Category | Keep | Reason |
|
|
168
|
+
|----------|------|--------|
|
|
169
|
+
| Mutex names | `Global\\MyMutex123` | Unique to family |
|
|
170
|
+
| PDB paths | `C:\Users\dev\project\x.pdb` | Reveals dev environment |
|
|
171
|
+
| C2 paths | `/api/beacon.php` | Specific to campaign |
|
|
172
|
+
| Stack strings | Built char-by-char | Unique patterns |
|
|
173
|
+
| Error messages | Custom error text | Not library errors |
|
|
174
|
+
| Config markers | `[CONFIG_START]` | Family-specific format |
|
|
175
|
+
|
|
176
|
+
---
|
|
177
|
+
|
|
178
|
+
## Phase 3: Rule Writing
|
|
179
|
+
|
|
180
|
+
### Template
|
|
181
|
+
|
|
182
|
+
```yara
|
|
183
|
+
rule {CATEGORY}_{PLATFORM}_{FAMILY}_{VARIANT}_{DATE}
|
|
184
|
+
{
|
|
185
|
+
meta:
|
|
186
|
+
description = "Detects {WHAT} via {HOW}"
|
|
187
|
+
author = "Your Name <email@example.com>"
|
|
188
|
+
reference = "{URL to analysis or report}"
|
|
189
|
+
date = "{YYYY-MM-DD}"
|
|
190
|
+
modified = "{YYYY-MM-DD}"
|
|
191
|
+
hash = "{sample hash for reference}"
|
|
192
|
+
score = {confidence 0-100}
|
|
193
|
+
|
|
194
|
+
strings:
|
|
195
|
+
// Group 1: High-confidence unique indicators
|
|
196
|
+
$unique_mutex = "Global\\UniqueString123" ascii wide
|
|
197
|
+
$unique_pdb = "C:\\Dev\\Malware\\Release\\loader.pdb" ascii
|
|
198
|
+
|
|
199
|
+
// Group 2: Behavioral patterns (hex for specificity)
|
|
200
|
+
$decrypt_routine = { 8B 45 ?? 33 C1 C1 C0 0D }
|
|
201
|
+
|
|
202
|
+
// Group 3: Configuration/C2 patterns
|
|
203
|
+
$c2_path = "/api/v1/beacon" ascii
|
|
204
|
+
|
|
205
|
+
// Exclusions for known FPs (if needed)
|
|
206
|
+
$fp_legitimate = "Legitimate Vendor Inc" ascii
|
|
207
|
+
|
|
208
|
+
condition:
|
|
209
|
+
// 1. Cheap filters first
|
|
210
|
+
filesize < 5MB and
|
|
211
|
+
uint16(0) == 0x5A4D and
|
|
212
|
+
|
|
213
|
+
// 2. String matching logic
|
|
214
|
+
(
|
|
215
|
+
$unique_mutex or // Definitive alone
|
|
216
|
+
($unique_pdb and $c2_path) or // Two medium = high
|
|
217
|
+
(2 of ($decrypt_*, $c2_*)) // Behavioral combo
|
|
218
|
+
) and
|
|
219
|
+
|
|
220
|
+
// 3. Exclusions last
|
|
221
|
+
not $fp_legitimate
|
|
222
|
+
}
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
### Metadata Checklist
|
|
226
|
+
|
|
227
|
+
- [ ] `description` starts with "Detects" and explains what AND how
|
|
228
|
+
- [ ] `author` includes contact info
|
|
229
|
+
- [ ] `reference` links to analysis (not just "internal")
|
|
230
|
+
- [ ] `date` in YYYY-MM-DD format
|
|
231
|
+
- [ ] `hash` of at least one sample
|
|
232
|
+
- [ ] `score` reflects confidence (< 50 suspicious, 50-75 likely, > 75 confirmed malware)
|
|
233
|
+
|
|
234
|
+
### Condition Ordering
|
|
235
|
+
|
|
236
|
+
**Order by cost:**
|
|
237
|
+
|
|
238
|
+
1. `filesize < X` — Instant
|
|
239
|
+
2. `uint16(0) == 0x5A4D` — Near-instant
|
|
240
|
+
3. String matches — Cheap with good atoms
|
|
241
|
+
4. `for` loops — Medium cost
|
|
242
|
+
5. Module calls — More expensive
|
|
243
|
+
6. Regex patterns — Most expensive
|
|
244
|
+
|
|
245
|
+
**Bad:**
|
|
246
|
+
```yara
|
|
247
|
+
condition:
|
|
248
|
+
pe.imports("kernel32.dll", "VirtualAlloc") and
|
|
249
|
+
$mutex and
|
|
250
|
+
filesize < 5MB
|
|
251
|
+
```
|
|
252
|
+
|
|
253
|
+
**Good:**
|
|
254
|
+
```yara
|
|
255
|
+
condition:
|
|
256
|
+
filesize < 5MB and
|
|
257
|
+
uint16(0) == 0x5A4D and
|
|
258
|
+
$mutex and
|
|
259
|
+
pe.imports("kernel32.dll", "VirtualAlloc")
|
|
260
|
+
```
|
|
261
|
+
|
|
262
|
+
---
|
|
263
|
+
|
|
264
|
+
## Phase 4: Validation
|
|
265
|
+
|
|
266
|
+
### Syntax Check
|
|
267
|
+
|
|
268
|
+
```bash
|
|
269
|
+
# Validate syntax
|
|
270
|
+
yr check rule.yar
|
|
271
|
+
|
|
272
|
+
# Validate entire directory
|
|
273
|
+
yr check rules/
|
|
274
|
+
|
|
275
|
+
# If migrating from legacy YARA, identify issues first
|
|
276
|
+
yr check --relaxed-re-syntax rule.yar
|
|
277
|
+
# Then fix each issue and validate without relaxed mode
|
|
278
|
+
```
|
|
279
|
+
|
|
280
|
+
### Format Consistency
|
|
281
|
+
|
|
282
|
+
```bash
|
|
283
|
+
# Check formatting
|
|
284
|
+
yr fmt --check rule.yar
|
|
285
|
+
|
|
286
|
+
# Auto-format
|
|
287
|
+
yr fmt -w rule.yar
|
|
288
|
+
```
|
|
289
|
+
|
|
290
|
+
### Linter Check
|
|
291
|
+
|
|
292
|
+
```bash
|
|
293
|
+
# Run the skill's linter
|
|
294
|
+
uv run {baseDir}/scripts/yara_lint.py rule.yar
|
|
295
|
+
```
|
|
296
|
+
|
|
297
|
+
**All three must pass before proceeding.**
|
|
298
|
+
|
|
299
|
+
### Positive Testing
|
|
300
|
+
|
|
301
|
+
```bash
|
|
302
|
+
# Should match all samples
|
|
303
|
+
yr scan rule.yar samples/
|
|
304
|
+
|
|
305
|
+
# With matched strings shown
|
|
306
|
+
yr scan -s rule.yar samples/
|
|
307
|
+
```
|
|
308
|
+
|
|
309
|
+
**Expected:** All target samples match.
|
|
310
|
+
|
|
311
|
+
**If samples don't match:**
|
|
312
|
+
- Strings too specific → Use wildcards or alternatives
|
|
313
|
+
- Condition too strict → Relax grouping
|
|
314
|
+
- Packed variants → Create separate unpacked rule
|
|
315
|
+
|
|
316
|
+
---
|
|
317
|
+
|
|
318
|
+
## Phase 5: Goodware Testing
|
|
319
|
+
|
|
320
|
+
### Corpus Selection
|
|
321
|
+
|
|
322
|
+
| Target Platform | Recommended Corpus |
|
|
323
|
+
|-----------------|-------------------|
|
|
324
|
+
| Windows PE | Chrome, Firefox, Adobe Reader, Office, Python |
|
|
325
|
+
| JavaScript | lodash, react, express, webpack |
|
|
326
|
+
| npm packages | Top 100 by downloads + postinstall packages |
|
|
327
|
+
| Chrome extensions | Top 50 Web Store extensions |
|
|
328
|
+
| Android APK | Top 20 Play Store apps |
|
|
329
|
+
|
|
330
|
+
### Local Testing
|
|
331
|
+
|
|
332
|
+
```bash
|
|
333
|
+
# Should return zero matches
|
|
334
|
+
yr scan rule.yar /path/to/goodware/
|
|
335
|
+
|
|
336
|
+
# Count matches
|
|
337
|
+
yr scan -c rule.yar /path/to/goodware/
|
|
338
|
+
```
|
|
339
|
+
|
|
340
|
+
### VirusTotal Retrohunt (Recommended)
|
|
341
|
+
|
|
342
|
+
1. Upload rule to [VT Intelligence](https://www.virustotal.com/gui/hunting)
|
|
343
|
+
2. Select "Goodware" corpus
|
|
344
|
+
3. Run retrohunt
|
|
345
|
+
4. Review every match — each is a potential FP
|
|
346
|
+
|
|
347
|
+
### Interpreting Results
|
|
348
|
+
|
|
349
|
+
| Goodware Matches | Assessment | Action |
|
|
350
|
+
|------------------|------------|--------|
|
|
351
|
+
| 0 | Excellent | Proceed to deployment |
|
|
352
|
+
| 1-2 | Investigate | Check if legitimate FP, add exclusion or tighten |
|
|
353
|
+
| 3-5 | Too broad | Find different indicators |
|
|
354
|
+
| 6+ | Broken | Start over |
|
|
355
|
+
|
|
356
|
+
### FP Investigation
|
|
357
|
+
|
|
358
|
+
```bash
|
|
359
|
+
# See which string matched
|
|
360
|
+
yr scan -s rule.yar false_positive.exe
|
|
361
|
+
```
|
|
362
|
+
|
|
363
|
+
**Common fixes:**
|
|
364
|
+
- Add vendor exclusion: `not $fp_vendor_string`
|
|
365
|
+
- Add distinguishing string: require unique + generic together
|
|
366
|
+
- Add positional constraint: `$marker in (0..1024)`
|
|
367
|
+
- Replace the string entirely with more specific indicator
|
|
368
|
+
|
|
369
|
+
---
|
|
370
|
+
|
|
371
|
+
## Phase 6: Deployment
|
|
372
|
+
|
|
373
|
+
### Peer Review Checklist
|
|
374
|
+
|
|
375
|
+
Before merge, reviewer checks:
|
|
376
|
+
|
|
377
|
+
- [ ] Naming follows convention
|
|
378
|
+
- [ ] Metadata complete and accurate
|
|
379
|
+
- [ ] Strings justify confidence score
|
|
380
|
+
- [ ] Condition ordered by cost
|
|
381
|
+
- [ ] Tested against goodware
|
|
382
|
+
- [ ] No obvious FP risks
|
|
383
|
+
- [ ] Performance acceptable
|
|
384
|
+
|
|
385
|
+
### Version Control
|
|
386
|
+
|
|
387
|
+
```bash
|
|
388
|
+
# Add to repo
|
|
389
|
+
git add rules/malware/MAL_Win_Example_Jan25.yar
|
|
390
|
+
|
|
391
|
+
# Commit with meaningful message
|
|
392
|
+
git commit -m "Add MAL_Win_Example detection rule
|
|
393
|
+
|
|
394
|
+
- Targets Example malware family loader component
|
|
395
|
+
- Based on samples from Jan 2025 campaign
|
|
396
|
+
- Tested against VT goodware (0 matches)
|
|
397
|
+
- Reference: https://example.com/analysis"
|
|
398
|
+
```
|
|
399
|
+
|
|
400
|
+
### Production Monitoring
|
|
401
|
+
|
|
402
|
+
After deployment:
|
|
403
|
+
|
|
404
|
+
1. **Monitor for FPs** — Set up alerting for first 48 hours
|
|
405
|
+
2. **Track detection rate** — Rule should detect new samples in the family
|
|
406
|
+
3. **Review periodically** — Malware evolves; rules need updates
|
|
407
|
+
|
|
408
|
+
---
|
|
409
|
+
|
|
410
|
+
## Decision Points
|
|
411
|
+
|
|
412
|
+
### When to Pivot from Strings to Structure
|
|
413
|
+
|
|
414
|
+
If yarGen returns only API names and paths:
|
|
415
|
+
|
|
416
|
+
```
|
|
417
|
+
→ Try pe.imphash() for import clustering
|
|
418
|
+
→ Try pe.rich_signature for build environment
|
|
419
|
+
→ Try math.entropy() on sections
|
|
420
|
+
→ Try pe module for section anomalies
|
|
421
|
+
→ If nothing works: sample may not be YARA-detectable
|
|
422
|
+
```
|
|
423
|
+
|
|
424
|
+
### When to Split vs. Combine Rules
|
|
425
|
+
|
|
426
|
+
**Split when:**
|
|
427
|
+
- Different variants have no common strings
|
|
428
|
+
- Performance degrades with combined rule
|
|
429
|
+
- Different confidence levels needed
|
|
430
|
+
|
|
431
|
+
**Combine when:**
|
|
432
|
+
- Variants share core indicators
|
|
433
|
+
- Single rule can cover family with `any of` variants
|
|
434
|
+
|
|
435
|
+
### When to Abandon an Approach
|
|
436
|
+
|
|
437
|
+
Stop and pivot when:
|
|
438
|
+
|
|
439
|
+
| Situation | Action |
|
|
440
|
+
|-----------|--------|
|
|
441
|
+
| Can't find 3 unique strings | Target unpacked version or detect packer |
|
|
442
|
+
| Goodware matches > 5 | Find completely different indicators |
|
|
443
|
+
| Performance > 2s per file | Split into focused rules |
|
|
444
|
+
| Can't write clear description | Rule is too vague — reconsider scope |
|
|
445
|
+
|
|
446
|
+
### String Selection Quick Decision
|
|
447
|
+
|
|
448
|
+
```
|
|
449
|
+
Is this string good enough?
|
|
450
|
+
├─ Less than 4 bytes? → NO
|
|
451
|
+
├─ API name? → NO
|
|
452
|
+
├─ Common path? → NO
|
|
453
|
+
├─ In Windows/common libraries? → NO
|
|
454
|
+
├─ Unique to malware family? → YES
|
|
455
|
+
└─ In other malware too? → MAYBE (combine with unique marker)
|
|
456
|
+
```
|
|
457
|
+
|
|
458
|
+
---
|
|
459
|
+
|
|
460
|
+
## Quick Reference
|
|
461
|
+
|
|
462
|
+
### Essential Commands
|
|
463
|
+
|
|
464
|
+
```bash
|
|
465
|
+
yr check rule.yar # Validate syntax
|
|
466
|
+
yr fmt -w rule.yar # Format
|
|
467
|
+
yr scan -s rule.yar file # Scan with matched strings
|
|
468
|
+
yr dump -m pe file.exe # Inspect PE structure
|
|
469
|
+
```
|
|
470
|
+
|
|
471
|
+
### Required Metadata
|
|
472
|
+
|
|
473
|
+
```yara
|
|
474
|
+
meta:
|
|
475
|
+
description = "Detects X via Y"
|
|
476
|
+
author = "Name <email>"
|
|
477
|
+
reference = "URL"
|
|
478
|
+
date = "YYYY-MM-DD"
|
|
479
|
+
```
|
|
480
|
+
|
|
481
|
+
### Condition Order
|
|
482
|
+
|
|
483
|
+
1. `filesize`
|
|
484
|
+
2. Magic bytes (`uint16/uint32`)
|
|
485
|
+
3. Strings
|
|
486
|
+
4. Module calls
|
|
487
|
+
|
|
488
|
+
### Goodware Thresholds
|
|
489
|
+
|
|
490
|
+
- 0 matches = Deploy
|
|
491
|
+
- 1-2 matches = Investigate
|
|
492
|
+
- 3-5 matches = Find new indicators
|
|
493
|
+
- 6+ matches = Start over
|
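Review bot: the "Recommended flags" yarGen invocation in Phase 2 will not run as written. In bash a backslash followed by a space escapes the space instead of continuing the line, and the trailing `# ...` comment then terminates the command, so `python yarGen.py -m samples/ \ # Filter against known goodware strings` executes with only `-m samples/` and each following `--excludegood \ # ...` line is parsed as a separate, failing command. Move the explanations to comment lines above the command or drop them, e.g. `python yarGen.py -m samples/ --excludegood -g /path/to/good/files --nosimple --nomagic -o candidate_rule.yar`. Separately, the Quick Reference "Required Metadata" block lists only `description`, `author`, `reference` and `date`, while the Phase 3 Metadata Checklist also requires `hash` and `score`; align the two so reviewers apply one standard.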