Skip to content

gl0bal01/malware-analysis-claude-skills

Repository files navigation

Malware Analysis Skills Toolkit

Claude skills package for operational malware analysis — covering triage, dynamic analysis, detection engineering, and reporting. Does not cover deep static reverse engineering (e.g., Ghidra/IDA Pro disassembly).

💡 Want to learn the manual analysis techniques behind these skills? Check out the comprehensive Malware Analysis SOP covering traditional analysis methods and tools.


📦 What's Included

1 Orchestrator + 5 Sub-Skills covering triage, dynamic analysis, detection engineering, and reporting:

  • SKILL.md (root) - Orchestrator — single entry point that routes to the right sub-skill, manages analysis state across phases, and supports multi-sample batch workflows. Just describe what you need.
  1. malware-triage - Initial assessment and prioritization
  2. malware-dynamic-analysis - Safe execution and behavior monitoring
  3. specialized-file-analyzer - Non-PE file analysis (.NET, Office, PDF, scripts, HTA, disk images)
  4. detection-engineer - Detection rules and IOC management
  5. malware-report-writer - Professional report creation

🎯 Quick Skill Selector

Just describe what you need — the orchestrator (SKILL.md) routes automatically. The decision tree below is for reference if you want to invoke a specific sub-skill directly.

START: What do you need to do?

├─ "I need to quickly assess a sample" → Use: malware-triage
│
├─ "I need to execute malware safely and monitor it" → Use: malware-dynamic-analysis
│
├─ "I have a document/script/non-executable" → Use: specialized-file-analyzer
│  ├─ .NET/C# assembly (.exe with .NET)
│  ├─ Office document with macros (.docm, .xlsm)
│  ├─ PDF file
│  ├─ PowerShell/VBS/JavaScript/HTA
│  ├─ Archive (.zip, .rar, .7z)
│  ├─ Disk image (.iso, .img, .vhd, .vhdx)
│  ├─ Linux binary (ELF)
│  └─ Shortcut file (.lnk)
│
├─ "I need to create detection rules or defang IOCs" → Use: detection-engineer
│  ├─ YARA rules → Use: malware-report-writer
│  ├─ Sigma rules (SIEM) → Use: detection-engineer
│  ├─ Suricata rules (IDS) → Use: detection-engineer
│  └─ Defang IOCs → Use: detection-engineer
│
└─ "I need to write a malware analysis report" → Use: malware-report-writer

📊 Skills Comparison Matrix

Skill Name When to Use Primary Output
malware-triage First look at unknown sample Classification, priority, initial IOCs
malware-dynamic-analysis Execute and monitor behavior Behavioral IOCs, process tree, network traffic
specialized-file-analyzer Non-PE files (docs, scripts, etc.) Deobfuscated code, embedded payloads, IOCs
detection-engineer Create detection rules, defang IOCs Sigma/Suricata rules, hunting queries
malware-report-writer Document findings professionally Complete technical report, YARA rules

🚀 Getting Started

Installation (2 minutes)

  1. Upload Skills to Claude

    • Open Claude (claude.ai) or Claude Code
    • Upload the root SKILL.md (the orchestrator) along with all 5 sub-skill folders
    • Skills install automatically
  2. Verify Installation

    Ask Claude: "What skills do you have?"
    Should list: malware-analysis (orchestrator) plus the 5 sub-skills
    
  3. Start Analyzing

    "I have a suspicious .exe file, help me analyze it"
    "I have 5 samples to triage and prioritize"
    "Analyze this Office document with macros"
    

    The orchestrator routes to the right sub-skill automatically.


🔌 MCP Server Integrations (Optional)

MCP servers can automate manual steps like reputation lookups and sandbox execution. These are optional — every skill works without them.

MCP Server What It Automates API Key
VirusTotal Hash/URL/domain reputation lookups Free at virustotal.com
Threat.Zone Automated sandbox execution threat.zone
Threat Intel abuse.ch, AbuseIPDB, GreyNoise, AlienVault OTX Per-source
MISP Team-wide IOC sharing Self-hosted
Shodan C2 infrastructure recon Free at shodan.io
Volatility Memory forensics via natural language Local install

Recommended starting setup: VirusTotal + Threat Intel (abuse.ch). See references/mcp_integrations.md for full setup instructions.


🔐 Using with REMnux/FlareVM (Offline Analysis)

The Problem

Malware analysis VMs are typically network-isolated to prevent C2 communication. Claude Code requires internet access. Solution: Run Claude Code on your HOST machine, analyze exported evidence from the analysis VM.

Architecture

┌─────────────────────────────────────────────────────┐
│  HOST MACHINE (Internet-connected)                  │
│  • Claude Code + skills loaded                      │
│  • Analyzes exported evidence                       │
│  • Creates reports and detection rules              │
└──────────────────┬──────────────────────────────────┘
                   │ Evidence Transfer (shared folder / USB)
┌──────────────────▼──────────────────────────────────┐
│  ANALYSIS VM (Isolated - No Internet recommended)   │
│  REMnux / FlareVM                                   │
│  • Execute malware, run monitoring tools            │
│  • Export evidence in text formats                   │
└─────────────────────────────────────────────────────┘

Host Directory Structure

/malware-analysis/
├── samples/              # Original samples (DO NOT share with VM)
├── evidence/             # Evidence exported FROM analysis VM
│   ├── strings/          # strings output
│   ├── procmon/          # Process Monitor logs (CSV)
│   ├── wireshark/        # Network captures (text exports)
│   ├── sysmon/           # Sysmon event logs (JSON/CSV)
│   ├── memory/           # Memory dump analysis results
│   └── screenshots/      # Behavior screenshots
├── detections/           # Detection rules created by Claude Code
│   ├── yara/
│   ├── sigma/
│   └── suricata/
└── reports/              # Final deliverables

Workflow

  1. Pre-analysis (Claude Code on host): Ask for tool configuration guidance — Procmon filters, Wireshark display filters, Sysmon event focus
  2. Execution (manual on VM): Snapshot VM → start monitoring → execute malware → observe 15+ min → export evidence as CSV/JSON/TXT → revert snapshot
  3. Analysis (Claude Code on host): Feed exported evidence to Claude — triage, deep analysis, detection rule creation, report writing
  4. Deliverables: Detection rules and reports generated on host

What Claude Code CAN and CANNOT Do

CAN: Read/interpret Procmon CSV, Wireshark text exports, Sysmon JSON/CSV, strings output, PE header info. Create YARA/Sigma/Suricata rules, hunting queries, professional reports. Guide tool setup and filter configuration.

CANNOT: Execute malware directly. Read raw binary formats (PML, PCAP, EVTX) — convert to text first. Directly analyze PE/ELF binaries — run tools first (strings, objdump), then feed the output.

Troubleshooting

Q: Claude Code refuses to read my evidence file? A: Ensure it's in text format (CSV, JSON, TXT), not binary (PML, PCAP, EVTX).

Q: How do I convert PCAP to text?

tshark -r capture.pcap -Y http -T fields -e http.host -e http.request.uri > http_traffic.txt

Q: How do I convert EVTX to CSV?

Get-WinEvent -Path sysmon.evtx | Export-Csv sysmon.csv

Q: Claude Code says file is too large? Filter first: grep "malware.exe" procmon_huge.csv > procmon_filtered.csv


📚 Sub-Skill Details

1. Malware Triage

Purpose: Rapid initial assessment (5-30 minutes per sample)

Use when you have a new unknown sample, need to prioritize multiple samples, or want quick classification before deep analysis.

Provides: File hashing (MD5/SHA1/SHA256), reputation lookup guidance, PE structure analysis, string extraction, malware classification, threat level assessment, priority determination.

malware-triage/
├── SKILL.md
├── references/
│   ├── indicators.md          # Suspicious APIs & patterns
│   └── triage_checklist.md    # Step-by-step guide
└── scripts/
    └── hash_calculator.py

2. Malware Dynamic Analysis

Purpose: Safe execution and comprehensive behavior monitoring

Use when you need to observe actual runtime behavior, capture C2 communications, or extract dynamic IOCs.

Provides: Pre-execution safety checklists, tool setup (Procmon, Wireshark, System Informer, Sysmon), monitoring workflows for process/file/registry/network activity, artifact collection, sandbox usage guidance.

malware-dynamic-analysis/
├── SKILL.md
└── references/
    ├── tool_setup.md              # Procmon, Wireshark, etc.
    ├── sandbox_setup.md           # Local sandbox installation
    └── anti_analysis_bypass.md    # VM detection bypass

3. Specialized File Analyzer

Purpose: Analyze non-PE file formats requiring specialized tools

Covers: .NET/C# assemblies (dnSpy/ILSpy), Office macros (oledump/olevba), PDFs (pdfid/pdf-parser), PowerShell/VBScript/JavaScript deobfuscation, archives, LNK files (LECmd), ELF binaries (readelf/strace), HTA files, disk images (ISO/IMG/VHD/VHDX).

specialized-file-analyzer/
└── SKILL.md

4. Detection Engineer

Purpose: Convert analysis findings into production detection rules

Covers: IOC defanging, confidence/volatility assessment, Sigma rules (process creation, network, registry, file), Suricata rules (HTTP/DNS/TLS C2 detection), hunting queries (Splunk, Elastic, EDR), IOC export (STIX 2.1, CSV, OpenIOC). Note: YARA rules are authored in malware-report-writer.

detection-engineer/
└── SKILL.md

5. Malware Report Writer

Purpose: Create professional, enterprise-ready malware analysis reports

Covers: 12-section report template, executive/technical audience guidance, YARA rule creation and testing, IOC documentation with defanging, remediation recommendations, quality assurance checklist.

malware-report-writer/
├── SKILL.md
├── assets/
│   └── report_template.md         # Complete report structure
└── references/
    └── best_practices.md           # Writing standards & tips

💡 Usage Example

User: "I need to analyze this suspicious .exe sample"

Workflow:
1. "Help me triage this sample" → malware-triage
   - Calculates hashes, checks VirusTotal
   - Classifies as trojan/RAT, Priority: High

2. "Guide me through dynamic analysis" → malware-dynamic-analysis
   - Verifies VM isolation
   - Sets up Procmon, Wireshark, System Informer
   - Monitors execution, extracts behavioral IOCs

3. "Create detection rules for this malware" → detection-engineer
   - Defangs all IOCs
   - Creates Sigma rule for process injection
   - Creates Suricata rule for C2 traffic

4. "Help me write the analysis report" → malware-report-writer
   - Structures all findings using template
   - Creates YARA rule, reviews with quality checklist

⚡ Tips

  • Triage ALL samples first before deep-diving — prioritize effectively
  • Document as you analyze — don't leave it for the end
  • Test all detection rules (YARA, Sigma, Suricata) before including in reports
  • Export evidence in text formats — CSV/JSON/TXT, not PML/PCAP/EVTX
  • Better to deeply analyze 2-3 samples than shallowly analyze 10
  • Always defang IOCs in reports and documentation

📖 Additional Resources

Training

Malware Sample Sources

Tool Documentation

Reference Materials


❓ FAQ

Q: Which skill should I start with? A: Use the root SKILL.md orchestrator — it handles routing automatically. Just describe what you need.

Q: Do I need to use all 5 sub-skills? A: No. Triage and report-writer are most common. Others are situational.

Q: How do I know if a file needs specialized-file-analyzer? A: Run file sample.bin. If output shows .NET assembly, Office document, PDF, script, HTA, disk image, or ELF — use specialized-file-analyzer.

Q: Can I modify skill prompts? A: Yes. Customize to fit your workflow and preferences.


🎉 You're Ready!

1 orchestrator + 5 sub-skills covering triage, dynamic analysis, detection engineering, and reporting. Upload the skills and start analyzing.


Built for security professionals, incident responders, and malware analysts.

About

Complete Claude skills toolkit for professional malware analysis. 5 specialized skills covering triage, dynamic analysis, detection engineering, and reporting. Works with REMnux/FlareVM offline environments.

Topics

Resources

License

Stars

43 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages