---
name: malware-analysis
description: Orchestrates the complete malware analysis lifecycle — from initial triage through dynamic analysis, detection engineering, and professional report writing. Routes to specialized sub-skills based on file type and analysis phase. Manages analysis state across phases and supports multi-sample batch workflows. Use this as the single entry point for any malware analysis task.
---

# Malware Analysis Orchestrator

Single entry point for malware analysis engagements. Routes to specialized sub-skills, carries findings between phases, and manages multi-sample workflows.

## How This Works

You describe what you need — "analyze this sample", "I have 5 files to triage", "create detection rules from my findings" — and this orchestrator:

  1. Determines which sub-skill to use based on your file type and intent
  2. Guides you through the analysis using that sub-skill
  3. Records findings in a state file (analysis_state.md)
  4. Recommends the next phase when the current one completes
  5. Waits for your confirmation before proceeding

You never need to invoke sub-skills directly.

## Routing Logic

| Signal | Routes To |
|---|---|
| Unknown file / "what is this?" / initial assessment | malware-triage |
| PE executable after triage, needing behavior monitoring | malware-dynamic-analysis |
| .NET / Office / PDF / script / archive / LNK / ELF | specialized-file-analyzer |
| "Create detection rules" / post-analysis phase | detection-engineer |
| "Write the report" / final documentation phase | malware-report-writer |
| YARA rules specifically | malware-report-writer (not detection-engineer) |

Triage is always the entry point for new samples. The table above describes which analysis skill follows triage.

## File Type Priority Order

When routing by file type, use the `file` command output. Check in this order — first match wins:

  1. "Mono/.Net assembly" → read and follow specialized-file-analyzer/SKILL.md
  2. "Microsoft Office Document" → read and follow specialized-file-analyzer/SKILL.md
  3. "PDF document" → read and follow specialized-file-analyzer/SKILL.md
  4. "ELF" → read and follow specialized-file-analyzer/SKILL.md
  5. "PE32" / "PE64" (only if .NET was NOT matched) → read and follow malware-triage/SKILL.md, then malware-dynamic-analysis/SKILL.md
  6. "MS Windows shortcut" (LNK) → read and follow specialized-file-analyzer/SKILL.md
  7. ASCII text / script content → read and follow specialized-file-analyzer/SKILL.md
  8. Archive formats (Zip, RAR, 7z) → read and follow specialized-file-analyzer/SKILL.md
  9. "data" / zero-byte / unrecognized → read and follow malware-triage/SKILL.md for manual assessment

.NET is the key ambiguity: `file` reports both "PE32" and "Mono/.Net assembly" for .NET assemblies, so a PE check that runs first would misroute them to dynamic analysis. Always check for .NET before checking for PE.
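An added example (not code from this skill repo) of the priority order as a router over `file` output. The regexes are my approximations of the strings listed above; `file` prints "PE32+" for 64-bit PE and "Microsoft Word 2007+" and similar for Office files, so those spellings are included as well.

```python
import re

# Skill paths the orchestrator reads next, per the list above.
SPECIALIZED = ["specialized-file-analyzer/SKILL.md"]
PE_PATH = ["malware-triage/SKILL.md", "malware-dynamic-analysis/SKILL.md"]
TRIAGE_ONLY = ["malware-triage/SKILL.md"]

# Checked top to bottom; first match wins. The .NET pattern is deliberately
# placed before the PE pattern because .NET assemblies match both.
RULES = [
    (r"Mono/\.Net assembly", SPECIALIZED),
    (r"Microsoft (Office|Word|Excel|PowerPoint)", SPECIALIZED),  # assumption: Office spellings
    (r"PDF document", SPECIALIZED),
    (r"\bELF\b", SPECIALIZED),
    (r"\bPE(32\+?|64)(?=\s)", PE_PATH),                           # "PE32", "PE32+", "PE64"
    (r"MS Windows shortcut", SPECIALIZED),                        # LNK
    (r"ASCII text|\bscript\b", SPECIALIZED),
    (r"(Zip|RAR|7-zip) archive", SPECIALIZED),
]


def route(file_output: str) -> list[str]:
    """Return the SKILL.md files to read, in order, for one `file` output line."""
    for pattern, skills in RULES:
        if re.search(pattern, file_output, re.IGNORECASE):
            return skills
    return TRIAGE_ONLY  # "data", zero-byte, or anything unrecognized: manual triage


def route_many(samples: dict[str, str]) -> dict[str, list[str]]:
    """Batch form for the multi-sample workflow: {filename: file_output} -> {filename: skills}."""
    return {name: route(out) for name, out in samples.items()}
```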

## Phase Sequence

Each sample follows this sequence:

Triage → [Dynamic Analysis OR Specialized File Analysis] → Detection Engineering → Report Writing

- Triage is always first — read and follow malware-triage/SKILL.md
- Dynamic analysis for PE executables — read and follow malware-dynamic-analysis/SKILL.md
- Specialized file analysis for non-PE files (.NET, Office, PDF, scripts, archives, LNK, ELF) — read and follow specialized-file-analyzer/SKILL.md
- Detection engineering consolidates IOCs into Sigma/Suricata rules — read and follow detection-engineer/SKILL.md
- Report writing is always last — read and follow malware-report-writer/SKILL.md

## Phase Transitions (Suggest-Next Mode)

After each phase completes:

  1. Summarize what was found in the current phase
  2. Update analysis_state.md with findings and IOCs
  3. Recommend the next skill with reasoning based on findings
  4. Wait for user confirmation before proceeding

Never auto-chain phases. Every transition requires user confirmation.

## VM Isolation Boundary

Before dynamic analysis, explicitly remind the user:

"The next phase requires executing the sample in your isolated VM (REMnux/FlareVM). Please:

  1. Execute the sample with monitoring tools running (Procmon, Wireshark, Process Hacker, Sysmon)
  2. Observe for at least 15 minutes
  3. Export evidence in text-parseable formats (CSV, JSON, TXT — not PML, PCAP, EVTX)
  4. Return here with the exported evidence files

I'll analyze the evidence when you're back."

## State File: `analysis_state.md`

Created in the user's working directory (not this skill repo) when the first sample is provided. Updated after each phase.

### Structure

```markdown
# Malware Analysis — [Engagement Name/Date]

**Analyst:** [name]
**Started:** [date]
**Status:** [In Progress / Complete]

---

## Samples

### Sample 1: [filename]
- **File Type:** [type]
- **MD5:** [hash]
- **SHA1:** [hash]
- **SHA256:** [hash]
- **Size:** [bytes]
- **Priority:** [Immediate / Standard / Low]
- **Classification:** [Trojan / Ransomware / etc. or Pending]
- **Threat Level:** [Critical / High / Medium / Low or Pending]
- **Current Phase:** [Triage / Dynamic Analysis / Specialized Analysis / Detection / Reporting / Complete / Benign]

#### Triage Findings
- [findings appended after triage phase]

#### Analysis Findings
- [findings appended after dynamic/specialized analysis]

#### IOCs Identified
- [accumulated IOCs, defanged]

#### Detection Rules Created
- [list of rules created and their locations]

---

## Next Steps
- [orchestrator's recommendation for what to do next and why]
```

## State File Rules

- Create when the user begins an engagement (first sample provided)
- Append findings after each phase — never overwrite previous findings
- Replace the "Next Steps" section at each transition (not append)
- Resume from state file if the user returns in a new conversation — read analysis_state.md to restore context
- All IOCs must be defanged at the point they are recorded to the state file, regardless of which phase produces them
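An added example (not the skill's own code) of the state-file rules applied to the markdown template: findings are appended under a sample's sub-section without touching earlier entries, "## Next Steps" is replaced rather than appended, and IOCs are defanged at the moment they are written. `STATE` is a constructed, shortened `analysis_state.md`; the function names are mine.

```python
import re

# Constructed, abbreviated analysis_state.md following the template above.
STATE = """# Malware Analysis — constructed example

## Samples

### Sample 1: sample.exe
- **Current Phase:** Triage

#### Triage Findings
- packed with UPX

#### IOCs Identified

---

## Next Steps
- run triage
"""


def defang(ioc: str) -> str:
    """Apply the page's conventions (hxxp://, [.]com, [@]) to a URL, domain, IP or e-mail."""
    s = re.sub(r"^http(s?)://", r"hxxp\1://", ioc, flags=re.IGNORECASE)
    s = s.replace("@", "[@]")
    return re.sub(r"\.(?=\w)", "[.]", s)  # a trailing '.' is left as-is


def append_findings(state: str, sample: str, section: str, bullets: list[str], ioc: bool = False) -> str:
    """Append bullets to '#### <section>' under '### Sample N: <sample>'; earlier bullets are kept."""
    lines = state.splitlines()
    s = next(i for i, l in enumerate(lines) if l.startswith("### Sample") and l.endswith(sample))
    h = next(i for i in range(s, len(lines)) if lines[i].strip() == f"#### {section}")
    end = h + 1
    while end < len(lines) and not lines[end].startswith(("#", "---")):
        end += 1                          # walk to the end of this sub-section
    while lines[end - 1].strip() == "":
        end -= 1                          # insert before the sub-section's trailing blank line
    new = [f"- {defang(b) if ioc else b}" for b in bullets]
    return "\n".join(lines[:end] + new + lines[end:]) + "\n"


def replace_next_steps(state: str, recommendation: str) -> str:
    """Replace (never append) the Next Steps section with the orchestrator's recommendation."""
    head, marker, _ = state.partition("## Next Steps")
    if not marker:
        head, marker = state.rstrip() + "\n\n", "## Next Steps"
    return f"{head}{marker}\n- {recommendation}\n"
```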

## Multi-Sample Batch Workflow

  1. Intake: Prompt for all known samples upfront — "How many samples do you have? Let's list them all before we begin."
  2. Batch triage: Quick triage pass on all samples (5-10 min each — hashes, file type, reputation check, classification per the triage skill's "Quick Triage" tier)
  3. Priority ranking: Rank samples as Immediate / Standard / Low based on triage findings
  4. Sequential deep analysis: Guide the user through deep analysis of high-priority samples one at a time, following the full phase sequence per sample
  5. State tracking: Update state file per-sample so the user can see which samples are triaged, analyzed, and reported

## Conventions Enforced

- All IOCs in state files and reports must be defanged (hxxp://, [.]com, [@])
- Reports always include all three hash types: MD5, SHA1, SHA256
- Evidence must be in text-parseable formats (CSV, JSON, TXT)
- Detection rules (YARA, Sigma, Suricata) must be tested before inclusion
- MITRE ATT&CK technique IDs must be tagged in Sigma rules
- Sigma rules require unique UUIDs
- Custom Suricata rules use SIDs starting at 1000000+
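An added example (not from this skill repo) that checks a batch of rules against the Sigma and Suricata conventions above before they are recorded in the state file: unique UUID ids and an ATT&CK technique tag per Sigma rule, and a SID of 1000000 or higher per Suricata rule. Sigma rules are passed as already-parsed dicts (as `yaml.safe_load` would return them), Suricata rules as raw rule strings; the sample rules are constructed.

```python
import re
import uuid

# Constructed Sigma rules: B reuses A's id and carries no technique tag.
SIGMA_RULES = [
    {"title": "Constructed rule A", "id": "b1f6d5e2-3c1a-4f7e-9a0b-1d2e3f4a5b6c",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Constructed rule B", "id": "b1f6d5e2-3c1a-4f7e-9a0b-1d2e3f4a5b6c",
     "tags": ["attack.persistence"]},
]
# Constructed Suricata rules: the second uses a SID below the local range.
SURICATA_RULES = [
    'alert dns any any -> any any (msg:"constructed lookup"; dns.query; content:"evil.example"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 4444 (msg:"constructed beacon"; sid:42; rev:1;)',
]

TECHNIQUE_TAG = re.compile(r"attack\.t\d{4}(\.\d{3})?")   # attack.t1059 or attack.t1059.001


def check_sigma(rules: list[dict]) -> list[str]:
    """Return one message per convention violation (empty list means all rules pass)."""
    errors, seen = [], set()
    for r in rules:
        title = r.get("title", "<untitled>")
        try:
            rid = str(uuid.UUID(str(r.get("id"))))   # normalises case; rejects non-UUIDs
        except ValueError:
            errors.append(f"{title}: id is not a UUID")
            continue
        if rid in seen:
            errors.append(f"{title}: duplicate id {rid}")
        seen.add(rid)
        if not any(TECHNIQUE_TAG.fullmatch(t) for t in r.get("tags", [])):
            errors.append(f"{title}: no MITRE ATT&CK technique tag (attack.tNNNN)")
    return errors


def check_suricata(rules: list[str], min_sid: int = 1000000) -> list[str]:
    """Flag rules with no sid or a sid below the local (custom) range."""
    errors = []
    for rule in rules:
        m = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
        if not m:
            errors.append("rule without sid: " + rule[:40])
        elif int(m.group(1)) < min_sid:
            errors.append(f"sid {m.group(1)} below local range (>= {min_sid})")
    return errors
```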

## IOC Defanging Ownership

Each phase defangs IOCs before appending them to the state file. The detection-engineer sub-skill handles bulk defanging, format conversion (STIX, CSV, OpenIOC), and confidence assessment during its dedicated phase.

## Edge Cases

- User wants to skip a phase: Allow it, note the skip in the state file, and proceed to the requested phase
- User provides evidence without explicit routing: Infer the phase from evidence type (Procmon CSV → dynamic analysis, Sysmon JSON → dynamic analysis, olevba output → specialized file analysis, etc.)
- Session restart: Read analysis_state.md to restore context and resume from the last recorded phase
- Single sample, known type: Skip batch triage and go directly to the appropriate skill
- User explicitly requests a specific sub-skill: Defer to the user's choice
- Benign sample: If triage determines a sample is clean/benign, mark its phase as Benign in the state file, note the reasoning, and move to the next sample. Do not proceed with further analysis phases.
- Unrecognized file type: If `file` output doesn't match any known routing pattern, default to malware-triage/SKILL.md for manual assessment. Note the unknown type in the state file.
- State file conflicts: If an existing analysis_state.md is found, ask whether to resume the existing engagement or start a new one (with a timestamped filename like analysis_state_2026-03-15.md)
- Running from the skill repo: If the working directory appears to be this skill repository itself (contains malware-triage/, detection-engineer/, etc. as subdirectories), warn the user and ask them to switch to their analysis workspace before creating a state file

## Sub-Skill Reference

The orchestrator delegates to these sub-skills by reading their SKILL.md files at execution time:

| Sub-Skill | Path | Purpose |
|---|---|---|
| Malware Triage | malware-triage/SKILL.md | Rapid assessment, classification, prioritization |
| Dynamic Analysis | malware-dynamic-analysis/SKILL.md | Safe execution, behavior monitoring in isolated VMs |
| Specialized File Analyzer | specialized-file-analyzer/SKILL.md | Non-PE file analysis (.NET, Office, PDF, scripts, archives, LNK, ELF) |
| Detection Engineer | detection-engineer/SKILL.md | Sigma rules, Suricata rules, hunting queries, IOC defanging |
| Report Writer | malware-report-writer/SKILL.md | Professional reports, YARA rules, quality checklists |

When entering a phase, read the corresponding SKILL.md file and follow its instructions. Carry forward the accumulated state from previous phases.

## MCP Server Integrations (Optional)

MCP servers can automate manual steps like hash lookups and IOC enrichment. If available, use them to accelerate the workflow — but they are not required.

See references/mcp_integrations.md for setup instructions and a mapping of which MCP servers benefit which skills. The two highest-impact integrations are:

  1. VirusTotal MCP — automates hash/URL/domain reputation checks during triage
  2. Threat Intel MCP — unified access to MalwareBazaar, ThreatFox, AbuseIPDB, and GreyNoise for IOC validation