YARA Rule Authoring
Author high-quality YARA-X detection rules for malware identification and threat hunting. Covers naming conventions, string selection, performance optimization, migration from legacy YARA, and false-positive reduction.
YARA rules are the backbone of malware detection and IOC hunting. This skill guides you through writing precise, performant YARA-X rules — picking distinctive strings, tuning conditions, using crx/dex modules, and migrating legacy rules — while keeping false positives low.
When to use
Use when writing, reviewing, or optimizing YARA rules for malware detection, IOC matching, or threat-hunting signatures, or when migrating an existing legacy YARA ruleset to YARA-X.
Examples
Write a detection rule
Author a YARA-X rule from a malware sample
Write a YARA-X rule that detects this malware family using its distinctive strings and PE characteristics
Reduce false positives
Tighten an over-matching rule
This YARA rule fires on benign files — help me tighten the conditions to cut false positives