yara-rule-authoring
Detection rules for malware that balance specificity with performance, avoiding false positives through careful string selection and atom optimization.
- Covers naming conventions, string selection heuristics, and performance optimization through atom theory—includes decision trees for when to use hex vs. regex vs. modules
- Supports YARA-X (Rust-based successor) with 99% legacy YARA compatibility; includes migration guidance and new features like private patterns and built-in formatter
- Provides platform-specific guidance for Windows PE, macOS Mach-O, JavaScript/npm, Office documents, Chrome extensions (crx module), and Android apps (dex module)
- Includes expert heuristics for debugging false positives, goodware validation workflows, and a quality checklist covering metadata, string quality, and condition ordering
- Supplies example rules from Elastic, Airbnb, and Stairwell demonstrating graduated string counts, multi-category grouping, and obfuscation detection patterns
YARA-X Rule Authoring
Write detection rules that catch malware without drowning in false positives.
This skill targets YARA-X, the Rust-based successor to legacy YARA. YARA-X powers VirusTotal's production systems and is the recommended implementation. See Migrating from Legacy YARA if you have existing rules.
Core Principles
- Strings must generate good atoms — YARA extracts 4-byte subsequences ("atoms") from each string for fast matching. Strings with repeated bytes, common byte sequences, or fewer than 4 bytes produce poor atoms and force slow bytecode verification on too many files.
- Target specific families, not categories — "Detects ransomware" catches everything and nothing. "Detects LockBit 3.0 configuration extraction routine" catches what you want.
- Test against goodware before deployment — A rule that fires on Windows system files is useless. Validate against VirusTotal's goodware corpus or your own clean file set.
- Short-circuit with cheap checks first — Put `filesize < 10MB and uint16(0) == 0x5A4D` before expensive string searches or module calls.
- Metadata is documentation — Future you (and your team) need to know what this catches, why, and where the sample came from.
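The rule below is an added example that puts the five principles together; it is not part of the skill and not a rule from any of the sources it names. The rule name, the family name, every string, and the hex pattern are constructed for illustration and do not correspond to a real sample, so the rule is a template for layout and condition ordering, not a detection to deploy as-is.

```yara
// Added example (hypothetical rule and strings, not a real family).
rule Example_FakeFamily_ConfigLoader
{
    meta:
        author      = "example author"
        description = "Illustrates layout: metadata, atom-friendly strings, cheap checks first"
        date        = "2024-01-01"            // placeholder
        reference   = "PLACEHOLDER-sample-hash" // fill in the real sample hash
        family      = "FakeFamily"             // constructed family name

    strings:
        // Each string is distinctive and longer than 4 bytes, so the scanner
        // can pick a high-quality 4-byte atom from it.
        $cfg_marker = "FakeFamilyCfgBlob_v3" ascii wide
        $cfg_key    = "k3y_sch3dul3r_tbl" ascii
        // Constructed opcode-style hex pattern with wildcards for variable bytes.
        $cfg_decode = { 7B 3A 8F C4 ?? ?? 1E 9D 55 8B }

        // Anti-examples, deliberately NOT used in the condition:
        //   "aaaa"  -> repeated bytes, a poor atom shared by countless files
        //   "MZ"    -> only 2 bytes, no usable 4-byte atom at all
        // Encode such checks with uint16(0) in the condition instead.

    condition:
        // Cheap, short-circuiting checks first: size bound, then the PE
        // "MZ" header read as a little-endian 16-bit integer.
        filesize < 10MB and
        uint16(0) == 0x5A4D and
        // Only then pay for the string search; require two of the three
        // family-specific markers so a single common string cannot fire it.
        2 of ($cfg_*)
}
```

The condition is evaluated left to right, so files larger than 10 MB or without an MZ header are rejected before any string matching cost is paid; the `2 of` requirement on family-specific strings is what keeps the rule targeted at one family rather than a category.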
When to Use