
extracting-iocs-from-malware-samples

by mukul975

extracting-iocs-from-malware-samples skill guide for malware analysis: extract hashes, IPs, domains, URLs, host artifacts, and validation cues from samples for threat intel and detection.

Added: May 11, 2026
Category: Malware Analysis
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill extracting-iocs-from-malware-samples
Curation Score

This skill scores 78/100, which means it is a solid listing candidate for directory users who need malware IOC extraction workflows. The repository provides a real, triggerable purpose, concrete extraction steps, and a runnable script/API reference, so users can judge install value with reasonable confidence, though it is more specialized than broadly reusable.

Strengths
  • Explicitly triggers on IOC extraction from malware samples and lists concrete use cases like hashes, network indicators, host artifacts, and detection content creation.
  • Operational detail is strong: the repo includes a Python script, API reference, and CLI example covering hashes, PE metadata, strings, YARA scanning, and VirusTotal validation.
  • Trust signals are decent for adoption: valid frontmatter, no placeholder markers, and a substantial SKILL.md body with workflow-oriented headings and constraints.
Cautions
  • The skill is specialized to malware-analysis contexts and requires prerequisites such as Python libraries, malware analysis output, PCAP access, and sometimes VirusTotal API credentials.
  • There is no install command in SKILL.md, so users may need extra setup effort to wire dependencies and run the script successfully.
Overview

Overview of extracting-iocs-from-malware-samples skill

What this skill does

The extracting-iocs-from-malware-samples skill helps you turn a malware sample analysis into usable indicators of compromise: hashes, IPs, domains, URLs, emails, file paths, registry keys, mutexes, and related behavior clues. It is most useful when you already have a sample or report and need defense-ready output for threat intel sharing or detection engineering.

Who should use it

This extracting-iocs-from-malware-samples skill is a good fit for malware analysts, SOC analysts, threat intel teams, and detection engineers. It is especially useful in malware analysis when you want the extraction step to be repeatable instead of ad hoc.

What makes it worth installing

The main value is structured extraction plus validation-oriented workflow support. The repo includes a runnable Python agent, a small API reference, and explicit caution around private IP filtering and false positives. That makes the skill more practical than a generic prompt for IOC harvesting.

How to Use extracting-iocs-from-malware-samples skill

Install and locate the workflow

Use the extracting-iocs-from-malware-samples install path from your skills manager, then open skills/extracting-iocs-from-malware-samples/SKILL.md first. After that, read references/api-reference.md for the function-level behavior and scripts/agent.py to see the actual extraction and validation flow.

Give the skill the right starting input

The skill works best when you provide a sample path, analysis context, and your target output. Good inputs are specific: sample filename, whether it is PE malware, whether you want YARA hits, whether VirusTotal validation is allowed, and whether output should be JSON, CSV, or STIX. Weak input like “extract IOCs” usually leaves too many decisions open.

Prompt shape that gets better results

For extracting-iocs-from-malware-samples usage, ask for the exact artifact classes you need and the constraints that matter. For example: “Extract hashes, network IOCs, host artifacts, and YARA matches from this PE sample; defang URLs; exclude private IPs; mark anything unverified.” That phrasing helps the skill separate raw hits from shareable indicators.

Read the files that change output quality

Start with SKILL.md for scope, then references/api-reference.md for dependencies and function names such as compute_hashes, extract_network_iocs, and validate_ioc_virustotal. scripts/agent.py matters because it shows real regex behavior, private IP filtering, and which dependencies are optional versus required.

extracting-iocs-from-malware-samples skill FAQ

Is this only for finalized malware analysis?

Mostly, yes. The skill is best after you have a sample or a credible analysis artifact. If you only have rumor-level indicators, the workflow can still extract strings, but the result is less trustworthy and more likely to create false positives.

How is this different from a normal prompt?

A normal prompt can ask for IOC extraction, but the extracting-iocs-from-malware-samples skill adds an opinionated workflow: hash calculation, PE metadata parsing, string extraction, network and host IOC regex logic, YARA scanning, and optional VirusTotal validation. That makes it more consistent than one-off prompting.

Do I need to be a malware analyst to use it?

No, but you should know what you are looking at. Beginners can follow the guided workflow if they can supply a sample and understand that extracted indicators still need review before blocking or sharing.

When should I not use it?

Do not rely on it for unverified indicators, and do not treat every extracted domain or IP as malicious. If you need full reverse engineering, runtime debugging, or behavioral emulation, this skill is too narrow; it is built for IOC extraction and packaging, not deep binary analysis.

How to Improve extracting-iocs-from-malware-samples skill

Give cleaner source material

The best results come from a sample plus context: sandbox output, analyst notes, or a known family name. If you provide only a raw binary, the skill can still extract hashes and strings, but you will get less confidence about which artifacts matter operationally.

Ask for validation and filtering explicitly

A strong request tells the workflow what to exclude or flag: private IPs, benign domains, development artifacts, and duplicate strings. If you are allowed to use external validation, ask for VirusTotal checks on hashes, domains, and IPs so the output is easier to triage.

Watch the common failure modes

The main failure modes are over-collection, poor defanging, and mixing host artifacts with true network IOCs. If the first output is noisy, narrow the request to one artifact class at a time, such as “network IOCs only” or “PE metadata plus hashes only,” then expand in a second pass.

Iterate toward detection-ready output

After the first run, refine based on what downstream teams actually need: blocklist entries, SIEM fields, YARA content, or a STIX bundle. In malware analysis, the most useful iteration is usually to separate confirmed indicators from likely indicators and ask for a clean, deduplicated final list.
