‹ 首页

malware-report-writer

@gl0bal01 · 收录于 1 周前

Create professional malware analysis reports for enterprise security teams and incident response. Use when you need to write, structure, or improve a malware analysis report, produce executive summaries, author YARA rules, or format IOCs and detection rules for professional delivery.

适合你,如果需要为安全团队编写结构化的恶意软件分析报告。

/ 下载安装
malware-report-writer.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add gl0bal01/malware-analysis-claude-skills/malware-report-writer
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- gl0bal01/malware-analysis-claude-skills/malware-report-writer
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify gl0bal01/malware-analysis-claude-skills/malware-report-writer
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
42GitHub stars
~1.6K最小装载
~4.3K含声明引用
~4.3K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 09f91e4

Malware Report Writer

Create professional, comprehensive malware analysis reports for enterprise security teams, incident response, and threat intelligence.

When to Use This Skill

Use this skill when the user needs to:

  • Create a complete malware analysis report from analysis findings
  • Structure analysis results into professional documentation
  • Write executive summaries for malware samples
  • Format IOCs and detection rules for delivery
  • Review or improve existing malware reports
  • Prepare report documentation for stakeholders
Quick Start
Creating a New Report
  1. Use the report template from assets/report_template.md as the base structure
  2. Gather all analysis artifacts:
  3. Sample hashes and file information
  4. Static analysis findings (strings, imports, PE structure)
  5. Dynamic analysis observations (processes, registry, network, files)
  6. IOCs identified
  7. Detection rules created
  8. Populate each section systematically
  9. Review against best practices in references/best_practices.md
Report Structure

The standard report includes these sections in order:

  1. Executive Summary - High-level overview for non-technical stakeholders
  2. Sample Information - Basic file metadata and hashes
  3. Static Analysis - File structure, strings, imports/exports, resources
  4. Dynamic Analysis - Runtime behavior, system changes, network activity
  5. IOCs - Organized by type (file, network, host indicators)
  6. Detection Rules - YARA rules and optionally Sigma rules
  7. Malware Classification - Family, type, capabilities
  8. Remediation and Mitigation - Actionable response steps
  9. Technical Details - Additional deep-dive analysis
  10. Conclusion - Final summary and assessment
  11. References - External resources and links
  12. Appendix - Timeline, tools used, screenshots
Key Principles
Professional Quality
  • Use precise technical language with clear explanations
  • Include all three hash types (MD5, SHA1, SHA256)
  • Provide full context for every finding
  • Document methodology and tools used
  • Include timestamps and version information
Professional Report Requirements

Industry-standard reports require:

  • Complete technical documentation of malware samples
  • Professional format suitable for enterprise delivery
  • Working detection rules based on malware characteristics
  • Clear IOCs that can be operationalized

Critical: The quality of your report reflects your professionalism. Allocate sufficient time for writing and review.

Audience Awareness

Structure content for multiple audiences:

  • Executive Summary: Non-technical decision makers
  • Technical Sections: Security analysts and researchers
  • IOCs/Detection: SOC teams and detection engineers
  • Remediation: Incident responders
Writing Guidelines
Executive Summary
  • 2-4 paragraphs maximum
  • Plain language, minimal jargon
  • Answer: What? How critical? What actions?
  • Include key findings in bullet points
Technical Analysis
  • Document both positive and negative findings
  • Provide evidence for every claim
  • Use code blocks for technical artifacts
  • Include screenshots when they add value
  • Connect behaviors to specific evidence
IOCs Section

Format:

  • Group by type (file, network, host)
  • Include context for each indicator
  • Provide confidence levels if uncertain
  • Test IOCs for accuracy before including

Defanging (required): All IOCs in reports MUST be defanged to prevent accidental activation:

  • URLs: httphxxp, httpshxxps (e.g., hxxps://malicious[.]example[.]com/payload)
  • Domains: bracket the dot before the TLD (e.g., evil[.]com, sub.domain[.]net)
  • Email addresses: @[@] (e.g., attacker[@]evil[.]com)
  • IP addresses: bracket each dot separator (e.g., 192[.]168[.]1[.]1)

Avoid:

  • Environment-specific artifacts
  • Personal/analyst system information
  • Common legitimate values
  • Untested indicators
Detection Rules

YARA Rules:

  • Test against sample (must detect)
  • Test against clean files (must not false positive)
  • Include metadata: author, date, description, hash
  • Use meaningful string and variable names
  • Add comments explaining detection logic
  • Set appropriate conditions to balance detection and false positives

Best practices:

rule Malware_Family_Variant {
    meta:
        description = "Detects Malware_Family based on C2 configuration"
        author = "Analyst Name"
        date = "2025-10-25"
        hash = "abc123..."
        reference = "Internal analysis"
        
    strings:
        $c2_config = { 48 8B ?? ?? ?? ?? ?? 48 8D ?? ?? }  // Config access pattern
        $ua_string = "Mozilla/4.0 (Suspicious UA)" ascii
        $mutex = "Global\\UniqueMalwareMutex" wide
        
    condition:
        uint16(0) == 0x5A4D and  // MZ header
        filesize < 2MB and
        2 of them
}
Common Mistakes to Avoid
  • Over-relying on automated tool output without interpretation
  • Listing findings without explaining significance
  • Missing critical hashes or file metadata
  • Weak or untested detection rules
  • Vague remediation recommendations
  • Poor grammar/spelling
  • Inconsistent formatting
  • Environment-specific artifacts in IOCs
Best Practices Reference

For detailed guidance on report quality, writing style, and common pitfalls, see references/best_practices.md.

Key topics covered:

  • Report writing principles (clarity, completeness, objectivity)
  • Structure guidelines for each section
  • IOC quality standards
  • Detection rule best practices
  • Audience considerations
  • Quality checklist
  • Efficient workflow strategies
Time Management Strategies

For efficient malware report creation:

Recommended workflow:

  • Phase 1-2: Analysis
  • Document findings continuously (don't wait)
  • Take screenshots and capture evidence
  • Create detection rules during analysis
  • Organize notes by report section
  • Phase 3-4: Report writing
  • Draft all technical sections first
  • Write IOCs, detection rules, remediation
  • Create executive summary and conclusion
  • Final quality check and formatting

Pro tip: Start documenting in report format during analysis to save time.

Quality Checklist

Before submitting any report, verify:

Technical Accuracy:

  • [ ] All three hash types included and verified
  • [ ] File paths are complete and accurate
  • [ ] Timestamps include timezone
  • [ ] Process IDs included for process activity
  • [ ] Tool versions documented

Detection Rules:

  • [ ] YARA rules tested against sample (detects correctly)
  • [ ] YARA rules tested against clean files (no false positives)
  • [ ] Rules include complete metadata
  • [ ] Conditions are appropriate and not over-matching

IOCs:

  • [ ] Grouped by type (file, network, host)
  • [ ] Context provided for each IOC
  • [ ] All IOCs defanged (hxxp/hxxps, [.] for domains and IPs, [@] for email)
  • [ ] No environment-specific artifacts
  • [ ] All IOCs validated

Report Quality:

  • [ ] Executive summary is non-technical and actionable
  • [ ] All sections completed
  • [ ] Grammar and spelling checked
  • [ ] Consistent formatting throughout
  • [ ] Evidence supports all claims
  • [ ] Remediation steps are specific and prioritized

Professional Standards:

  • [ ] Report is professional and enterprise-ready
  • [ ] Detection rules work and are well-documented
  • [ ] Technical details demonstrate thorough analysis
  • [ ] Report answers: What is it? What does it do? How to detect? How to remove?
Output Format

Create reports in Markdown format using the template structure. For professional delivery:

  1. Create report in Markdown using the template
  2. Convert to PDF for professional appearance (if required)
  3. Ensure all sections are complete
  4. Include any screenshots as appendix items
  5. Verify detection rules are included and tested
Example Usage

User request: "Help me write a report for this ransomware sample I analyzed"

Workflow:

  1. Load the report template
  2. Ask user for key findings from their analysis
  3. Structure findings into appropriate sections
  4. Help craft executive summary
  5. Format IOCs properly
  6. Review and validate YARA rules
  7. Provide remediation recommendations
  8. Review final report against quality checklist
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。