plaintext 8 lines · 1 tab

YARA rules for spotting suspicious binaries during triage

Kai Nakamura Apr 2026
1 tab
rule SuspiciousDownloader {
  strings:
    $a = "powershell -enc" nocase
    $b = "Invoke-WebRequest" nocase
    $c = "http://" nocase
  condition:
    2 of them
}
1 file · plaintext Explain with highlit

YARA is useful when you need lightweight pattern matching across files during incident response or malware triage. I keep rules specific and review false positives often. Overbroad rules create noise fast, which is the enemy during an active investigation.

Share this code

Here's the card — post it anywhere.

YARA rules for spotting suspicious binaries during triage — share card
Link copied