Install: `claude install-skill roodlicht/accans-sec-skills`
# Malware Triage
> **Sandbox-only discipline**: analysing a sample means running it in an isolated environment. Detonating in production or on a workstation with network egress creates an incident instead of solving one. Treat all samples as worm-class — that discipline costs less than a production outbreak. Detailed reverse engineering (debugger-attached, IDA Pro / Ghidra interactive) is out of scope here — that is a further specialization. The skill covers sandbox-driven triage and YARA scaffolding at signal-pattern level.
## When to use
A suspicious file or process lands on your SOC desk. Before you can say "clean" or "incident", you need a structured triage. This skill provides the structure.
Triggers on:
- A question like "what does this sample do", "write a YARA rule for this family", "ATT&CK mapping from this sandbox output", "is this the same malware family as last month".
- A handoff from `ioc-hunter` (sample known, IOCs needed), `log-triage` (suspect-execution event in EDR), `forensics-assist` (memory-extracted binary), `ir-runbook` (sample is part of an incident).
- Bug-bounty or bug disclosure where a sample is provided.
- A periodic review of EDR quarantine.
### When NOT (handoff)
- Deep reverse engineering with a disassembler/debugger → out of scope; this requires a specialized reverse-engineering engagement.
- Detection-rule building on IOCs or TTPs → `detection-engineer` (Sigma/SPL/KQL).
- IOC feed curation and sharing → `ioc-hunter`.
- Forensic evidence-grade analysis for court