
Sr. Technical Content Strategist

Most malware analysis workflows follow the same pattern: run a set of tools, manually review the output, build detection rules from memory, and repeat. It's reliable, but slow, and for MDR and MSSP teams handling volume, delays have a cost.
In this workshop, LimaCharlie Senior Solutions Engineer Chris Botelho demonstrates a faster path: using Claude Code with LimaCharlie's reverse engineering environment to triage, analyze, and build detections against a real malware sample pulled from Malware Bazaar.
This session is built for practitioners. If you've done malware triage by hand, you'll recognize the workflow. You'll also see where Claude Code earns its place and where it still needs you. The goal is faster analysis with the same rigor, not a replacement for expertise.
By the end, you'll understand how to use Claude Code to conduct static and dynamic malware analysis and map findings to the MITRE ATT&CK framework. You'll also see how to generate D&R rules in LimaCharlie directly from the threat summary.
The session covers four major SecOps tasks:
Static analysis. Claude Code runs initial triage on the binary: extracting download URLs, spotting anti-debugging checks and persistence mechanisms, and measuring file entropy (a high-entropy region usually means packed or encrypted content that a static pass cannot see through). This gives analysts a working picture of the malware's capabilities before execution.
External tool enrichment. Capa, Detect-It-Easy, and FLOSS are run against the sample: capa maps the binary's capabilities to the MITRE ATT&CK matrix, Detect-It-Easy identifies the compiler and any packer, and FLOSS recovers obfuscated strings. Claude Code orchestrates the tools sequentially and compiles their findings into a structured threat summary.
Detection rule generation. Using the threat summary and LimaCharlie's event schema, Claude Code writes D&R rules covering C2 connections, registry persistence, PowerShell execution, and process behavior. Chris walks through a specific case where the AI added a network isolation action it had been told to exclude, illustrating why output verification is a required step, not an optional one.
Live detonation and rule validation. The malware executes on a Windows VM with LimaCharlie sensors deployed. Rules fire against live telemetry, and Claude Code identifies which indicators triggered, which didn't, and what the dynamic analysis surfaced beyond the static pass.
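To make the static-triage step concrete, here is an added example (not code from the workshop, from LimaCharlie, or from Claude Code) of the kind of first pass an analyst would script before reaching for capa or FLOSS: a per-chunk entropy profile to spot packed or encrypted regions, URL extraction, and plain substring checks for anti-debugging, persistence and execution indicators. The sample it runs on is a constructed byte blob (a DOS-stub-like header, a few plaintext indicators, and a pseudo-random tail standing in for a packed section), not a real binary; the domain `cdn.example.invalid`, the indicator lists and the 7.2 bits/byte threshold are illustrative assumptions.

```python
"""Static triage of a constructed PE-like blob: entropy profile, URLs,
anti-debugging / persistence / execution indicators.  Added example, not
the workshop's own tooling; no LimaCharlie or Claude Code APIs involved."""
import hashlib
import math
import random
import re
from collections import Counter

# Indicator lists are illustrative, not exhaustive (assumption).
INDICATORS = {
    "anti_debug": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                   b"NtQueryInformationProcess", b"OutputDebugString"],
    "persistence": [b"CurrentVersion\\Run", b"schtasks", b"\\Startup\\"],
    "execution": [b"powershell", b"-enc", b"cmd.exe /c"],
}
URL_RE = re.compile(rb"https?://[A-Za-z0-9._\-/%?=&:#]+")
CHUNK = 1024
HIGH_ENTROPY = 7.2   # bits per byte; packed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK):
    """(offset, entropy) for each fixed-size chunk; packed regions stand out."""
    return [(off, round(shannon_entropy(data[off:off + chunk]), 2))
            for off in range(0, len(data), chunk)]


def find_indicators(data: bytes) -> dict:
    """Plain substring hits; a packed sample hides these until it is unpacked."""
    return {cat: [s.decode() for s in needles if s in data]
            for cat, needles in INDICATORS.items()}


def triage(data: bytes) -> dict:
    """One-shot static summary suitable for feeding into a threat write-up."""
    profile = entropy_profile(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "urls": sorted({m.decode() for m in URL_RE.findall(data)}),
        "entropy_profile": profile,
        "high_entropy_offsets": [off for off, e in profile if e >= HIGH_ENTROPY],
        **find_indicators(data),
    }


# Constructed sample (not a real binary): DOS-stub-like header, plaintext
# indicators, then 2048 seeded pseudo-random bytes standing in for a packed section.
_rng = random.Random(7)
PACKED_TAIL = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 512
    + b"IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"https://cdn.example.invalid/stage2.bin\x00"
    + b"powershell.exe -nop -w hidden -enc \x00"
    + PACKED_TAIL
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The entropy profile is the part worth reading first on a real sample: the chunks at 1024 and 2048 in this blob score near 8 bits/byte while the header chunk stays low, which is exactly the signal that tells you the indicator lists below it are incomplete until the payload is unpacked.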
Two things stand out from this session. First, the time savings are real: analysis that previously took hours can be compressed to 30 to 45 minutes, particularly for samples that are unpacked and unencrypted. That matters for MDR and MSSP teams moving volume.
Second, the verification requirement is non-negotiable. The AI produced a rule with a network isolation action after being explicitly told not to. Claude Code is a capable analyst assistant, yet it still makes mistakes a practitioner has to catch. The output is worth reviewing before anything goes into production.
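The unwanted isolation action is the kind of mistake that is cheap to catch mechanically. The block below is an added example (not LimaCharlie's code and not from the workshop) of a review gate that runs over generated D&R rules before anything is pushed: it checks the rule structure and rejects any response action not on an explicit allowlist, so `isolate network` cannot ship without a human adding it deliberately. Rules are written as the Python-dict form of the D&R YAML; the event names, field paths, operator list and sample values are assumptions for illustration, and the rules are constructed, not the ones produced in the session.

```python
"""Review gate for generated LimaCharlie-style D&R rules.  Added example, not
LimaCharlie's own validator; rule shapes and field paths are assumptions."""

# Response actions a generated rule may carry without a human signing off.
# Anything else (isolate network, task, ...) is rejected here (assumption).
ALLOWED_ACTIONS = {"report", "add tag"}
LEAF_OPS = {"is", "contains", "starts with", "ends with", "matches",
            "is greater than", "is lower than"}      # need 'path' and 'value'
PLATFORM_OPS = {"is windows", "is linux", "is mac"}   # take no operands
BOOL_OPS = {"and", "or"}                              # need a 'rules' list


def check_detect(node: dict, where: str, problems: list) -> None:
    """Recursively validate a detect node, appending messages to problems."""
    op = node.get("op")
    if op in BOOL_OPS:
        subrules = node.get("rules")
        if not isinstance(subrules, list) or not subrules:
            problems.append(f"{where}: '{op}' needs a non-empty 'rules' list")
            return
        for i, sub in enumerate(subrules):
            check_detect(sub, f"{where}.rules[{i}]", problems)
    elif op == "exists":
        if "path" not in node:
            problems.append(f"{where}: 'exists' needs 'path'")
    elif op in PLATFORM_OPS:
        return
    elif op in LEAF_OPS:
        for key in ("path", "value"):
            if key not in node:
                problems.append(f"{where}: '{op}' needs '{key}'")
    else:
        problems.append(f"{where}: unknown op {op!r}")


def validate_rule(name: str, rule: dict) -> list:
    """Return a list of problems; an empty list means the rule may be pushed."""
    problems: list = []
    detect = rule.get("detect")
    if not isinstance(detect, dict):
        return [f"{name}: missing 'detect' block"]
    if not (detect.get("event") or detect.get("events")):
        problems.append(f"{name}: detect has no 'event'/'events' selector")
    check_detect(detect, f"{name}.detect", problems)
    respond = rule.get("respond")
    if not isinstance(respond, list) or not respond:
        problems.append(f"{name}: 'respond' must be a non-empty list")
        return problems
    for i, step in enumerate(respond):
        action = step.get("action") if isinstance(step, dict) else None
        if action not in ALLOWED_ACTIONS:
            problems.append(
                f"{name}: respond[{i}] action {action!r} is not on the allowlist")
        elif action == "report" and not step.get("name"):
            problems.append(f"{name}: respond[{i}] report has no 'name'")
    return problems


def validate_rules(rules: dict) -> dict:
    """name -> problems for a whole batch of generated rules."""
    return {name: validate_rule(name, rule) for name, rule in rules.items()}


# Constructed "generated" rules standing in for assistant output (assumption).
GENERATED_RULES = {
    "encoded-powershell": {
        "detect": {
            "event": "NEW_PROCESS",
            "op": "and",
            "rules": [
                {"op": "ends with", "path": "event/FILE_PATH",
                 "value": "powershell.exe", "case sensitive": False},
                {"op": "contains", "path": "event/COMMAND_LINE",
                 "value": "-enc", "case sensitive": False},
            ],
        },
        "respond": [{"action": "report", "name": "encoded-powershell"}],
    },
    "stage2-download-domain": {
        "detect": {"event": "DNS_REQUEST", "op": "is",
                   "path": "event/DOMAIN_NAME", "value": "cdn.example.invalid"},
        # The generator tacked on an isolation action it was told to leave out.
        "respond": [{"action": "report", "name": "stage2-download-domain"},
                    {"action": "isolate network"}],
    },
    "run-key-persistence": {
        "detect": {"event": "REGISTRY_WRITE", "op": "contains",
                   "path": "event/REGISTRY_KEY", "value": "CurrentVersion\\Run"},
        "respond": [{"action": "report"}],   # report with no name
    },
}

if __name__ == "__main__":
    for rule_name, issues in validate_rules(GENERATED_RULES).items():
        print(rule_name, "OK" if not issues else issues)
```

Run this as a pre-commit or CI step on the rule files the assistant writes: only rules whose problem list comes back empty go to the tenant, and an `isolate network` or `task` action has to be added by the analyst, on purpose, after the rule has been validated against live telemetry.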
This workshop is part of an ongoing series covering how to integrate AI operations into your security workflows, from detection engineering and incident response to multi-tenant management and agentic automation.
LimaCharlie's AI terminal gives you a full Linux environment with LCRE and the LimaCharlie CLI, ready to connect to Claude Code and start working with real samples.
You can watch the full training session above and follow along with the workshop yourself. Get started free.