Problem
Malwar currently detects base64-encoded bash commands and curl-based exfiltration, but doesn't have a dedicated rule for PowerShell download cradle patterns commonly used in Windows-targeting skill file attacks. These patterns include:
- `IEX (New-Object Net.WebClient).DownloadString('...')`
- `Invoke-Expression` with remote URLs
- `Start-BitsTransfer` to download payloads
- `powershell -enc ` encoded commands
How to Fix
- Create a new rule file in `src/malwar/rules/` (look at existing rules for the pattern)
- The rule should detect PowerShell download cradles in skill file content
- Assign it an ID like `MALWAR-OBF-002` or the next available ID
- Severity: `critical` (same as MALWAR-OBF-001 for bash base64)
- Category: `obfuscated_command`
Test Fixtures
Create a test fixture at `tests/fixtures/skills/malicious/powershell_cradle.md` with a skill that uses PowerShell download patterns. Also add a benign fixture that mentions PowerShell in documentation without triggering the rule.
Reference
Look at `MALWAR-OBF-001` (base64 command execution) for the pattern to follow.
Problem
Malwar currently detects base64-encoded bash commands and curl-based exfiltration, but doesn't have a dedicated rule for PowerShell download cradle patterns commonly used in Windows-targeting skill file attacks. These patterns include:
How to Fix
Test Fixtures
Create a test fixture at `tests/fixtures/skills/malicious/powershell_cradle.md` with a skill that uses PowerShell download patterns. Also add a benign fixture that mentions PowerShell in documentation without triggering the rule.
Reference
Look at `MALWAR-OBF-001` (base64 command execution) for the pattern to follow.