Skip to content

Add detection rule for PowerShell download cradle patterns #4

Open
Open
Add detection rule for PowerShell download cradle patterns#4
Labels
enhancementNew feature or requestgood first issueGood for newcomershelp wantedExtra attention is needed
@Ap6pack

Description

@Ap6pack
Ap6pack
opened on Apr 2, 2026

Problem

Malwar currently detects base64-encoded bash commands and curl-based exfiltration, but doesn't have a dedicated rule for PowerShell download cradle patterns commonly used in Windows-targeting skill file attacks. These patterns include:

  • `IEX (New-Object Net.WebClient).DownloadString('...')`
  • `Invoke-Expression` with remote URLs
  • `Start-BitsTransfer` to download payloads
  • `powershell -enc ` encoded commands

How to Fix

  1. Create a new rule file in `src/malwar/rules/` (look at existing rules for the pattern)
  2. The rule should detect PowerShell download cradles in skill file content
  3. Assign it an ID like `MALWAR-OBF-002` or the next available ID
  4. Severity: `critical` (same as MALWAR-OBF-001 for bash base64)
  5. Category: `obfuscated_command`

Test Fixtures

Create a test fixture at `tests/fixtures/skills/malicious/powershell_cradle.md` with a skill that uses PowerShell download patterns. Also add a benign fixture that mentions PowerShell in documentation without triggering the rule.

Reference

Look at `MALWAR-OBF-001` (base64 command execution) for the pattern to follow.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestgood first issueGood for newcomershelp wantedExtra attention is needed

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions