// MakeNotWork custom YARA rules
// Platform-specific threats and common test patterns

rule eicar_test_file {
    meta:
        description = "EICAR anti-virus test file"
        reference = "https://www.eicar.org/download-anti-malware-testfile/"
    strings:
        // The canonical 68-byte EICAR string. "\\" is YARA's text-string escape
        // for one literal backslash, so the scanned bytes contain a single "\".
        // Matched anywhere in the file: a scanned buffer that merely embeds the
        // string (e.g. an AV signature database or a document quoting it) will
        // also fire; tighten with "at 0" if only the bare test file is wanted.
        $sig = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    condition:
        // Single string, so this is equivalent to referencing $sig directly.
        any of them
}

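rule suspicious_script_in_binary {
    meta:
        description = "Executable containing embedded script downloaders"
    strings:
        // PowerShell download-cradle fragments. Windows executables commonly
        // store such command text as UTF-16LE, which a plain "ascii" string
        // never matches; "wide" covers that encoding as well.
        $ps1 = "powershell" ascii wide nocase
        $ps2 = "Invoke-Expression" ascii wide nocase
        $ps3 = "DownloadString" ascii wide nocase
        // Unix fetch-and-pipe-to-shell pattern: a curl invocation plus a pipe
        // into a shell. The original literals required exactly one space after
        // the pipe, and "| sh" also fired on "| sha256sum" / "| shell". The
        // regexes accept optional whitespace and require a word boundary so
        // only a shell name ends the token ("| sh", "|sh -c", "|  bash").
        $bash1 = "curl " ascii
        $bash2 = /\|\s*bash\b/ ascii
        $bash3 = /\|\s*sh\b/ ascii
    condition:
        // Any two PowerShell fragments, or curl combined with a pipe to sh/bash.
        // NOTE(review): a legitimate admin tool that references PowerShell and
        // Invoke-Expression will also match; treat hits as a triage signal.
        (2 of ($ps*)) or ($bash1 and ($bash2 or $bash3))
}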
