Sync from PR#1924

Add attachment_filename_containing_unicode_braille_pattern_blank_character.yml by @vector-sec
#1924
Source SHA fa2bad8
Triggered by @zoomequipd

detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml

@@ -0,0 +1,28 @@
+name: 'Attachment: Filename Containing Unicode Braille Pattern Blank Character'
+description: |
+  Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters
+references:
+  - "https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/"
+type: "rule"
+authors:
+  - twitter: "vector_sec"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          regex.icontains(.file_name, '\x{2800}')
+          or (
+            .file_extension in~ $file_extensions_common_archives
+            and any(file.explode(.), regex.icontains(.file_name, '\x{2800}'))
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+id: "c230ca86-f563-58b0-8667-5052cc9bf3c6"
+testing_pr: 1924
+testing_sha: fa2bad8b3500b3f536d2cb60ea131ee6261e7c21