From ad89520c47f65b55718fc68e06f36442e7219335 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Mon, 16 Dec 2024 15:24:28 +0000
Subject: [PATCH] Sync from PR#1924

Add attachment_filename_containing_unicode_braille_pattern_blank_character.yml by @vector-sec
https://github.com/sublime-security/sublime-rules/pull/1924

Source SHA fa2bad8b3500b3f536d2cb60ea131ee6261e7c21
Triggered by @zoomequipd
---
 ...nicode_braille_pattern_blank_character.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml

diff --git a/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml b/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml
new file mode 100644
index 00000000000..427ee5c7025
--- /dev/null
+++ b/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml
@@ -0,0 +1,28 @@
+name: 'Attachment: Filename Containing Unicode Braille Pattern Blank Character'
+description: |
+  Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters
+references:
+  - "https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/"
+type: "rule"
+authors:
+  - twitter: "vector_sec"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          regex.icontains(.file_name, '\x{2800}')
+          or (
+            .file_extension in~ $file_extensions_common_archives
+            and any(file.explode(.), regex.icontains(.file_name, '\x{2800}'))
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+id: "c230ca86-f563-58b0-8667-5052cc9bf3c6"
+testing_pr: 1924
+testing_sha: fa2bad8b3500b3f536d2cb60ea131ee6261e7c21
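Review bot: The `source` block matches only the single code point U+2800 in both `regex.icontains(.file_name, '\x{2800}')` calls, so the rule is narrower than the `description` suggests — the extension-hiding trick in the referenced article works by padding the name with any character that renders blank, and a sender who switches to a different blank-looking code point is presumably not caught here; rather than widening the pattern (some blank-rendering code points are legitimately used in non-Latin filenames and would raise false positives), the description should state the boundary, e.g. `Matches only U+2800 BRAILLE PATTERN BLANK; other blank-rendering padding characters are out of scope for this rule.` The nested branch explodes an attachment only when `.file_extension in~ $file_extensions_common_archives`, so an archive delivered under a non-archive or missing extension is never inspected for padded inner names — worth a sentence in the description so analysts do not assume recursive coverage for every container. Since each pattern is a literal code point rather than an expression, a plain substring predicate would read more directly than a regex if MQL offers one for this field, but that is a style preference and the regex is correct as written.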