From 29f1b5caa5bb63d469b3d6d553cf19816c6a0529 Mon Sep 17 00:00:00 2001
From: Eric
Date: Tue, 17 Sep 2024 12:11:04 -0400
Subject: [PATCH 1/2] Add files via upload

---
 ...nicode_braille_pattern_blank_character.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml

diff --git a/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml b/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml
new file mode 100644
index 00000000000..9d84d4bdd0b
--- /dev/null
+++ b/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml
@@ -0,0 +1,25 @@
+name: 'Attachment: Filename Containing Unicode Braille Pattern Blank Character'
+description: |
+ Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters
+references:
+ - "https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/"
+type: "rule"
+authors:
+ - twitter: "vector_sec"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ regex.icontains(.file_name, '\x{2800}')
+ or (
+ .file_extension in~ $file_extensions_common_archives
+ and any(file.explode(.), regex.icontains(.file_name, '\x{2800}'))
+ )
+ )
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
\ No newline at end of file

From fa2bad8b3500b3f536d2cb60ea131ee6261e7c21 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 17 Sep 2024 16:13:09 +0000
Subject: [PATCH 2/2] Auto add rule ID

---
 ...name_containing_unicode_braille_pattern_blank_character.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
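Review bot: The `\x{2800}` pattern at both match sites is a single literal code point with no case, so `regex.icontains` reads as a case-insensitive search of something that cannot vary by case; the case-sensitive form of the same function, if the rule language provides one, would state the intent more plainly, and a one-line comment such as `# U+2800 is the Braille Pattern Blank character, rendered as whitespace by many viewers` above `source:` would save the next reader a lookup. The description frames the rule as catching a concealed file extension, but the visible condition fires on any occurrence of the character anywhere in `.file_name`, including members returned by `file.explode(.)` for common-archive attachments, so `description:` should say so explicitly (e.g. `Matches any inbound attachment, or member of a common archive, whose filename contains U+2800 anywhere`) to set expectations for tuning. Other invisible or whitespace-like code points are outside this rule as written; a sentence noting that narrow scope in the description would prevent a reader from assuming broader coverage.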
diff --git a/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml b/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml
index 9d84d4bdd0b..ee14be7477a 100644
--- a/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml
+++ b/detection-rules/attachment_filename_containing_unicode_braille_pattern_blank_character.yml
@@ -22,4 +22,5 @@ tactics_and_techniques:
 - "Evasion"
 detection_methods:
 - "Archive analysis"
- - "File analysis"
\ No newline at end of file
+ - "File analysis"
+id: "c230ca86-f563-58b0-8667-5052cc9bf3c6"