Add detection rule for 7z archives containing RAR files (#3471)

Co-authored-by: ID Generator <hello@sublimesecurity.com>

Author: morriscode

detection-rules/attachment_7z_archive_containing_rar_file.yml

@@ -0,0 +1,23 @@
+name: "Attachment: 7z Archive Containing RAR File"
+description: "Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats."
+type: "rule"
+severity: "medium"
+source: |
+    type.inbound
+    and any(attachments,
+            (
+              .file_extension in~ $file_extensions_common_archives
+              and  .file_type == "7z"
+            )
+            and any(file.expand_archives(.).files, .file_type == "rar")        
+    )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+id: "1a629bb4-931a-5395-bf22-da327d224d3c"