From e25e83dacb593291cc2f3b93f4af4b0f83475d7f Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 4 Nov 2025 10:03:52 -0500
Subject: [PATCH 1/2] Add detection rule for 7z archives containing RAR files
This rule detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats.
---
 ...achment_7z_archive_containing_rar_file.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 detection-rules/attachment_7z_archive_containing_rar_file.yml
diff --git a/detection-rules/attachment_7z_archive_containing_rar_file.yml b/detection-rules/attachment_7z_archive_containing_rar_file.yml
new file mode 100644
index 00000000000..3ebb7e6b615
--- /dev/null
+++ b/detection-rules/attachment_7z_archive_containing_rar_file.yml
@@ -0,0 +1,22 @@
+name: "Attachment: 7z Archive Containing RAR File"
+description: "Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ $file_extensions_common_archives
+ and .file_type == "7z"
+ )
+ and any(file.expand_archives(.).files, .file_type == "rar")
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
From d6e5a2e139f222d78931fc7ac7f2813410c20be0 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 4 Nov 2025 15:07:40 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/attachment_7z_archive_containing_rar_file.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_7z_archive_containing_rar_file.yml b/detection-rules/attachment_7z_archive_containing_rar_file.yml
index 3ebb7e6b615..742b29f6731 100644
--- a/detection-rules/attachment_7z_archive_containing_rar_file.yml
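Review bot: The `.file_extension in~ $file_extensions_common_archives` clause in the `source` predicate narrows the rule in the wrong direction: `.file_type == "7z"` is checked separately (presumably derived from content rather than the name), so a 7z attachment delivered under a non-archive extension fails the extension test and is not matched even though the nested RAR is still present, and a content/extension mismatch is if anything a stronger evasion signal than a plainly named archive. Unless the extension list is there to bound the cost of `file.expand_archives`, consider dropping it so the attachment predicate reads `.file_type == "7z" and any(file.expand_archives(.).files, .file_type == "rar")`, or keep it and add a second branch for the mismatch case. The `description` should also state the limitation that an encrypted 7z, which `file.expand_archives` cannot open, produces no inner files and therefore does not match, since that is the common delivery pattern for this nesting trick and readers of a "medium" severity rule will otherwise assume it is covered. Nothing in the rule inspects the contents of the nested RAR; that is fine for an attack-surface-reduction rule but worth a sentence so nobody assumes the RAR payload was classified.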
+++ b/detection-rules/attachment_7z_archive_containing_rar_file.yml
@@ -20,3 +20,4 @@ tactics_and_techniques:
 detection_methods:
 - "Archive analysis"
 - "File analysis"
+id: "1a629bb4-931a-5395-bf22-da327d224d3c"