Merge PR #5445 from @swachchhanda000 - feat: add coverage for Unicode Space Character Obfuscation

update: Suspicious Double Extension Files: add more suspicious extension combination
update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - add Unicode space character
update: Suspicious Double Extension File Execution: add more suspicious extension combination

---------

Co-authored-by: nasbench <[email protected]>

Author: swachchhanda000

rules/windows/file/file_event/file_event_win_susp_double_extension.yml

@@ -13,9 +13,10 @@ references:
     - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
     - https://twitter.com/malwrhunterteam/status/1235135745611960321
     - https://twitter.com/luc4m/status/1073181154126254080
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022-06-19
-modified: 2022-11-07
+modified: 2025-05-30
 tags:
     - attack.defense-evasion
     - attack.t1036.007
@@ -27,16 +28,22 @@ detection:
         TargetFilename|endswith:
             - '.exe'
             - '.iso'
-            # - '.lnk'  # legitimate links can happen just anywhere
             - '.rar'
             - '.zip'
+            # - '.lnk'  # legitimate links can happen just anywhere
         TargetFilename|contains:
             - '.doc.'
             - '.docx.'
+            - '.gif.'
+            - '.jpeg.'
             - '.jpg.'
+            - '.mp3.'
+            - '.mp4.'
             - '.pdf.'
+            - '.png.'
             - '.ppt.'
             - '.pptx.'
+            - '.svg.'
             - '.xls.'
             - '.xlsx.'
     selection_exe:

rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml

@@ -16,7 +16,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems), Josh Nickels
 date: 2024-09-02
-modified: 2024-09-05
+modified: 2025-05-30
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -29,12 +29,14 @@ detection:
             - '\cmd.exe'
             - '\cscript.exe'
             - '\powershell.exe'
+            - '\powershell_ise.exe'
             - '\pwsh.exe'
             - '\wscript.exe'
         OriginalFileName:
             - 'Cmd.EXE'
             - 'cscript.exe'
             - 'PowerShell.EXE'
+            - 'PowerShell_ISE.EXE'
             - 'pwsh.dll'
             - 'wscript.exe'
     selection_special_chars:
@@ -55,6 +57,8 @@ detection:
             - '¯'
             - '®'
             - '¶'
+            # Unicode whitespace characters
+            - '⠀' # Braille Pattern Blank (Unicode: U+2800)
     condition: all of selection_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_susp_double_extension.yml

@@ -8,9 +8,10 @@ description: Detects suspicious use of an .exe extension after a non-executable
 references:
     - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
     - https://twitter.com/blackorbird/status/1140519090961825792
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
 author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
 date: 2019-06-26
-modified: 2023-02-28
+modified: 2025-05-30
 tags:
     - attack.initial-access
     - attack.t1566.001
@@ -20,48 +21,68 @@ logsource:
 detection:
     selection:
         Image|endswith:
-            - '.doc.exe'
-            - '.docx.exe'
-            - '.xls.exe'
-            - '.xlsx.exe'
-            - '.ppt.exe'
-            - '.pptx.exe'
-            - '.rtf.exe'
-            - '.pdf.exe'
-            - '.txt.exe'
             - '      .exe'
             - '______.exe'
+            - '.doc.exe'
             - '.doc.js'
+            - '.docx.exe'
             - '.docx.js'
-            - '.xls.js'
-            - '.xlsx.js'
+            - '.gif.exe'
+            - '.jpeg.exe'
+            - '.jpg.exe'
+            - '.mkv.exe'
+            - '.mov.exe'
+            - '.mp3.exe'
+            - '.mp4.exe'
+            - '.pdf.exe'
+            - '.pdf.js'
+            - '.png.exe'
+            - '.ppt.exe'
             - '.ppt.js'
+            - '.pptx.exe'
             - '.pptx.js'
+            - '.rtf.exe'
             - '.rtf.js'
-            - '.pdf.js'
+            - '.svg.exe'
+            - '.txt.exe'
             - '.txt.js'
-        CommandLine|contains:
-            - '.doc.exe'
-            - '.docx.exe'
             - '.xls.exe'
+            - '.xls.js'
             - '.xlsx.exe'
-            - '.ppt.exe'
-            - '.pptx.exe'
-            - '.rtf.exe'
-            - '.pdf.exe'
-            - '.txt.exe'
+            - '.xlsx.js'
+            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
+        CommandLine|contains:
             - '      .exe'
             - '______.exe'
+            - '.doc.exe'
             - '.doc.js'
+            - '.docx.exe'
             - '.docx.js'
-            - '.xls.js'
-            - '.xlsx.js'
+            - '.gif.exe'
+            - '.jpeg.exe'
+            - '.jpg.exe'
+            - '.mkv.exe'
+            - '.mov.exe'
+            - '.mp3.exe'
+            - '.mp4.exe'
+            - '.pdf.exe'
+            - '.pdf.js'
+            - '.png.exe'
+            - '.ppt.exe'
             - '.ppt.js'
+            - '.pptx.exe'
             - '.pptx.js'
+            - '.rtf.exe'
             - '.rtf.js'
-            - '.pdf.js'
+            - '.svg.exe'
+            - '.txt.exe'
             - '.txt.js'
+            - '.xls.exe'
+            - '.xls.js'
+            - '.xlsx.exe'
+            - '.xlsx.js'
+            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
     condition: selection
 falsepositives:
     - Unknown
-level: critical
+level: high