feat: Add coverage for Unicode Space Character Obfuscation

rules/windows/file/file_event/file_event_win_susp_double_extension.yml

@@ -13,9 +13,10 @@ references:
     - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
     - https://twitter.com/malwrhunterteam/status/1235135745611960321
     - https://twitter.com/luc4m/status/1073181154126254080
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022-06-19
-modified: 2022-11-07
+modified: 2025-05-30
 tags:
     - attack.defense-evasion
     - attack.t1036.007
@@ -34,6 +35,12 @@ detection:
             - '.doc.'
             - '.docx.'
             - '.jpg.'
+            - '.jpeg.'
+            - '.png.'
+            - '.gif.'
+            - '.svg.'
+            - '.mp3.'
+            - '.mp4.'
             - '.pdf.'
             - '.ppt.'
             - '.pptx.'

rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml

@@ -16,7 +16,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems), Josh Nickels
 date: 2024-09-02
-modified: 2024-09-05
+modified: 2025-05-30
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -29,12 +29,14 @@ detection:
             - '\cmd.exe'
             - '\cscript.exe'
             - '\powershell.exe'
+            - '\powershell_ise.exe'
             - '\pwsh.exe'
             - '\wscript.exe'
         OriginalFileName:
             - 'Cmd.EXE'
             - 'cscript.exe'
             - 'PowerShell.EXE'
+            - 'PowerShell_ISE.EXE'
             - 'pwsh.dll'
             - 'wscript.exe'
     selection_special_chars:
@@ -55,6 +57,8 @@ detection:
             - '¯'
             - '®'
             - '¶'
+            # Unicode whitespace characters
+            - '⠀' # Braille Pattern Blank (Unicode: U+2800)
     condition: all of selection_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_susp_double_extension.yml

@@ -8,9 +8,10 @@ description: Detects suspicious use of an .exe extension after a non-executable
 references:
     - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
     - https://twitter.com/blackorbird/status/1140519090961825792
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
 author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
 date: 2019-06-26
-modified: 2023-02-28
+modified: 2025-05-30
 tags:
     - attack.initial-access
     - attack.t1566.001
@@ -29,8 +30,18 @@ detection:
             - '.rtf.exe'
             - '.pdf.exe'
             - '.txt.exe'
+            - '.jpg.exe'
+            - '.jpeg.exe'
+            - '.png.exe'
+            - '.gif.exe'
+            - '.svg.exe'
+            - '.mkv.exe'
+            - '.mp3.exe'
+            - '.mp4.exe'
+            - '.mov.exe'
             - '      .exe'
             - '______.exe'
+            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
             - '.doc.js'
             - '.docx.js'
             - '.xls.js'
@@ -50,8 +61,18 @@ detection:
             - '.rtf.exe'
             - '.pdf.exe'
             - '.txt.exe'
+            - '.jpg.exe'
+            - '.jpeg.exe'
+            - '.png.exe'
+            - '.gif.exe'
+            - '.svg.exe'
+            - '.mkv.exe'
+            - '.mp3.exe'
+            - '.mp4.exe'
+            - '.mov.exe'
             - '      .exe'
             - '______.exe'
+            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
             - '.doc.js'
             - '.docx.js'
             - '.xls.js'