Attachment: 7z Archive Containing RAR File

Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats.

Sublime rule

name: "Attachment: 7z Archive Containing RAR File"
description: "Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats."
type: "rule"
severity: "medium"
source: |
    type.inbound
    and any(attachments,
            (
              .file_extension in~ $file_extensions_common_archives
              and .file_type == "7z"
            )
            and any(file.expand_archives(.).files, .file_type == "rar")
    )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "1a629bb4-931a-5395-bf22-da327d224d3c"
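The rule keys on content-derived file types (`.file_type`) rather than the attachment's name, so a renamed archive still matches. The following Python is an added illustration of that logic, not Sublime's engine or the rule itself: it identifies 7z and RAR by magic bytes and applies the rule's two conditions to constructed sample headers. The contents of `$file_extensions_common_archives` and the already-expanded member list (what `file.expand_archives()` would supply) are assumptions.

```python
# Added example: a stand-alone model of the rule's checks. File types are
# derived from magic bytes, never from the file name, mirroring .file_type.

SEVEN_ZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"  # 7z signature
RAR_MAGIC = b"Rar!\x1a\x07"                    # RAR 1.5-4.x ends \x00, RAR5 ends \x01\x00

# Assumed contents of $file_extensions_common_archives (the real list is engine-defined).
COMMON_ARCHIVE_EXTENSIONS = {"7z", "zip", "rar", "tar", "gz", "iso"}


def file_type(data: bytes) -> str:
    """Return a content-derived type, independent of the file name."""
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "7z"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"


def rule_matches(filename: str, data: bytes, expanded_members: list[bytes]) -> bool:
    """Model of the rule: extension in the common-archive list (case-insensitive,
    like in~), content is a 7z archive, and any expanded member is a RAR archive.
    expanded_members stands in for file.expand_archives(.).files."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in COMMON_ARCHIVE_EXTENSIONS:
        return False
    if file_type(data) != "7z":
        return False
    return any(file_type(member) == "rar" for member in expanded_members)


# Constructed samples: only the leading bytes matter for type identification.
SEVEN_ZIP_HEADER = SEVEN_ZIP_MAGIC + b"\x00\x04" + b"\x00" * 26
RAR5_HEADER = RAR_MAGIC + b"\x01\x00" + b"\x00" * 8
PDF_HEADER = b"%PDF-1.7\n"

if __name__ == "__main__":
    print(rule_matches("invoice.7z", SEVEN_ZIP_HEADER, [RAR5_HEADER]))   # True: 7z wrapping a RAR
    print(rule_matches("invoice.7z", SEVEN_ZIP_HEADER, [PDF_HEADER]))    # False: no RAR inside
    print(rule_matches("invoice.bin", SEVEN_ZIP_HEADER, [RAR5_HEADER]))  # False: extension not in list
```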
