Attachment: Filename Containing Unicode Braille Pattern Blank Character

Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters

Sublime rule

```yaml
name: 'Attachment: Filename Containing Unicode Braille Pattern Blank Character'
description: |
    Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters
references:
  - "https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/"
  - "https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/"
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          regex.icontains(.file_name, '\x{2800}')
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.), regex.icontains(.file_name, '\x{2800}'))
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "c230ca86-f563-58b0-8667-5052cc9bf3c6"
```
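The same check re-implemented outside Sublime's query language, as an added Python example that is not part of the rule or of Sublime's own code. It assumes zip is the only archive type exploded (the rule's `$file_extensions_common_archives` list covers more) and adds a nesting depth bound the rule does not state; the sample zip and its member names are constructed here.

```python
import io
import re
import zipfile

# U+2800 BRAILLE PATTERN BLANK renders as whitespace, so a name such as
# "report.pdf" + blanks + ".url" looks like "report.pdf" in a file listing
# while the real extension sits after the invisible padding.
BRAILLE_BLANK = "\u2800"
BRAILLE_BLANK_RE = re.compile(BRAILLE_BLANK)

# Assumption: only zip is exploded here; other archive formats would need their own readers.
ARCHIVE_EXTENSIONS = {"zip"}


def has_braille_blank(file_name: str) -> bool:
    """True if the filename contains at least one U+2800 character."""
    return BRAILLE_BLANK_RE.search(file_name) is not None


def visible_name(file_name: str) -> str:
    """Approximate what a user perceives: the name up to the first braille blank."""
    return file_name.split(BRAILLE_BLANK, 1)[0]


def scan_attachment(file_name: str, data: bytes, depth: int = 0, max_depth: int = 4) -> list[str]:
    """Return every filename (outer attachment or archive member) containing U+2800.

    Recurses into zip members like the rule's file.explode(), bounded by max_depth
    so deeply nested archives cannot stall the scan.
    """
    findings = []
    if has_braille_blank(file_name):
        findings.append(file_name)
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    if ext in ARCHIVE_EXTENSIONS and depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                findings.extend(scan_attachment(info.filename, zf.read(info), depth + 1, max_depth))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one member hides '.url' behind eight braille blanks, one is benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly_report.pdf" + BRAILLE_BLANK * 8 + ".url", "sample\n")
        zf.writestr("notes.txt", "benign content\n")
    return buf.getvalue()
```

Because the check is a substring match on the raw filename, it fires whether the blanks pad the middle of the name or are the only padding before the extension.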