Add detection rule for CMD file attachments

Detects messages containing CMD files as attachments or within archives, highlighting potential malware risks.

Author: peterdj45

detection-rules/attachment_cmd_file.yml

@@ -0,0 +1,22 @@
+name: "Attachment: CMD file"
+description: "Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications."
+type: "rule"
+severity: "high"
+source: |
+    type.inbound
+    and length(attachments) > 0
+    and any(attachments,
+            .file_extension =~ "cmd"
+            or (
+              .file_extension in~ $file_extensions_common_archives
+              and any(file.explode(.), .file_extension =~ "cmd")
+            )
+    )
+
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"