Add detection rule for CMD file attachments (#3894)

Co-authored-by: CI Bot <hello@sublimesecurity.com>
Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>

Author: 3 people

detection-rules/attachment_cmd_file.yml

@@ -0,0 +1,25 @@
+name: "Attachment: cmd file extension"
+description: "Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications."
+type: "rule"
+severity: "low"
+source: |
+    type.inbound
+    and length(attachments) > 0
+    and any(attachments,
+            .file_extension =~ "cmd"
+            or (
+              .file_extension in~ $file_extensions_common_archives
+              and any(file.explode(.), .file_extension =~ "cmd")
+            )
+    )
+
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+id: "a902b8ed-b8ef-5232-b6bd-0fe915e6a161"