[PR #3067] changed rule: Attachment: WinRAR CVE-2025-8088 exploitation

Author: github-actions[bot]

detection-rules/3067_attachment_rar_cve-2025-8088.yml

@@ -0,0 +1,35 @@
+name: "Attachment: WinRAR CVE-2025-8088 exploitation"
+description: |
+  Detects attempts to exploit CVE-2025-8088 via attached RAR files
+type: "rule"
+severity: "high"
+source: |
+  type.inbound 
+  and any(attachments, 
+      // its a rar file
+      (
+          .content_type == "application/x-rar-compressed"
+          or .file_extension == "rar"
+          or .file_type == "rar"
+      )
+      // less than 10 meg
+      and .size < 10000000
+      // explode it
+      and any(file.explode(.), 
+          // contains a yara match
+          any(.scan.yara.matches, .name == "WinRAR_CVE_2025_8088")
+      )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Exploit"
+  - "Evasion"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "YARA"
+id: "d6b2b8df-24c1-57a4-a467-be82b5e4cbb2"
+og_id: "33b3a82b-0721-53b8-a5f2-d28e3d791b60"
+testing_pr: 3067
+testing_sha: e46845f9a61f9e0062aa72e04e44a175e4fcea62