Potential File Extension Spoofing Using Right-to-Left Override

Original Source: [Sigma source]
Title: Potential File Extension Spoofing Using Right-to-Left Override
Status: experimental
Description: Detects suspicious filenames that contain a right-to-left override character together with a potentially spoofed file extension.
References:
  - https://redcanary.com/blog/right-to-left-override/
  - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
Author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
Date: 2024-11-17
Modified: None
Tags:
  - 'attack.execution'
  - 'attack.defense-evasion'
  - 'attack.t1036.002'
Logsource:
  category: file_event
  product: windows
Detection:
  selection_rtlo_unicode:
    TargetFilename|contains: '\u202e'
  selection_extensions:
    TargetFilename|contains:
      - 'fpd..'
      - 'nls..'
      - 'vsc..'
      - 'xcod.'
      - 'xslx.'
  condition: all of selection_*
Falsepositives:
  - Filenames written in right-to-left scripts such as Arabic or Hebrew may legitimately contain this character
Level: high
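To make the detection logic and the false-positive note concrete, the following is an added Python re-implementation of the rule (it is example code, not part of the Sigma project). It applies the two selections and the `all of selection_*` condition to `TargetFilename` values, and also shows roughly how a file manager would display each name, since that is what the spoof relies on. The substring list is copied from the rule above; the sample filenames are constructed for this example, and `approximate_rendering` is a deliberate simplification of the Unicode bidi algorithm (it reverses everything after the override and ignores a terminating pop-directional-formatting character).

```python
# Added example: re-implementation of the Sigma rule's logic over constructed
# file_event samples. Not the Sigma project's own code.

RLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE

# Substrings from the rule's selection_extensions list (copied verbatim).
SPOOFED_EXTENSION_TOKENS = ["fpd..", "nls..", "vsc..", "xcod.", "xslx."]


def approximate_rendering(filename: str) -> str:
    """Approximate how the name is displayed: characters after the override are
    forced right-to-left, so they appear reversed. Simplification of the bidi
    algorithm (assumed behaviour, no PDF handling) for illustration only."""
    if RLO not in filename:
        return filename
    head, _, tail = filename.partition(RLO)
    return head + tail[::-1]


def selection_rtlo_unicode(target_filename: str) -> bool:
    """TargetFilename|contains: '\\u202e'"""
    return RLO in target_filename


def selection_extensions(target_filename: str) -> bool:
    """TargetFilename|contains any of the reversed-extension tokens."""
    return any(tok in target_filename for tok in SPOOFED_EXTENSION_TOKENS)


def matches_rule(target_filename: str) -> bool:
    """condition: all of selection_* -> both selections must be true."""
    return selection_rtlo_unicode(target_filename) and selection_extensions(target_filename)


def evaluate(events):
    """Return (filename, rendered_name, matched) for each TargetFilename."""
    return [(f, approximate_rendering(f), matches_rule(f)) for f in events]


# Constructed sample TargetFilename values (not real telemetry).
SAMPLE_EVENTS = [
    # Displayed as "contractexe.docx": RLO plus reversed "docx" token -> alert
    "C:\\Users\\alice\\Downloads\\contract\u202excod.exe",
    # Displayed as "budget_2024rcs.xlsx": RLO plus reversed "xlsx" token -> alert
    "C:\\Users\\alice\\Downloads\\budget_2024\u202exslx.scr",
    # RLO inside an Arabic filename, no spoofed-extension token -> the
    # documented false-positive source, correctly NOT matched
    "C:\\Users\\alice\\Documents\\\u202eتقرير.txt",
    # Token present but no override character -> no alert
    "C:\\Users\\alice\\Documents\\notes_xcod.txt",
]

if __name__ == "__main__":
    for raw, shown, hit in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT' if hit else 'ok   '}  shown as: {shown!r}  raw: {raw!r}")
```

Because the condition requires both selections, a right-to-left override on its own (the Arabic sample) does not fire; only the combination with one of the reversed extension tokens does, which is the trade-off the false-positive note describes.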