Name:Detect RTLO In File Name id:468b7e11-d362-43b8-b6ec-7a2d3b246678 version:4 date:2024-09-30 author:Steven Dick status:production type:TTP Description:The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the RTLO character (U+202E). This activity is significant because adversaries use RTLO to disguise malicious files as benign by reversing the text that follows the character. If confirmed malicious, this technique can deceive users and security tools, leading to the execution of harmful files and potential system compromise. Data_source:
-Sysmon EventID 11
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = "\\x{202E}" | rex field=file_name "(?<RTLO_file_1>.+)(?<RTLO_exist_file>\\x{202E})(?<RTLO_file_2>.+)" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`
how_to_implement:To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. known_false_positives:Implementation in regions that use right to left in native language. References: -https://attack.mitre.org/techniques/T1036/002/ -https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ -https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Spearphishing Attachments' asset_type:Endpoint confidence:80 impact:50 message:Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$. mitre_attack_id: - 'T1036.002' - 'T1036' observable: name:'user' type:'User' - role: - 'Victim' name:'dest' type:'Endpoint' - role: - 'Victim' name:'file_name' type:'File Name' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Filesystem.dest' - 'Filesystem.user' - 'Filesystem.file_name' - 'Filesystem.file_path' - 'Filesystem.process_id' risk_score:40 security_domain:endpoint
