File with Right-to-Left Override Character (RTLO) Created/Executed
Identifies the creation or execution of files or processes with names containing the Right-to-Left Override (RTLO) character, which can be used to disguise the file extension and trick users into executing malicious files.
Elastic rule
[metadata]
creation_date = "2025/01/20"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/22"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the creation or execution of files or processes with names containing the Right-to-Left Override (RTLO)
character, which can be used to disguise the file extension and trick users into executing malicious files.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-endpoint.events.file-*",
  "logs-windows.sysmon_operational-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "File with Right-to-Left Override Character (RTLO) Created/Executed"
risk_score = 47
rule_id = "7e763fd1-228a-4d43-be88-3ffc14cd7de1"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and event.category in ("file", "process") and
  (
    (event.type == "creation" and file.path : "*\u{202E}*") or
    (event.type == "start" and process.name : "*\u{202E}*")
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating File with Right-to-Left Override Character (RTLO) Created/Executed

The RTLO character reverses text direction, often used to disguise file extensions, making malicious files appear benign. Adversaries exploit this to trick users into executing harmful files. The detection rule identifies suspicious file or process activities on Windows systems by scanning for RTLO characters in file paths or process names, helping to uncover potential masquerading attempts.

### Possible investigation steps

- Review the alert details to identify the specific file path or process name containing the RTLO character by examining the file.path or process.name fields.
- Check the event.type field to determine whether the alert was triggered by a file creation or process start event, which can help prioritize the investigation focus.
- Investigate the origin of the file or process by examining the file's creation time, user account involved, and any associated network activity to identify potential sources or delivery methods.
- Analyze the file or process for malicious behavior by using endpoint detection tools or sandbox environments to execute and monitor its actions.
- Cross-reference the file or process with threat intelligence databases to check for known malicious indicators or similar attack patterns.
- Review system logs and other security alerts around the same timeframe to identify any additional suspicious activities or related incidents.

### False positive analysis

- Legitimate software installations or updates may use RTLO characters in file names to manage versioning or localization, which can trigger false positives. Users can create exceptions for known software vendors or specific installation directories to reduce these alerts.
- Some file management or backup applications might use RTLO characters in temporary file names for internal processing. Identifying these applications and excluding their specific file paths from monitoring can help minimize false positives.
- Custom scripts or tools developed in-house might inadvertently use RTLO characters for legitimate purposes. Reviewing these scripts and excluding their execution paths or file names from the detection rule can prevent unnecessary alerts.
- Certain international or multilingual applications may use RTLO characters as part of their normal operation. Users should identify these applications and configure exceptions based on their file paths or process names to avoid false positives.
- In environments where file names are dynamically generated and may include RTLO characters, consider implementing a whitelist of trusted file paths or process names to reduce the likelihood of false alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Terminate any suspicious processes identified with the RTLO character in their names to halt any ongoing malicious activity.
- Quarantine the files containing the RTLO character to prevent execution and further analysis.
- Conduct a thorough scan of the isolated system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
- Review and analyze system logs and security alerts to determine the extent of the compromise and identify any lateral movement or additional affected systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary.
- Implement enhanced monitoring and detection rules to identify future attempts to use RTLO characters for masquerading, ensuring that similar threats are detected promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.002"
name = "Right-to-Left Override"
reference = "https://attack.mitre.org/techniques/T1036/002/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
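The following added example (not part of the Elastic rule or its repository) re-implements the EQL query's logic in Python over constructed ECS-style events, so an analyst can see why a name such as `invoice_<U+202E>fdp.exe` matches and how it renders to a user, and it adds the path allow-list the false-positive section suggests. The event dictionaries, the `allow_prefixes` parameter and all function names are assumptions for illustration.

```python
RTLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE, the character the EQL query looks for

# Constructed sample events using the ECS fields the rule queries (not real telemetry).
SAMPLE_EVENTS = [
    {"host": {"os": {"type": "windows"}}, "event": {"category": "file", "type": "creation"},
     "file": {"path": "C:\\Users\\alice\\Downloads\\invoice_" + RTLO + "fdp.exe"}},
    {"host": {"os": {"type": "windows"}}, "event": {"category": "process", "type": "start"},
     "process": {"name": "photo_" + RTLO + "gnp.scr"}},
    {"host": {"os": {"type": "windows"}}, "event": {"category": "process", "type": "start"},
     "process": {"name": "notepad.exe"}},  # benign: no RTLO, must not match
    {"host": {"os": {"type": "linux"}}, "event": {"category": "file", "type": "creation"},
     "file": {"path": "/tmp/report_" + RTLO + "fdp.exe"}},  # rule is Windows-only
]


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware renderer shows: everything after U+202E is reversed.

    The true extension stays whatever follows the last '.' in the raw string."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def true_extension(name: str) -> str:
    """Extension the OS actually uses, taken from the raw (unrendered) name."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def matches_rule(ev: dict, allow_prefixes=()) -> bool:
    """Python equivalent of the EQL query, plus an optional allow-list of trusted path
    prefixes (the tuning the rule's false-positive guidance recommends)."""
    if ev.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    cat = ev.get("event", {}).get("category")
    etype = ev.get("event", {}).get("type")
    if cat == "file" and etype == "creation":
        value = ev.get("file", {}).get("path", "")
    elif cat == "process" and etype == "start":
        value = ev.get("process", {}).get("name", "")
    else:
        return False
    if any(value.startswith(prefix) for prefix in allow_prefixes):
        return False
    return RTLO in value


def triage(events) -> list:
    """Return (raw name, rendered name, real extension) for every matching event."""
    out = []
    for ev in events:
        if matches_rule(ev):
            raw = ev.get("file", {}).get("path") or ev.get("process", {}).get("name")
            out.append((raw, displayed_name(raw), true_extension(raw)))
    return out
```

Running `triage(SAMPLE_EVENTS)` shows the first sample rendering as `invoice_exe.pdf` while its real extension is `exe`, which is the discrepancy an analyst should confirm in the file.path or process.name field.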