Suspicious Command Line Containing Right-to-Left Override
Detects the presence of the u202+E character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used in obfuscation and masquerading techniques.
Sigma rule (View on GitHub)
1title: Suspicious Command Line Containing Right-to-Left Override
2id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
3status: experimental
4description: Detects the presence of the u202+E character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used in obfuscation and masquerading techniques.
5references:
6 - https://redcanary.com/blog/right-to-left-override/
7 - https://unicode-explorer.com/c/202E
8author: Micah Babinski, @micahbabinski
9date: 2023/01/30
10tags:
11 - attack.defense_evasion
12 - attack.t1036
13 - attack.t1036.002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 # you can't see it, but trust me, there's a right-to-left override character in the regex below! :P
20 CommandLine|re: ^.*.*$
21 condition: selection
22falsepositives:
23 - Unknown
24level: high```
References
-
Our Security Operations team loves to share insights on TTPs when we see them in the wild. Today an oldie but a goodie: right-to-left override attacks.
Read More -
U+202E RIGHT-TO-LEFT OVERRIDE, copy and paste, unicode character symbol info, commonly abbreviated RLO
Read More
Related rules
- Process Creation With Double File Extension
- Bumblebee WmiPrvSE execution pattern
- Suspicious Use of Rcedit Utility to Alter Executable Metadata
- Command or Scripting Interpreter Creating EXE File
- File Creation of Executables in Temp Folders (Event 4663)