Potential File Extension Spoofing Using Right-to-Left Override

Detects suspicious filenames that contain a right-to-left override character (U+202E) together with a potentially spoofed file extension.

Sigma rule

title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: experimental
description: |
        Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
date: 2024-11-17
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains: '\u202e'
    selection_extensions:
        TargetFilename|contains:
            - 'fpd..'
            - 'nls..'
            - 'vsc..'
            - 'xcod.'
            - 'xslx.'
    condition: all of selection_*
falsepositives:
    - Filenames that contains scriptures such as arabic or hebrew might make use of this character
level: high
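The following is an added example, not part of the Sigma rule or of SigmaHQ: it re-implements the rule's two selections and their `all of selection_*` condition in plain Python and runs them over a few constructed `file_event` records, so an analyst can see which names fire and why. It also approximates how a file manager renders a name containing U+202E (the characters after the override are drawn reversed), and goes one step beyond the rule by listing every explicit bidi formatting character in a name, not only U+202E. The event dictionaries, paths and filenames are constructed sample data; `matches_rule`, `rendered_name`, `evaluate` and `bidi_controls` are names chosen here. Note that the example matches on the actual U+202E code point; how the literal `'\u202e'` in the YAML is turned into that code point is up to the Sigma conversion backend.

```python
# Added example (not the Sigma rule's own code): evaluates the rule's logic
# over constructed file_event records.
import unicodedata

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, what selection_rtlo_unicode looks for

# Substrings from selection_extensions, copied verbatim from the rule
SPOOFED_EXTENSION_FRAGMENTS = ("fpd..", "nls..", "vsc..", "xcod.", "xslx.")

# Unicode Bidi_Class values of the explicit formatting characters
# (embeddings, overrides, isolates and their terminators)
EXPLICIT_BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def matches_rule(target_filename: str) -> bool:
    """True when both selections match, i.e. 'condition: all of selection_*'."""
    has_rtlo = RTLO in target_filename
    has_fragment = any(frag in target_filename for frag in SPOOFED_EXTENSION_FRAGMENTS)
    return has_rtlo and has_fragment


def rendered_name(target_filename: str) -> str:
    """Approximate the displayed name: everything after U+202E is drawn reversed.

    Real bidi layout has more rules than this, but the simplification is enough
    to show why 'xcod.exe' on disk reads as 'exe.docx' on screen.
    """
    if RTLO not in target_filename:
        return target_filename
    head, tail = target_filename.split(RTLO, 1)
    return head + tail[::-1]


def bidi_controls(target_filename: str) -> list:
    """List (code point, Bidi_Class) for every explicit bidi formatting character.

    This is broader than the rule, which only checks U+202E; it helps triage
    names that use other overrides or isolates to the same effect.
    """
    return [
        (f"U+{ord(ch):04X}", unicodedata.bidirectional(ch))
        for ch in target_filename
        if unicodedata.bidirectional(ch) in EXPLICIT_BIDI_CLASSES
    ]


def evaluate(events: list) -> list:
    """Run the rule over file_event records and return one alert per match."""
    alerts = []
    for ev in events:
        name = ev["TargetFilename"]
        if matches_rule(name):
            alerts.append({
                "TargetFilename": name,
                "Rendered": rendered_name(name),   # what the user would have seen
                "BidiControls": bidi_controls(name),
                "Image": ev.get("Image"),
            })
    return alerts


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # spoof: on disk 'Q3_report<RLO>xcod.exe', displayed as 'Q3_reportexe.docx'
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\a\\Downloads\\Q3_report" + RTLO + "xcod.exe"},
    # spoof: on disk 'budget<RLO>xslx.scr', displayed as 'budgetrcs.xlsx'
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\a\\Downloads\\budget" + RTLO + "xslx.scr"},
    # legitimate Arabic document name using the override: no extension fragment, no alert
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\a\\Documents\\" + RTLO + "تقرير.docx"},
    # ordinary name: no override, no alert
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\a\\Documents\\notes.docx"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"ALERT on disk={alert['TargetFilename']!r}")
        print(f"      displayed as={alert['Rendered']!r} bidi={alert['BidiControls']}")
```

Running it yields two alerts, for the `.exe` and `.scr` files whose names render as `.docx` and `.xlsx`; the Arabic document name carries U+202E but none of the listed fragments, which is exactly the false-positive case the rule's `falsepositives` entry describes.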
