Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
Sigma rule
title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: experimental
description: |
    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
date: 2024-11-17
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains: '\u202e'
    selection_extensions:
        TargetFilename|contains:
            - 'fpd..'
            - 'nls..'
            - 'vsc..'
            - 'xcod.'
            - 'xslx.'
    condition: all of selection_*
falsepositives:
    - Filenames that contain scripts such as Arabic or Hebrew might make use of this character
level: high
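The following Python script is an added illustration of what this rule checks, not part of the rule or the Sigma project. It mirrors the two selections (the U+202E character plus one of the reversed-extension fragments, combined with "all of") over a few constructed TargetFilename values, and alongside that shows why the fragments look reversed: a bidi-aware file browser draws everything after U+202E right-to-left, so the extension the user sees differs from the one the operating system actually uses. The rendering function is a deliberate approximation of the Unicode bidi algorithm that is accurate for ASCII letters and dots; the `\u202e` in the rule is assumed to mean the code point U+202E, and the sample paths are constructed.

```python
import ntpath
import re

RTLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE, invisible when rendered
PDF = "\u202c"   # U+202C POP DIRECTIONAL FORMATTING, ends an override

# Reversed-extension fragments copied verbatim from the rule's selection_extensions.
SPOOFED_EXTENSION_FRAGMENTS = ("fpd..", "nls..", "vsc..", "xcod.", "xslx.")


def matches_rule(target_filename: str) -> bool:
    """Evaluate the rule: selection_rtlo_unicode AND selection_extensions.
    Sigma's |contains is case-insensitive, so compare on the lowercased string."""
    lowered = target_filename.lower()
    has_rtlo = RTLO in lowered
    has_fragment = any(frag in lowered for frag in SPOOFED_EXTENSION_FRAGMENTS)
    return has_rtlo and has_fragment


def rendered_name(target_filename: str) -> str:
    """Approximate what a bidi-aware UI displays: the run after U+202E is drawn
    right-to-left (reversed) until U+202C or the end of the string, and the
    control characters themselves are not drawn. Good enough for ASCII names."""
    return re.sub(
        RTLO + "([^" + PDF + "]*)" + PDF + "?",
        lambda m: m.group(1)[::-1],
        target_filename,
    )


def real_extension(target_filename: str) -> str:
    """Extension the OS acts on: taken from the raw, unrendered Windows path."""
    return ntpath.splitext(target_filename)[1].lower()


def shown_extension(target_filename: str) -> str:
    """Extension a user perceives after the override has been rendered."""
    return ntpath.splitext(rendered_name(target_filename))[1].lower()


def extension_mismatch(target_filename: str) -> bool:
    """Broader check than the rule: any U+202E that changes the visible extension."""
    return RTLO in target_filename and real_extension(target_filename) != shown_extension(target_filename)


def triage(target_filenames):
    """Run both checks over a batch of file_event TargetFilename values."""
    return [
        {
            "target": name,
            "rendered": rendered_name(name),
            "real_ext": real_extension(name),
            "shown_ext": shown_extension(name),
            "matches_rule": matches_rule(name),
            "mismatch": extension_mismatch(name),
        }
        for name in target_filenames
    ]


# Constructed sample events (assumption: paths as Sysmon would log them).
SAMPLE_EVENTS = [
    "C:\\Users\\alice\\Downloads\\report" + RTLO + "xcod.exe",   # shows as reportexe.docx
    "C:\\Users\\alice\\Downloads\\budget" + RTLO + "xslx.scr",   # shows as budgetrcs.xlsx
    "C:\\Users\\alice\\Downloads\\photo" + RTLO + "gnp.exe",     # RTLO, but .png is not in the rule's list
    "C:\\Users\\alice\\Documents\\\u062a\u0642\u0631\u064a\u0631.docx",  # Arabic name, no override
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(
            f"rule={row['matches_rule']!s:5} mismatch={row['mismatch']!s:5} "
            f"real={row['real_ext']:6} shown={row['shown_ext']:6} rendered={row['rendered']}"
        )
```

The third sample is the point to take away: it carries the override and hides an .exe behind an apparent .png, but the rule does not fire because only the five listed fragments are matched; the broader `extension_mismatch` check catches it at the cost of also flagging legitimate bidi use, which is exactly the false-positive trade-off the rule notes for Arabic and Hebrew filenames.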
Related rules
- Binary Proxy Execution Via Dotnet-Trace.EXE
- Add Potential Suspicious New Download Source To Winget
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via Squirrel.EXE