Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character (U+202E, RTLO) followed by a reversed benign extension, the pattern used to make a file such as `invoice<RTLO>fdp.exe` display as `invoiceexe.pdf`.
Sigma rule

```yaml
title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: test
description: |
    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-11-17
modified: 2026-03-20
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains:
            - '\u202e'   # Textual rendering of the RTLO character (single quotes: literal backslash)
            - '[U+202E]' # Another textual rendering emitted by some log pipelines
            # The real U+202E character; the YAML double-quoted escape yields the literal (invisible) character
            - "\u202E"
    selection_extensions:
        TargetFilename|contains:
            - '3pm.'  # Reversed `.mp3`
            - '4pm.'  # Reversed `.mp4`
            - 'cod.'  # Reversed `.doc`
            - 'fdp.'  # Reversed `.pdf`
            - 'ftr.'  # Reversed `.rtf`
            - 'gepj.' # Reversed `.jpeg`
            - 'gnp.'  # Reversed `.png`
            - 'gpj.'  # Reversed `.jpg`
            - 'ism.'  # Reversed `.msi`
            - 'lmth.' # Reversed `.html`
            - 'nls.'  # Reversed `.sln`
            - 'piz.'  # Reversed `.zip`
            - 'slx.'  # Reversed `.xls`
            - 'tdo.'  # Reversed `.odt`
            - 'vsc.'  # Reversed `.csv`
            - 'vwm.'  # Reversed `.wmv`
            - 'xcod.' # Reversed `.docx`
            - 'xslx.' # Reversed `.xlsx`
            - 'xtpp.' # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Filenames written in right-to-left scripts such as Arabic or Hebrew may legitimately contain this character
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
```
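The following is an added example, not code from the Sigma rule or the SigmaHQ project. It builds an RTLO-spoofed filename, approximates how a bidi-aware file browser would draw it, and re-implements the rule's two selections and `all of selection_*` condition over a handful of constructed `file_event` records. The records, the `build_spoofed_name`, `approximate_display`, `matches_rule` and `triage` helpers, and the user/path names are all assumptions for illustration; the rendering helper only reverses the text after the RTLO character, which is a simplification of the Unicode bidi algorithm that is adequate for ASCII filenames.

```python
"""Added example: RTLO extension spoofing, and a re-implementation of the Sigma rule's logic."""

RTLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE

# selection_rtlo_unicode: the raw control character plus two textual renderings
# that some log pipelines emit instead of the character itself.
RTLO_MARKERS = (RTLO, "\\u202e", "[U+202E]")

# selection_extensions: benign extensions spelled backwards, as they are stored
# on disk when an attacker places them after the RTLO character.
REVERSED_EXTENSIONS = (
    "3pm.", "4pm.", "cod.", "fdp.", "ftr.", "gepj.", "gnp.", "gpj.", "ism.", "lmth.",
    "nls.", "piz.", "slx.", "tdo.", "vsc.", "vwm.", "xcod.", "xslx.", "xtpp.",
)


def build_spoofed_name(visible_stem: str, fake_ext: str, real_ext: str) -> str:
    """Stored form of an RTLO-spoofed filename.

    build_spoofed_name("invoice", "pdf", "exe") -> "invoice\u202efdp.exe"
    The fake extension is written backwards because the RTLO will flip it on screen.
    """
    return f"{visible_stem}{RTLO}{fake_ext[::-1]}.{real_ext}"


def approximate_display(name: str) -> str:
    """Rough rendering: everything after the RTLO is drawn right to left.

    Simplified bidi handling (assumption of this example), fine for ASCII names:
    "invoice\u202efdp.exe" -> "invoiceexe.pdf"
    """
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def matches_rule(target_filename: str) -> bool:
    """Mirror of the rule: both selections must hit. Sigma |contains is case-insensitive."""
    name = target_filename.lower()
    has_rtlo = any(marker.lower() in name for marker in RTLO_MARKERS)
    has_reversed_ext = any(ext in name for ext in REVERSED_EXTENSIONS)
    return has_rtlo and has_reversed_ext


def triage(events):
    """Return the TargetFilename values the rule would alert on, in input order."""
    return [e["TargetFilename"] for e in events if matches_rule(e["TargetFilename"])]


# Constructed file_event records (not real telemetry).
SAMPLE_EVENTS = [
    # True positive: stored as invoice<RTLO>fdp.exe, shown to the user as invoiceexe.pdf.
    {"TargetFilename": "C:\\Users\\alice\\Downloads\\" + build_spoofed_name("invoice", "pdf", "exe")},
    # True positive: a pipeline that textualises the control character as [U+202E].
    {"TargetFilename": "C:\\Users\\alice\\Downloads\\report[U+202E]xcod.scr"},
    # Benign: Hebrew filename carrying an RTLO but no reversed extension (the rule's
    # documented false-positive shape; here it does not fire because selection_extensions misses).
    {"TargetFilename": "C:\\Users\\alice\\Documents\\\u05d3\u05d5\u05d7" + RTLO + "\u05e9\u05dc\u05d5\u05dd.docx"},
    # Benign: a reversed-extension token with no RTLO anywhere in the path.
    {"TargetFilename": "C:\\Temp\\gnp.dat"},
]


if __name__ == "__main__":
    spoofed = build_spoofed_name("invoice", "pdf", "exe")
    print("stored:   ", spoofed.encode("unicode_escape").decode())
    print("displayed:", approximate_display(spoofed))
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit.encode("unicode_escape").decode())
```

Two points worth noting when porting this to a real pipeline: check how your log source serialises U+202E before relying on the raw-character match (some backends escape it, which is why the rule carries the textual forms as well), and keep the extension list as the second, mandatory half of the condition, since the RTLO character alone is legitimate in right-to-left scripts.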
Related rules
- MMC Executing Files with Reversed Extensions Using RTLO Abuse
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation