MMC Executing Files with Reversed Extensions Using RTLO Abuse
Detects malicious behavior where the MMC utility (mmc.exe) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
Sigma rule

```yaml
title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
status: experimental
description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
references:
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
    - https://en.wikipedia.org/wiki/Right-to-left_override
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.t1204.002
    - attack.defense-evasion
    - attack.t1218.014
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_commandline:
        # On disk the name ends in e.g. `fdp.msc`; a bidi-aware UI renders the part after
        # U+202E reversed, so the user sees `csm.pdf`. The real extension is always .msc.
        CommandLine|contains:
            - 'cod.msc' # Reversed `.doc`
            - 'fdp.msc' # Reversed `.pdf`
            - 'ftr.msc' # Reversed `.rtf`
            - 'lmth.msc' # Reversed `.html`
            - 'slx.msc' # Reversed `.xls`
            - 'tdo.msc' # Reversed `.odt`
            - 'xcod.msc' # Reversed `.docx`
            - 'xslx.msc' # Reversed `.xlsx`
            - 'xtpp.msc' # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
    - Unconventional but non-malicious usage of RLO or reversed extensions.
level: high
```
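The following is an added example, not part of the SigmaHQ rule or the rule's page: it rebuilds the rule's `all of selection_*` logic in Python and runs it over a few constructed process_creation events, so the match behaviour (case-insensitive `endswith`/`contains`, as Sigma defines them) can be checked offline. It also shows how the disguised filename is constructed with U+202E and how a bidi-aware UI renders it, and it derives the marker list generically from the decoy extensions rather than hardcoding it, so the same function covers decoys the rule does not list. The event fields, paths and the `rendered_name` approximation are assumptions for illustration.

```python
"""Re-implementation of the Sigma rule's detection logic over constructed events.
Example code added here; not part of SigmaHQ or the rule author's tooling."""

RLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE

# Decoy document extensions the rule targets; the on-disk extension is always .msc
DECOY_EXTENSIONS = ["doc", "pdf", "rtf", "html", "xls", "odt", "docx", "xlsx", "pptx"]


def reversed_extension_markers(extensions=DECOY_EXTENSIONS):
    """CommandLine substrings to look for: reversed decoy extension + '.msc'.
    For the rule's list this yields exactly 'cod.msc', 'fdp.msc', ... 'xtpp.msc'."""
    return [ext[::-1] + ".msc" for ext in extensions]


def disguised_filename(stem, decoy_ext):
    """On-disk name an attacker writes: stem + U+202E + reversed decoy ext + '.msc'.
    Example: disguised_filename('Invoice', 'pdf') -> 'Invoice\u202efdp.msc'."""
    return f"{stem}{RLO}{decoy_ext[::-1]}.msc"


def rendered_name(filename):
    """Approximate what a bidi-aware file browser draws: the characters after the
    override are displayed right-to-left. (Assumption: a simplification of the
    Unicode bidi algorithm, enough for ASCII stems and extensions.)"""
    head, sep, tail = filename.partition(RLO)
    return head + tail[::-1] if sep else filename


def matches_rule(event):
    """True if the event satisfies 'all of selection_*' for the rule.
    Sigma string modifiers are case-insensitive, so everything is lower-cased."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # selection_image: list of maps -> OR between the two entries
    selection_image = image.endswith("\\mmc.exe") or original == "mmc.exe"
    # selection_commandline: CommandLine|contains any of the markers
    selection_commandline = any(m in cmdline for m in reversed_extension_markers())
    return selection_image and selection_commandline


# Constructed process_creation events (not real telemetry)
SAMPLE_EVENTS = [
    {   # malicious: user double-clicked a file shown as "Invoicecsm.pdf"
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": '"C:\\Windows\\System32\\mmc.exe" "C:\\Users\\bob\\Downloads\\'
                       + disguised_filename("Invoice", "pdf") + '"',
    },
    {   # benign: administrator opening the Services console
        "Image": r"C:\Windows\System32\mmc.exe",
        "OriginalFileName": "MMC.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"',
    },
    {   # marker present but not MMC: selection_image fails, no alert
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\temp\cod.msc",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the rule verdict for each event, in order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT " if hit else "ok    ", e["CommandLine"])
    print("rendered:", rendered_name(disguised_filename("Invoice", "pdf")))
```

Two practitioner notes. First, because the markers are derived from the decoy list, a decoy the rule does not enumerate (for instance `.txt`, whose reversal is the palindrome `txt.msc`) can be added by extending `DECOY_EXTENSIONS` without touching the matching code. Second, the rule keys on the reversed extension string rather than on U+202E itself; a complementary check for the `\u202e` code point in `CommandLine` catches any decoy extension at the cost of firing on the non-malicious RLO uses listed under `falsepositives`.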
Related rules
- MMC Loading Script Engines DLLs
- Potential File Extension Spoofing Using Right-to-Left Override
- Suspicious Microsoft Office Child Process
- Kapeka Backdoor Loaded Via Rundll32.EXE
- Flash Player Update from Suspicious Location