MMC Executing Files with Reversed Extensions Using RTLO Abuse

calendar Oct 1, 2025 · attack.execution attack.t1204.002 attack.defense-evasion attack.t1218.014 attack.t1036.002  ·
Share on: linkedin copy

Detects malicious behavior where the MMC utility (mmc.exe) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.

Sigma rule (View on GitHub)

 1title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
 2id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
 3status: experimental
 4description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
 5references:
 6    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
 7    - https://en.wikipedia.org/wiki/Right-to-left_override
 8    - https://tria.ge/241015-l98snsyeje/behavioral2
 9author: Swachchhanda Shrawan Poudel (Nextron Systems)
10date: 2025-02-05
11tags:
12    - attack.execution
13    - attack.t1204.002
14    - attack.defense-evasion
15    - attack.t1218.014
16    - attack.t1036.002
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_image:
22        - Image|endswith: '\mmc.exe'
23        - OriginalFileName: 'MMC.exe'
24    selection_commandline:
25        CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
26            - 'cod.msc'  # Reversed `.doc`
27            - 'fdp.msc'  # Reversed `.pdf`
28            - 'ftr.msc'  # Reversed `.rtf`
29            - 'lmth.msc'  # Reversed `.html`
30            - 'slx.msc'  # Reversed `.xls`
31            - 'tdo.msc'  # Reversed `.odt`
32            - 'xcod.msc'  # Reversed `.docx`
33            - 'xslx.msc'  # Reversed `.xlsx`
34            - 'xtpp.msc'  # Reversed `.pptx`
35    condition: all of selection_*
36falsepositives:
37    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
38    - Unconventional but non-malicious usage of RLO or reversed extensions.
39level: high

References

  • %PDF-1.6 %âãÏÓ 1650 0 obj endobj xref 1650 87 0000000016 00000 n 0000003512 00000 n 0000003652 00000 n 0000003832 00000 n 0000003893 00000 n 0000003931 00000 n 0000003977 00000 n 0000004026 00000 n...


    Read More

  • Bidirectional text - Wikipedia

    Egyptian hieroglyphs were written bidirectionally, where the signs that had a distinct "head" or "tail" faced the beginning of the line. Chinese characters and other CJK scripts edit Chinese charac...


    Read More

  • ae8d252986c616884c10ab5082088cc9e413ddf5f9a0e292a1f2c5c0764c74e7 | Triage

    Check this report malware sample ae8d252986c616884c10ab5082088cc9e413ddf5f9a0e292a1f2c5c0764c74e7, with a score of 1 out of 10.


    Read More

Related rules

to-top