Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.
Sigma rule (View on GitHub)
1title: Potential Defense Evasion Via Right-to-Left Override
2id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
3related:
4 - id: e0552b19-5a83-4222-b141-b36184bb8d79
5 type: derived
6 - id: 584bca0f-3608-4402-80fd-4075ff6072e3
7 type: derived
8status: test
9description: |
10 Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
11 This is used as an obfuscation and masquerading techniques.
12references:
13 - https://redcanary.com/blog/right-to-left-override/
14 - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
15 - https://unicode-explorer.com/c/202E
16author: Micah Babinski, @micahbabinski
17date: 2023-02-15
18tags:
19 - attack.defense-evasion
20 - attack.t1036.002
21logsource:
22 category: process_creation
23 product: windows
24detection:
25 selection:
26 CommandLine|contains: "\u202e"
27 condition: selection
28falsepositives:
29 - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
30level: high
References
-
Our Security Operations team loves to share insights on TTPs when we see them in the wild. Today an oldie but a goodie: right-to-left override attacks.
Read More -
RTLO can be used to spoof fake extensions. Learn how malware writers are using this old trick to spread malware.
Read More -
U+202E RIGHT-TO-LEFT OVERRIDE, copy and paste, unicode character symbol info, commonly abbreviated RLO
Read More
Related rules
- Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
- Process Deletion of Its Own Executable
- Dism Remove Online Package
- Diamond Sleet APT DLL Sideloading Indicators
- Diamond Sleet APT Scheduled Task Creation - Registry