Potential Defense Evasion Via Right-to-Left Override

calendar Apr 1, 2026 · attack.defense-evasion attack.t1036.002  ·
Share on: linkedin copy

Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.

Sigma rule (View on GitHub)

 1title: Potential Defense Evasion Via Right-to-Left Override
 2id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
 3related:
 4    - id: e0552b19-5a83-4222-b141-b36184bb8d79
 5      type: derived
 6    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
 7      type: derived
 8status: test
 9description: |
10    Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
11    This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.    
12references:
13    - https://redcanary.com/blog/right-to-left-override/
14    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
15    - https://unicode-explorer.com/c/202E
16    - https://tria.ge/241015-l98snsyeje/behavioral2
17    - https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
18author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
19date: 2023-02-15
20modified: 2026-03-20
21tags:
22    - attack.defense-evasion
23    - attack.t1036.002
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection:
29        CommandLine|contains:
30            - '\u202e'  # Unicode RTLO character
31            - '[U+202E]'
32            # Real char U+202E copied/pasted below
33            - '‮'
34    condition: selection
35falsepositives:
36    - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
37level: high
38regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml

References

Related rules

to-top