Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.
Sigma rule (View on GitHub)
1title: Potential Defense Evasion Via Right-to-Left Override
2id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
3status: test
4description: |
5 Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
6 This is used as an obfuscation and masquerading techniques.
7references:
8 - https://redcanary.com/blog/right-to-left-override/
9 - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
10 - https://unicode-explorer.com/c/202E
11author: Micah Babinski, @micahbabinski
12date: 2023/02/15
13tags:
14 - attack.defense_evasion
15 - attack.t1036.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains: "\u202e"
22 condition: selection
23falsepositives:
24 - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
25level: high
References
-
Our Security Operations team loves to share insights on TTPs when we see them in the wild. Today an oldie but a goodie: right-to-left override attacks.
Read More -
RTLO can be used to spoof fake extensions. Learn how malware writers are using this old trick to spread malware.
Read More -
U+202E RIGHT-TO-LEFT OVERRIDE, copy and paste, unicode character symbol info, commonly abbreviated RLO
Read More
Related rules
- Suspicious Command Line Containing Right-to-Left Override
- Arbitrary File Download Via MSPUB.EXE
- DLL Loaded From Suspicious Location Via Cmspt.EXE
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Directory Removal Via Rmdir