Attachment: Filename Containing Unicode Right-to-Left Override Character

Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters

Sublime rule (View on GitHub)

```yaml
name: "Attachment: Filename Containing Unicode Right-to-Left Override Character"
description: |
    Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters
references:
  - "https://redcanary.com/blog/right-to-left-override/"
  - "https://sublimecommunity.slack.com/archives/C02N1F7FP7C/p1644411026329629"
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          regex.icontains(.file_name, '\x{202E}', '\x{202D}')
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.), regex.icontains(.file_name, '\x{202E}', '\x{202D}'))
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "357c57a1-dd29-5ad8-ae2f-c4f4c6489575"
```
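The rule's logic is: flag an attachment whose filename contains U+202E (right-to-left override) or U+202D (left-to-right override), and, when the attachment is an archive, explode it and apply the same check to the member names. The following Python scanner is an added illustration of that same logic, not part of the Sublime rule or Sublime's code. It assumes a stand-in `ARCHIVE_EXTENSIONS` set in place of `$file_extensions_common_archives`, handles only zip archives, and includes a `displayed_name` helper that approximates how a bidi-aware UI renders such a name (everything after the first RLO shown reversed; a simplification of the Unicode bidi algorithm). The sample attachments are constructed inline and are not real files.

```python
import io
import re
import zipfile

# The two override code points the rule matches:
# U+202E RIGHT-TO-LEFT OVERRIDE and U+202D LEFT-TO-RIGHT OVERRIDE.
BIDI_OVERRIDE = re.compile("[\u202E\u202D]")

# Stand-in for the rule's $file_extensions_common_archives list (assumption:
# only zip is handled here).
ARCHIVE_EXTENSIONS = {"zip"}


def has_bidi_override(file_name):
    """True when the filename carries an RLO or LRO character."""
    return BIDI_OVERRIDE.search(file_name) is not None


def displayed_name(file_name):
    """Approximate rendering of a name containing RLO: the text after the first
    U+202E is shown reversed. Simplified view of the bidi algorithm (assumption)."""
    if "\u202E" not in file_name:
        return file_name
    head, tail = file_name.split("\u202E", 1)
    return head + tail[::-1]


def inspect_attachment(file_name, content, depth=0, max_depth=5):
    """Return every filename (top-level or nested) that contains an override.

    Mirrors the rule: check the attachment's own name, and if its extension is an
    archive type, explode it and check the member names recursively. Nesting depth
    is bounded so deeply nested archives cannot keep the scanner busy forever."""
    hits = []
    if has_bidi_override(file_name):
        hits.append(file_name)
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    if ext in ARCHIVE_EXTENSIONS and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    hits.extend(
                        inspect_attachment(info.filename, zf.read(info), depth + 1, max_depth)
                    )
        except zipfile.BadZipFile:
            # Extension says archive but the bytes do not parse: nothing to explode.
            pass
    return hits


def scan_message(attachments):
    """Run the check over a list of (file_name, content) attachment tuples."""
    flagged = []
    for name, data in attachments:
        flagged.extend(inspect_attachment(name, data))
    return flagged


def build_sample_message():
    """Constructed sample attachments (not from any real message).
    One clean PDF, one name with RLO at the top level, and a zip whose member
    name carries RLO. The payload bytes are placeholders, not real files."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report\u202Efdp.exe", b"placeholder")
        zf.writestr("readme.txt", b"hello")
    return [
        ("quarterly.pdf", b"%PDF-1.4 placeholder"),
        ("invoice\u202Efdp.exe", b"placeholder"),
        ("archive.zip", inner.getvalue()),
    ]


if __name__ == "__main__":
    for name in scan_message(build_sample_message()):
        print("flagged:", repr(name), "renders roughly as:", displayed_name(name))
```

Running the block flags both the top-level `invoice` attachment and the `report` member inside `archive.zip`, while the clean PDF and the inner `readme.txt` pass. The `displayed_name` output shows why the check matters: a name whose real extension is `.exe` is presented to the reader as ending in `.pdf`.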