Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potential File Extension Spoofing Using Right-to-Left Override

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potential File Extension Spoofing Using Right-to-Left Override

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

Backend: Splunk · Format: Default · Version: 2.0.2
title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: test
description: |
    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-11-17
modified: 2026-03-20
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains:
            - '\u202e'  # Unicode RTLO character
            - '[U+202E]'
            # Real char U+202E copied/pasted below
            - '‮'
    selection_extensions:
        TargetFilename|contains:
            - '3pm.'  # Reversed `.mp3`
            - '4pm.'  # Reversed `.mp4`
            - 'cod.'  # Reversed `.doc`
            - 'fdp.'  # Reversed `.pdf`
            - 'ftr.'  # Reversed `.rtf`
            - 'gepj.'  # Reversed `.jpeg`
            - 'gnp.'  # Reversed `.png`
            - 'gpj.'  # Reversed `.jpg`
            - 'ism.'  # Reversed `.msi`
            - 'lmth.'  # Reversed `.html`
            - 'nls.'  # Reversed `.sln`
            - 'piz.'  # Reversed `.zip`
            - 'slx.'  # Reversed `.xls`
            - 'tdo.'  # Reversed `.odt`
            - 'vsc.'  # Reversed `.csv`
            - 'vwm.'  # Reversed `.wmv`
            - 'xcod.'  # Reversed `.docx`
            - 'xslx.'  # Reversed `.xlsx`
            - 'xtpp.'  # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Filenames that contain scripts such as Arabic or Hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
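The two selections and the `all of selection_*` condition above, re-implemented as an added Python example (not Phoenix Studio's or SigmaHQ's code) so an analyst can check which TargetFilename values the rule flags before relying on the translated SPL; the sample filenames are constructed and `displayed_name` is a deliberately simplified bidi approximation:

```python
"""Added example: plain-Python mirror of the rule's detection block."""

RTLO = "\u202e"  # the real U+202E RIGHT-TO-LEFT OVERRIDE character

# selection_rtlo_unicode: escaped forms some log sources emit, plus the raw character
RTLO_TOKENS = ("\\u202e", "[U+202E]", RTLO)

# selection_extensions: common extensions written backwards, which is how they
# appear in the raw filename once an RTLO character has reversed the display order
REVERSED_EXTENSIONS = (
    "3pm.", "4pm.", "cod.", "fdp.", "ftr.", "gepj.", "gnp.", "gpj.", "ism.", "lmth.",
    "nls.", "piz.", "slx.", "tdo.", "vsc.", "vwm.", "xcod.", "xslx.", "xtpp.",
)


def matches_rule(target_filename: str) -> bool:
    """True when both selections match (condition: all of selection_*).

    Sigma string matching is case-insensitive, so both sides are lowercased.
    """
    name = target_filename.lower()
    has_rtlo = any(tok.lower() in name for tok in RTLO_TOKENS)
    has_reversed_ext = any(ext in name for ext in REVERSED_EXTENSIONS)
    return has_rtlo and has_reversed_ext


def displayed_name(target_filename: str) -> str:
    """Approximate how a bidi-aware UI renders a name with a raw RTLO: the text
    after the override is drawn right-to-left. Simplified on purpose; the real
    bidi algorithm also reorders digits and punctuation, which is ignored here."""
    idx = target_filename.find(RTLO)
    if idx == -1:
        return target_filename
    return target_filename[:idx] + target_filename[idx + 1:][::-1]


def scan(filenames):
    """Return the names the rule would flag, in input order."""
    return [name for name in filenames if matches_rule(name)]


# Constructed sample TargetFilename values (not real telemetry)
SAMPLES = [
    "invoice" + RTLO + "fdp.exe",                      # renders as invoiceexe.pdf
    "report[U+202E]xcod.scr",                          # escaped form from a log source
    "\u062a\u0642\u0631\u064a\u0631" + RTLO + ".txt",  # Arabic name, no reversed ext
    "notes.docx",                                      # ordinary file
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{matches_rule(name)!s:5} {displayed_name(name)!r:32} {name!r}")
```

The third sample shows why the condition requires both selections: an RTLO character alone (the stated false-positive case) does not fire the rule.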

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml