Detectionhightest
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)Created Sun Nov 17Updated Fri Mar 20979baf41-ca44-4540-9d0c-4fcef3b5a3a4windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection_rtlo_unicode:
TargetFilename|contains:
- '\u202e' # Unicode RTLO character
- '[U+202E]'
# Real char U+202E copied/pasted below
- ''
selection_extensions:
TargetFilename|contains:
- '3pm.' # Reversed `.mp3`
- '4pm.' # Reversed `.mp4`
- 'cod.' # Reversed `.doc`
- 'fdp.' # Reversed `.pdf`
- 'ftr.' # Reversed `.rtf`
- 'gepj.' # Reversed `.jpeg`
- 'gnp.' # Reversed `.png`
- 'gpj.' # Reversed `.jpg`
- 'ism.' # Reversed `.msi`
- 'lmth.' # Reversed `.html`
- 'nls.' # Reversed `.sln`
- 'piz.' # Reversed `.zip`
- 'slx.' # Reversed `.xls`
- 'tdo.' # Reversed `.odt`
- 'vsc.' # Reversed `.csv`
- 'vwm.' # Reversed `.wmv`
- 'xcod.' # Reversed `.docx`
- 'xslx.' # Reversed `.xlsx`
- 'xtpp.' # Reversed `.pptx`
condition: all of selection_*False Positives
Filenames that contains scriptures such as arabic or hebrew might make use of this character
References
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
979baf41-ca44-4540-9d0c-4fcef3b5a3a4
Status
test
Level
high
Type
Detection
Created
Sun Nov 17
Modified
Fri Mar 20
Author
Path
rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
Raw Tags
attack.executionattack.defense-evasionattack.t1036.002