Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage

update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
2026-04-01 13:57:31 +02:00
parent 7fc53c563e
commit d4d12bdd13
8 changed files with 153 additions and 4 deletions
@@ -0,0 +1,51 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-29T09:34:25.027502Z"
+        }
+      },
+      "EventRecordID": 121193,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "Downloads",
+      "UtcTime": "2026-03-29 09:34:25.019",
+      "ProcessGuid": "0197231E-A4C2-69C9-8C00-000000000D00",
+      "ProcessId": 5856,
+      "Image": "C:\\WINDOWS\\Explorer.EXE",
+      "TargetFilename": "C:\\Users\\xodih\\Downloads\\Communicaton_Ltr‮fdp.msc",
+      "CreationUtcTime": "2026-03-29 09:34:25.019",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: e6fd13b0-c4f7-49ed-9be4-aecd07ba14d9
+description: N/A
+date: 2026-03-29
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
+      title: Potential File Extension Spoofing Using Right-to-Left Override
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-20T08:31:26.751156500Z"
+        }
+      },
+      "EventRecordID": 23419552,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 2248,
+          "ThreadID": 3912
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "pcwin2.sigen.net",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-20 08:31:26.749",
+      "ProcessGuid": "0AF88113-05DE-69BD-4187-070000009900",
+      "ProcessId": 3680,
+      "Image": "C:\\Users\\administrator.SIGEN.000\\Ann‮gepj.exe",
+      "FileVersion": "10.0.15063.0 (WinBuild.160101.0800)",
+      "Description": "Windows Calculator",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "CALC.EXE",
+      "CommandLine": "\"C:\\Users\\administrator.SIGEN.000\\Ann‮gepj.exe\"",
+      "CurrentDirectory": "C:\\Users\\administrator.SIGEN.000\\",
+      "User": "SIGEN\\Administrator",
+      "LogonGuid": "0AF88113-7E8E-6980-C376-030000000000",
+      "LogonId": "0x376c3",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "SHA1=A2718A03B8E1DFEC38E64743EA05AAE812BA7AB5,MD5=13974CBF51996AB168C12D662FB3BFB7,SHA256=0A6E788FDBCBF925112F9CF57124F68CCAA30F3AC1F10904CE46FFE54E930F11,IMPHASH=60E460797128D126D3620479645931A9",
+      "ParentProcessGuid": "0AF88113-7E92-6980-5D00-000000009900",
+      "ParentProcessId": 5108,
+      "ParentImage": "C:\\Windows\\explorer.exe",
+      "ParentCommandLine": "C:\\Windows\\Explorer.exe",
+      "ParentUser": "SIGEN\\Administrator"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: cbcffc11-0c7f-4753-9cdb-10d36b553a02
+description: The user double clicked on a file named Annexe.jpeg, whose actual filename was Ann[U+202E]gepj.exe (using an RTLO character).
+date: 2026-03-20
+author: Luc Génaux
+rule_metadata:
+    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+      title: Potential Defense Evasion Via Right-to-Left Override
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx
@@ -13,7 +13,7 @@ references:
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
 author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2024-11-17
-modified: 2025-02-06
+modified: 2026-03-20
 tags:
    - attack.execution
    - attack.defense-evasion
@@ -26,6 +26,8 @@ detection:
        TargetFilename|contains:
            - '\u202e'  # Unicode RTLO character
            - '[U+202E]'
+            # Real char U+202E copied/pasted below
+            - '‮'
    selection_extensions:
        TargetFilename|contains:
            - '3pm.'  # Reversed `.mp3`
@@ -51,3 +53,4 @@ detection:
 falsepositives:
    - Filenames that contains scriptures such as arabic or hebrew might make use of this character
 level: high
+regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
@@ -8,15 +8,16 @@ related:
 status: test
 description: |
    Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
-    This is used as an obfuscation and masquerading techniques.
+    This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
 references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://unicode-explorer.com/c/202E
    - https://tria.ge/241015-l98snsyeje/behavioral2
-author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems)
+    - https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
+author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
 date: 2023-02-15
-modified: 2025-02-06
+modified: 2026-03-20
 tags:
    - attack.defense-evasion
    - attack.t1036.002
@@ -28,7 +29,10 @@ detection:
        CommandLine|contains:
            - '\u202e'  # Unicode RTLO character
            - '[U+202E]'
+            # Real char U+202E copied/pasted below
+            - '‮'
    condition: selection
 falsepositives:
    - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml