diff --git a/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx
new file mode 100644
index 000000000..d8eaf3f09
Binary files /dev/null and b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx differ
diff --git a/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.json b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.json
new file mode 100644
index 000000000..2a51e50f2
--- /dev/null
+++ b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.json
@@ -0,0 +1,51 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 11,
+ "Version": 2,
+ "Level": 4,
+ "Task": 11,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-03-29T09:34:25.027502Z"
+ }
+ },
+ "EventRecordID": 121193,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 4584,
+ "ThreadID": 5116
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "Downloads",
+ "UtcTime": "2026-03-29 09:34:25.019",
+ "ProcessGuid": "0197231E-A4C2-69C9-8C00-000000000D00",
+ "ProcessId": 5856,
+ "Image": "C:\\WINDOWS\\Explorer.EXE",
+ "TargetFilename": "C:\\Users\\xodih\\Downloads\\Communicaton_Ltr‮fdp.msc",
+ "CreationUtcTime": "2026-03-29 09:34:25.019",
+ "User": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
new file mode 100644
index 000000000..6bbfb7c46
--- /dev/null
+++ b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
@@ -0,0 +1,13 @@
+id: e6fd13b0-c4f7-49ed-9be4-aecd07ba14d9
+description: N/A
+date: 2026-03-29
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
+ title: Potential File Extension Spoofing Using Right-to-Left Override
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx
new file mode 100644
index 000000000..b17caa675
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.json b/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.json
new file mode 100644
index 000000000..5a13fcf3d
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.json
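Review bot: `description: N/A` leaves this regression sample undocumented, while the sibling info.yml for the process_creation rule explains what its sample contains. The JSON next to it shows a Sysmon EID 11 file creation in a Downloads folder whose TargetFilename ends in `[U+202E]fdp.msc`, so a one-line summary such as `description: Sysmon EID 11 creation of Communicaton_Ltr[U+202E]fdp.msc in Downloads; the RTLO character makes the .msc display as a .pdf` tells a reader what the test asserts without opening the evtx. Keep the code point written as `[U+202E]` in the description, as the other info.yml does, so the file stays readable.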
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-03-20T08:31:26.751156500Z"
+ }
+ },
+ "EventRecordID": 23419552,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 2248,
+ "ThreadID": 3912
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "pcwin2.sigen.net",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-03-20 08:31:26.749",
+ "ProcessGuid": "0AF88113-05DE-69BD-4187-070000009900",
+ "ProcessId": 3680,
+ "Image": "C:\\Users\\administrator.SIGEN.000\\Ann‮gepj.exe",
+ "FileVersion": "10.0.15063.0 (WinBuild.160101.0800)",
+ "Description": "Windows Calculator",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CALC.EXE",
+ "CommandLine": "\"C:\\Users\\administrator.SIGEN.000\\Ann‮gepj.exe\"",
+ "CurrentDirectory": "C:\\Users\\administrator.SIGEN.000\\",
+ "User": "SIGEN\\Administrator",
+ "LogonGuid": "0AF88113-7E8E-6980-C376-030000000000",
+ "LogonId": "0x376c3",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=A2718A03B8E1DFEC38E64743EA05AAE812BA7AB5,MD5=13974CBF51996AB168C12D662FB3BFB7,SHA256=0A6E788FDBCBF925112F9CF57124F68CCAA30F3AC1F10904CE46FFE54E930F11,IMPHASH=60E460797128D126D3620479645931A9",
+ "ParentProcessGuid": "0AF88113-7E92-6980-5D00-000000009900",
+ "ParentProcessId": 5108,
+ "ParentImage": "C:\\Windows\\explorer.exe",
+ "ParentCommandLine": "C:\\Windows\\Explorer.exe",
+ "ParentUser": "SIGEN\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml
new file mode 100644
index 000000000..4fa19bd68
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml
@@ -0,0 +1,12 @@
+id: cbcffc11-0c7f-4753-9cdb-10d36b553a02
+description: The user double clicked on a file named Annexe.jpeg, whose actual filename was Ann[U+202E]gepj.exe (using an RTLO character).
+date: 2026-03-20
+author: Luc Génaux
+rule_metadata:
+ - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+ title: Potential Defense Evasion Via Right-to-Left Override
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx
diff --git a/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
index b129b5936..586b22f0a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
@@ -13,7 +13,7 @@ references:
 - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
 author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2024-11-17
-modified: 2025-02-06
+modified: 2026-03-20
 tags:
 - attack.execution
 - attack.defense-evasion
@@ -26,6 +26,8 @@ detection:
 TargetFilename|contains:
 - '\u202e' # Unicode RTLO character
 - '[U+202E]'
+ # Real char U+202E copied/pasted below
+ - '‮'
 selection_extensions:
 TargetFilename|contains:
 - '3pm.' # Reversed `.mp3`
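Review bot: `regression_tests_info` for this sample omits `match_count`, while the sibling info.yml added for the file_event rule sets `match_count: 1` for its single evtx record. If the harness treats a missing count as "at least one match" this test cannot catch the rule firing more than once on the one EID 1 event in the sample, and if the harness requires the key the entry is malformed; I cannot tell which from the diff. Adding `  match_count: 1` under the `provider` line makes the two test descriptors consistent either way.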
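Review bot: The new list entry `- '‮'` under `TargetFilename|contains` is an invisible code point, so a reader cannot distinguish it from an empty or corrupted string, and an editor, formatter or copy/paste step can drop or re-encode it without anyone noticing; the same entry is added to `CommandLine|contains` in the proc_creation rule hunk further down. A YAML double-quoted escape yields the identical character while staying visible in source, `- "\u202E" # the actual U+202E character`, which is distinct from the existing single-quoted `'\u202e'` (a literal backslash sequence for log sources that escape the character), assuming the project's linting accepts double-quoted values. Separately, this rule's `modified:` is bumped to 2026-03-20 while the regression sample and info.yml it now references are dated 2026-03-29, so the modified date appears to predate the change it records.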
@@ -51,3 +53,4 @@ detection:
 falsepositives:
 - Filenames that contains scriptures such as arabic or hebrew might make use of this character
 level: high
+regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
index ca0089eb6..af6f8a47a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
@@ -8,15 +8,16 @@ related:
 status: test
 description: |
 Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
- This is used as an obfuscation and masquerading techniques.
+ This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
 references:
 - https://redcanary.com/blog/right-to-left-override/
 - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
 - https://unicode-explorer.com/c/202E
 - https://tria.ge/241015-l98snsyeje/behavioral2
-author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems)
+ - https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
+author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
 date: 2023-02-15
-modified: 2025-02-06
+modified: 2026-03-20
 tags:
 - attack.defense-evasion
 - attack.t1036.002
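Review bot: The rewritten description line keeps the number-agreement error of the line it replaces, `an obfuscation and masquerading techniques`; since the sentence is being reworded anyway, `This character is used by adversaries as an obfuscation and masquerading technique to trick users into opening malicious files.` reads correctly. The untouched context line above it writes the code point as "u202+E", which is a misordering of U+202E, and the same description edit is the natural place to correct it so the rule text names the character the detection actually looks for.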
@@ -28,7 +29,10 @@ detection:
 CommandLine|contains:
 - '\u202e' # Unicode RTLO character
 - '[U+202E]'
+ # Real char U+202E copied/pasted below
+ - '‮'
 condition: selection
 falsepositives:
 - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml