From d4d12bdd13deb0c799dc9a7f603132b53e577397 Mon Sep 17 00:00:00 2001 From: EzLucky Date: Wed, 1 Apr 2026 13:57:31 +0200 Subject: [PATCH] Merge PR #5910 from @EzLucky - Update RTLO Related Rules With Additional Coverage update: Potential Defense Evasion Via Right-to-Left Override - Add real rtlo char copied/pasted update: Potential File Extension Spoofing Using Right-to-Left Override - Add real rtlo char copied/pasted --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> --- .../979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx | Bin 0 -> 69632 bytes .../979baf41-ca44-4540-9d0c-4fcef3b5a3a4.json | 51 ++++++++++++++ .../info.yml | 13 ++++ .../ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx | Bin 0 -> 69632 bytes .../ad691d92-15f2-4181-9aa4-723c74f9ddc3.json | 66 ++++++++++++++++++ .../info.yml | 12 ++++ ...ht_to_left_override_extension_spoofing.yml | 5 +- ...eation_win_susp_right_to_left_override.yml | 10 ++- 8 files changed, 153 insertions(+), 4 deletions(-) create mode 100644 regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx create mode 100644 regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.json create mode 100644 regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml 
diff --git a/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx new file mode 100644 index 0000000000000000000000000000000000000000..d8eaf3f09b769f0ab5c8b016f2b24b245789e6d2 GIT binary patch literal 69632 zcmeI$TWl0n90u_J%9q16JxwQkSIpY8jaBxBN|kqasB>h&TMxJbqhS1eA8@q z=FE4_ocWzIXP~Y9eQl}!UKzQ$wqOw7u7pHtosp4KK5jbt*X5_&2pgaP1t>rP3Q&Lo z6rcbFC_n)UP@tkfYkyz!hRj9@{&zpx_n@|fKMK^>h;*;tdrifLD+Kg9tNuwhl*T4` zBC)8*ZxN9n!=-0L=AryD{2Agzw@)h6c@WpsZ4$1j+aEUniY?c&XHeERqCZ#Q_)q&s zlCwr!BW>H#y8G<@a%9`k<~t+W(agzg7uaimS9LPAhwIFoi7~B~;`o0&asJ|)-}}l* zI*yEUzFGY9OTm?NfBH|)tT^x6FAfgwt9x-5?nF~fb#fne^#*l&XIw;DWvlc`Mshg5 zA0O{ld-C06M7Bv<`f+jqCn8RxY(Ok0n`Dv9!Owtnqofy^F6__7cM2t&C5xl1^dUJL z$61umk=t=DgYS9LfS-%7*B}e zk_jr;^XO*(`IIT8I$YLL>I_Xxc!vrg3=|z;<<^CcwwhT z&O<>k(Z|Q+(eCp!+7Q<;~<#gJ)cBm8G<@i{U#(Da^)NxoMY!{>-Mm$ zG-I*RL|na~BlS4YM?kk%Cwp=o22h7ZiS%-gwiJ>pFFK$@)Ps!S(Wgk~)TP^FWg{3=0*@zkAt#2}GQ5_w zh2kaJE6|{JS$pEkyNQ^@v@bhQDOeDm|FuS%O-%dIZ+a52b|Tl-W}oob;g~d`#T+`W zvn7W+_1jHUNz&6rL5IEZ{W{T0`z`4`jZ!JD)1^>I;~K#t^7fn6xPfh^<6F#y{NcS? 
z`+?CE?Mv+QYCC7U5gfpe?L}0go-VCAv^y3?A-uub1^|g_iH4k7Go5rX*6m(Q(PkvO zFp)B*-#Tcu;)I<-;Zg*2Rnvi6oQWE!G^T=f&VN?ih%*jdxE=NN!Pbx8Ru4+l`bsnr zEW&$cM=_i_EL+espHSpnB)nif?px-`Dm19A+xr?Pr-j0aI++rd@rYvTnGa?vUReHJ zL}h|Rr4DB?#j&TKsKiVT)lGQ=j%p<-SL3@mGzFO&{McX84Ybn!6g z7ST&DN1w|Vt68!dWf_ce76t<{%TCucjx%!ef=#Pu9>_Ppx6C_|dgQM|Ct81wdG3@# zpAUal>Pq1+-bX*!y*_w7=ziORscY}P>$N3^cefV~px2th7`}yFee3Gha*s~1VDWA- z&32(&*TseS*0-?Evxl-_tW|nZJ$oiTp00-xCyKef1wH63u8D3OL!twHzO8@8aJmXZ znS)sH*t&7_NVBtS)(pMha?OZI9W1PF+?Ax(nPKakJ>34W4?>T)@sLC{KgH&C^lk4W zm{R)US&#m^aZDr4&9^!2zs)7glDOIAa?%EQz2gjO>RZ5#NBo+Nwx(IK{JTiv5ee2a zf4oKtcz#{IbJf;4Yp)tEPJB0Bg_KTW!IXEf$oW%OOLYGhTQ&{fEoSCr(8DbHr;Dz> zF6ZGTHVfbL@q3;ulzQwh#4C6{UZaap(uj5%WG>1kPkqWc@WO|wow$}rT=J(2?qQL1 zVrDPJD7Rn^uEwnHG%M34a~-|I&1j)j*5Ko(gNJqi$!+LM57ahb|JeR@+GQk-nUq1Q z8~x7t&kNpHIc>SV5A`?U3TfO=_X*z7Xsc0azs$|*zl*q0fC3bt00k&O0SZun0u-PC z1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo z6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)U zP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZ zKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt z00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun z0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-RY|3kph zZf2z~=&dVfh2B8n;Lx*sU)PhnqQNQiZSuL&{4|pvYI)4h=WCD6CmmBwPq=ci-~ObR z{X9xaHxsNME^%dnpFj6M@)9XlaAlFn*M4`C-+o7R@tp3M_P0uJQ0PjF$^Wuv=cxHP zG7!Yk+jf)hXn)+#*N!iq(;aO;C7EKGD?9x59~nJg3}eTYr%itU=}-9W=RYVt?f1W= z#Fcen9j`sh0{=?+=@B!&jn;GUIOAK^{#=vaf7=YdKferHYs`3-a)b;C2!~F&>1CHKVE;~@bcKX;pa{-a>NRm$%%`CY5*eBM93tirML^Fx#G=v--@mwy3Z CCkyca literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.json b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.json new file mode 100644 index 000000000..2a51e50f2 --- /dev/null 
+++ b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.json
@@ -0,0 +1,51 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 11,
+ "Version": 2,
+ "Level": 4,
+ "Task": 11,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-03-29T09:34:25.027502Z"
+ }
+ },
+ "EventRecordID": 121193,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 4584,
+ "ThreadID": 5116
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "Downloads",
+ "UtcTime": "2026-03-29 09:34:25.019",
+ "ProcessGuid": "0197231E-A4C2-69C9-8C00-000000000D00",
+ "ProcessId": 5856,
+ "Image": "C:\\WINDOWS\\Explorer.EXE",
+ "TargetFilename": "C:\\Users\\xodih\\Downloads\\Communicaton_Ltr‮fdp.msc",
+ "CreationUtcTime": "2026-03-29 09:34:25.019",
+ "User": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
new file mode 100644
index 000000000..6bbfb7c46
--- /dev/null
+++ b/regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
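Review bot: The right-to-left override in the `TargetFilename` value is stored as a literal, invisible U+202E, which an editor, formatter or copy/paste round-trip can silently drop or reorder, leaving the fixture looking intact while the rule it exercises presumably stops matching. If this JSON is hand-maintained rather than exported from the .evtx, the escape form makes the intent visible and survives such tooling: `"TargetFilename": "C:\\Users\\xodih\\Downloads\\Communicaton_Ltr\u202efdp.msc",` parses to the same string. If it is generated from the .evtx, JSON has no comment syntax, so the explanation belongs in the accompanying info.yml description instead.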
@@ -0,0 +1,13 @@
+id: e6fd13b0-c4f7-49ed-9be4-aecd07ba14d9
+description: N/A
+date: 2026-03-29
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
+ title: Potential File Extension Spoofing Using Right-to-Left Override
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/979baf41-ca44-4540-9d0c-4fcef3b5a3a4.evtx
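Review bot: `description: N/A` leaves empty the one field where the fixture's trick could be explained: the sample's file name carries an invisible U+202E before `fdp.msc`, so it displays with a `.pdf` tail while the real extension is `.msc`, and nothing in this file says so. A maintainer who later normalizes or "cleans" the sample has no warning that the control character is the point of the test. Suggest `description: Sysmon EID 11 file creation whose TargetFilename contains a literal U+202E (right-to-left override) before the real .msc extension; the control character is intentional and must not be stripped or normalized.`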
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/ad691d92-15f2-4181-9aa4-723c74f9ddc3.evtx new file mode 100644 index 0000000000000000000000000000000000000000..b17caa675814b7cb68f50dc1f85aff1e0b7c6cbf GIT binary patch literal 69632 zcmeI0ZERat8ONV{V>^yh+ex#)fVCvu7_=;|^V%e(LarUtZYgwctV~5))HtoX#EBNS ztW+8uXiP(Bs6$AbCd9w8|F^PK1Wp65L0+B1s_)%s%1HeX@Xa0$=AI?Q^4%_28k@40#H4>znt3PeBz zL_h>YKmYKm^{Gz|7)8`Ap*x{Kog!cF#-f#-9Rj_nHm<@XFu4^#A_N zd7gb~^u$IDyHaL5(`Nrnn*BAgvBzv0?T7F;#D~4!e4jCwF(BcDB8M zwuMdhd=d5cqCZJKxoM82NEgSx6qS!bwhEoEZqh@UkNUbj{_|#&;=grnYCv`0KKL}x z|9JfMt;5H|o{Nu{>-MfGOlQ%A0>|1&cE1^`W*S?P;7s%_? z9Z8$9^H#HlHBo;Gcj|1^`C2|{kJ*wfqH`4;$za^hK&)viHf{UyS+!GWsX=BA9Q9SJJ zPuQ32oEwR*yyZJe9d-<2-;5;Qnd{sD>!?-G_gUO2h8)%G{Y%E~hKe~Lt7G|fX9CgX z5|#>c9hOQ2-L?k}airhe)oEXi#Off`Kwp^awnPFx-i=Be;`47NZ5D#`)uIzJ3WatH zDz`*&I&(2$_c>oY;zUAD7}x+R+ycB_-kq|qz=3oN5plYJnv!-KD)G)a`}?%rh3*UR z+cG%LgF8i&)}H|OGzNWh_Hmp2VOyA^h|o-BxyDv}4g(5@S6HxoS1q;hC!$ zD?wuuhBI24SgF^W>$H4|Nr7%3|4pxPYOjfF+GbFe;j*^2ggN3Q^2#r}uz<&$;pf~$ z-n~a?2fS&tCG)4QC}vMVa221(inOIuOs#b7lT&FBJ`=Hx0pz+Y-4XP-aAGp%^&Nz0 z8Ip4dq=vJbPV2EC5v;9MAi%6f#~o~>9jGOQ0*&)~B}_seW5aLO5jbQOa89GUfig8V zjm!^2Rh*1pETrL9y5}4$^eD|f4T)5omltMJc0W{cmS}xDtgj=H>$Smz?Sv>o(A|hw z99(`iY3sMN;RwT(K#6zSGENS|U3(F=9?RPiJm2jabXwxSww8)WL^>JD>jTfA0U;O;_MJO2L zXmJv+IJI+VXMUW*lczD`?R(1!AG-CW5EU2yL#xM()(9xfX#(%se z-3eDVK`h?BVHOrqb|{i{uJ@X|HwAZ`V8d)^d5+l|jrmkd|Fs)p-ok8$r71rc$8gk2yy6%DTV8Z0b6E{2??Crc5wlw(~l& z%vRil+_4uRoA$B?qIHr_w9X#H4Xrqhy8-z{i`NsMXkoVNIxF!rkrX3))@dOzY$y`j za>laT)6AuOKd4{~%Ul&xG41X4qv>Ohy9WE> z%+@-C!z}YEth_ZE+20zOLPFvz5nqm0VPmhC+|tJ5kc3Co_hhjWHwbJ|X>$M!19bBIG9 zV|94D32!pVa)%Ufava5Lym2qJJV%dh=V3<3Gml@Y z|N1!>0sajUs+0!D1MhwTfpMEv!!<_85Po zC{u16-zAhMAvuCECG?i?9Jf2*$qJr_&@+m7<)|`xs%RTVeG0lLIgIBddN{s<@&uk$ zw9^7U4?vT*as(qMps$E=6PWV=#!W(|0x7R~3S+6Ax~iC=jPG&Cu|9^fpNal1L4Oe~ 
zqbPCiD()gi@aJC{y2l_}#b*ZN$M8KB$y4_o*f+YKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKm