Merge pull request #4001 from mbabinski/master

feat: new rule related to Right-to-left override character in the CLI

rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml

@@ -0,0 +1,25 @@
+title: Potential Defense Evasion Via Right-to-Left Override
+id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+status: experimental
+description: |
+    Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
+    This is used as an obfuscation and masquerading techniques.
+references:
+    - https://redcanary.com/blog/right-to-left-override/
+    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
+    - https://unicode-explorer.com/c/202E
+author: Micah Babinski, @micahbabinski
+date: 2023/02/15
+tags:
+    - attack.defense_evasion
+    - attack.t1036.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: "\u202e"
+    condition: selection
+falsepositives:
+    - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
+level: high