From f5e7db38a6a298b211ce68e15e62606531fa3cb3 Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Wed, 1 Feb 2023 07:34:23 -0800
Subject: [PATCH 1/7] Added rule for RLO character in command line
---
 ...oc_creation_win_right_to_left_override.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
diff --git a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
new file mode 100644
index 000000000..23260200c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
@@ -0,0 +1,24 @@
+title: Suspicious Command Line Containing Right-to-Left Override
+id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+status: experimental
+description: Detects the presence of the u202+E character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used in obfuscation and masquerading techniques.
+references:
+ - https://redcanary.com/blog/right-to-left-override/
+ - https://unicode-explorer.com/c/202E
+ - https://medium.com/@micahbabinski/detecting-onenote-one-malware-delivery-407e9321ecf0
+author: Micah Babinski, @micahbabinski
+date: 2023/01/30
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.t1036.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ # you can't see it, but trust me, there's a right-to-left override character in the regex below! :P
+ CommandLine|re: ^.*‮.*$
+ condition: selection
+falsepositives:
+ - Accidental insertion of this character into a filename or command line (very rare)
\ No newline at end of file
From 266d13d4413f54d16d547394d2a892ccc1739fd1 Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Wed, 1 Feb 2023 07:38:24 -0800
Subject: [PATCH 2/7] Re-added missing level
---
 .../proc_creation_win_right_to_left_override.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
index 23260200c..7d5e1e701 100644
--- a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
@@ -21,4 +21,5 @@ detection:
 CommandLine|re: ^.*‮.*$
 condition: selection
 falsepositives:
- - Accidental insertion of this character into a filename or command line (very rare)
\ No newline at end of file
+ - Accidental insertion of this character into a filename or command line (very rare)
+level: high
\ No newline at end of file
From bf8c8604cee191d7ec73b7aa44584f35d7bcfd05 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 3 Feb 2023 15:41:46 +0100
Subject: [PATCH 3/7] exchange the unicode char with the hex representation
---
 .../proc_creation_win_right_to_left_override.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
index 7d5e1e701..001835724 100644
--- a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
@@ -18,8 +18,8 @@ logsource:
 detection:
 selection:
 # you can't see it, but trust me, there's a right-to-left override character in the regex below! :P
- CommandLine|re: ^.*‮.*$
+ CommandLine|re: '\xe2\x80\xae'
 condition: selection
 falsepositives:
 - Accidental insertion of this character into a filename or command line (very rare)
-level: high
\ No newline at end of file
+level: high
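Review bot: The new pattern `CommandLine|re: '\xe2\x80\xae'` spells out the three UTF-8 bytes of U+202E, but Sigma hands the regex to the backend's engine, and engines that match on Unicode code points (Python, Java, .NET, most SIEM query languages) read `\xe2\x80\xae` as the three separate characters U+00E2 U+0080 U+00AE, which never match the single RLO character in a decoded CommandLine string. Whether any byte-oriented backend would match it is backend-dependent and should be verified against a known sample rather than assumed. A code-point form such as `CommandLine|re: '\u202e'` (where the backend regex dialect supports it) or, more portably, the YAML-decoded literal `CommandLine|contains: "\u202e"` states the intent without depending on the engine's byte semantics.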
From 3f75cd0844eaee81f85a48ac205768337848d682 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 3 Feb 2023 15:43:30 +0100
Subject: [PATCH 4/7] Update proc_creation_win_right_to_left_override.yml
---
 .../proc_creation_win_right_to_left_override.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
index 001835724..e88360ae1 100644
--- a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
@@ -17,7 +17,7 @@ logsource:
 product: windows
 detection:
 selection:
- # you can't see it, but trust me, there's a right-to-left override character in the regex below! :P
+ # hex representation of RTLO character
 CommandLine|re: '\xe2\x80\xae'
 condition: selection
 falsepositives:
From 0634364e5c6ba44476acb179f07a83b630240fd4 Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Wed, 15 Feb 2023 14:54:37 -0800
Subject: [PATCH 5/7] Updated rule with YAML unicode escaping
---
 .../proc_creation_win_right_to_left_override.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
index e88360ae1..b86fa3b4d 100644
--- a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
@@ -5,9 +5,8 @@ description: Detects the presence of the u202+E character, which causes a termin
 references:
 - https://redcanary.com/blog/right-to-left-override/
 - https://unicode-explorer.com/c/202E
- - https://medium.com/@micahbabinski/detecting-onenote-one-malware-delivery-407e9321ecf0
 author: Micah Babinski, @micahbabinski
-date: 2023/01/30
+date: 2023/02/15
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -17,9 +16,8 @@ logsource:
 product: windows
 detection:
 selection:
- # hex representation of RTLO character
- CommandLine|re: '\xe2\x80\xae'
+ CommandLine|contains: "\u202e"
 condition: selection
 falsepositives:
- - Accidental insertion of this character into a filename or command line (very rare)
-level: high
+ - Unknown
+level: high
\ No newline at end of file
From 927affe24a89953980ac7c7a4c138ae6b4c05fbc Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 16 Feb 2023 01:39:16 +0100
Subject: [PATCH 6/7] fix: update metadata
---
 ...oc_creation_win_right_to_left_override.yml | 23 -----------------
 ...eation_win_susp_right_to_left_override.yml | 25 +++++++++++++++++++
 2 files changed, 25 insertions(+), 23 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
diff --git a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
deleted file mode 100644
index b86fa3b4d..000000000
--- a/rules/windows/process_creation/proc_creation_win_right_to_left_override.yml
+++ /dev/null
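Review bot: `CommandLine|contains: "\u202e"` only works because YAML double-quoted scalars decode `\u202e` into the actual U+202E character before Sigma sees the value; with single quotes, or a plain scalar, the backend would receive the six literal characters `\u202e` and the rule would silently never fire. Since the previous two patches already went through an invisible literal and a byte-escape regex, that dependency deserves a comment above the selection, e.g. `# double quotes are required: YAML decodes \u202e into the literal RLO character` so a later "quote normalisation" edit does not break the detection. The hunk also replaces the specific falsepositives entry with `Unknown`; a concrete note such as the previous "accidental insertion into a filename or command line (very rare)" is more useful to an analyst triaging a `high` alert than `Unknown`.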
@@ -1,23 +0,0 @@
-title: Suspicious Command Line Containing Right-to-Left Override
-id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
-status: experimental
-description: Detects the presence of the u202+E character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used in obfuscation and masquerading techniques.
-references:
- - https://redcanary.com/blog/right-to-left-override/
- - https://unicode-explorer.com/c/202E
-author: Micah Babinski, @micahbabinski
-date: 2023/02/15
-tags:
- - attack.defense_evasion
- - attack.t1036
- - attack.t1036.002
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine|contains: "\u202e"
- condition: selection
-falsepositives:
- - Unknown
-level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
new file mode 100644
index 000000000..3df86fc4c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
@@ -0,0 +1,25 @@
+title: Potential Defense Evasion Via Right-to-Left Override
+id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+status: experimental
+description: |
+ Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
+ This is used as an obfuscation and masquerading techniques.
+references:
+ - https://redcanary.com/blog/right-to-left-override/
+ - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
+ - https://unicode-explorer.com/c/202E
+author: Micah Babinski, @micahbabinski
+date: 2023/02/15
+tags:
+ - attack.defense_evasion
+ - attack.t1036.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: "\u202e"
+ condition: selection
+falsepositives:
+ - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
+level: high
\ No newline at end of file
From e2acd4a276974a46fd31a9d4244c0f8f2dc2eb56 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 16 Feb 2023 01:40:01 +0100
Subject: [PATCH 7/7] fix: add missing space
---
 .../proc_creation_win_susp_right_to_left_override.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
index 3df86fc4c..3ea4b6b5d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
@@ -22,4 +22,4 @@ detection:
 condition: selection
 falsepositives:
 - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
-level: high
\ No newline at end of file
+level: high
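Review bot: The description in the new file still names the character as `"u202+E"`, which is not a valid code point notation and will send an analyst looking for the wrong thing; the character is U+202E, so the first description line should read `Detects the presence of the U+202E (RIGHT-TO-LEFT OVERRIDE, RLO) character, which causes a terminal, browser, or operating system to render the text that follows it in a right-to-left sequence.` and the second `This is used as an obfuscation and masquerading technique, e.g. to make "invoice_exe.pdf" display as "invoice_fdp.exe".` The falsepositives entry should say "scripts" rather than "scriptures", and I would soften it: natural Arabic or Hebrew text is laid out right-to-left by the Unicode bidi algorithm without any explicit override, so a bare U+202E in a legitimate command line is rarer than the entry implies and the `high` level is probably justified — worth confirming against local telemetry. Two caveats a deployer will want stated in the rule: `contains: "\u202e"` only fires if the collection pipeline preserves the character in CommandLine (a collector that transcodes to ASCII or strips non-printable code points makes the rule silently dead, so validate with a known sample), and the rule covers only U+202E, not the related bidi controls such as U+202D (LRO) or the U+2066–U+2069 isolates, which could be a follow-up rule or an extension of this selection.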