Detects the presence of the “u202+E” character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerad
title: Potential Defense Evasion Via Right-to-Left Override
id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
related:
- id: e0552b19-5a83-4222-b141-b36184bb8d79
type: derived
- id: 584bca0f-3608-4402-80fd-4075ff6072e3
type: derived
status: test
description: |
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
references:
- https://redcanary.com/blog/right-to-left-override/
- https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
- https://unicode-explorer.com/c/202E
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
date: 2023-02-15
modified: 2026-03-20
tags:
- attack.defense-evasion
- attack.t1036.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '\u202e' # Unicode RTLO character
- '[U+202E]'
# Real char U+202E copied/pasted below
- ''
condition: selection
falsepositives:
- Commandlines that contains scriptures such as arabic or hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml
imProcessCreate
| where TargetProcessCommandLine contains "\\u202e" or TargetProcessCommandLine contains "[U+202E]" or TargetProcessCommandLine contains ""| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |