Adversaries may use right-to-left override characters in filenames to spoof legitimate file extensions and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential file-based attacks that rely on visual deception to bypass user awareness and security controls.
Detection Rule
title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: test
description: |
    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-11-17
modified: 2025-02-06
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains:
            - '\u202e' # Unicode RTLO character
            - '[U+202E]'
    selection_extensions:
        TargetFilename|contains:
            - '3pm.' # Reversed `.mp3`
            - '4pm.' # Reversed `.mp4`
            - 'cod.' # Reversed `.doc`
            - 'fdp.' # Reversed `.pdf`
            - 'ftr.' # Reversed `.rtf`
            - 'gepj.' # Reversed `.jpeg`
            - 'gnp.' # Reversed `.png`
            - 'gpj.' # Reversed `.jpg`
            - 'ism.' # Reversed `.msi`
            - 'lmth.' # Reversed `.html`
            - 'nls.' # Reversed `.sln`
            - 'piz.' # Reversed `.zip`
            - 'slx.' # Reversed `.xls`
            - 'tdo.' # Reversed `.odt`
            - 'vsc.' # Reversed `.csv`
            - 'vwm.' # Reversed `.wmv`
            - 'xcod.' # Reversed `.docx`
            - 'xslx.' # Reversed `.xlsx`
            - 'xtpp.' # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Filenames that contain scripts such as Arabic or Hebrew might legitimately make use of this character
level: high
imFileEvent
| where (TargetFileName contains "\\u202e" or TargetFileName contains "[U+202E]")
    and (TargetFileName contains "3pm." or TargetFileName contains "4pm."
        or TargetFileName contains "cod." or TargetFileName contains "fdp."
        or TargetFileName contains "ftr." or TargetFileName contains "gepj."
        or TargetFileName contains "gnp." or TargetFileName contains "gpj."
        or TargetFileName contains "ism." or TargetFileName contains "lmth."
        or TargetFileName contains "nls." or TargetFileName contains "piz."
        or TargetFileName contains "slx." or TargetFileName contains "tdo."
        or TargetFileName contains "vsc." or TargetFileName contains "vwm."
        or TargetFileName contains "xcod." or TargetFileName contains "xslx."
        or TargetFileName contains "xtpp.")
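To show what the rule's condition does and does not catch, here is an added Python example (not part of the Sigma rule, Nextron's tooling, or Sentinel) that mirrors the two selections over constructed TargetFilename values and reports the displayed versus real extension of each hit. It assumes the escaped forms `\u202e` and `[U+202E]` are what the rule literally matches (a single-quoted YAML value does not process backslash escapes, and the KQL `"\\u202e"` is likewise a literal backslash), so whether the raw U+202E character is also caught depends on how your log pipeline renders it; the sample paths, the `triage` helper and the Hebrew filename are constructed.

```python
import ntpath

RTLO = "\u202e"  # the actual right-to-left override character
# What the page's rule and its KQL literally match: escaped renderings of the
# character, not the character itself (assumption: pipeline writes them escaped).
RULE_RTLO_MARKERS = ("\\u202e", "[u+202e]")
# Superset that also catches the raw U+202E character as Sysmon records it.
ALL_RTLO_MARKERS = RULE_RTLO_MARKERS + (RTLO,)
# The reversed extensions from the rule's selection_extensions list.
REVERSED_EXTENSIONS = ("3pm.", "4pm.", "cod.", "fdp.", "ftr.", "gepj.", "gnp.", "gpj.", "ism.",
                       "lmth.", "nls.", "piz.", "slx.", "tdo.", "vsc.", "vwm.", "xcod.", "xslx.", "xtpp.")

def rule_matches(target_filename, markers=ALL_RTLO_MARKERS):
    """Mirror of the rule's condition; case-insensitive like Sigma/KQL 'contains'."""
    name = target_filename.lower()
    return any(m in name for m in markers) and any(e in name for e in REVERSED_EXTENSIONS)

def displayed_name(filename):
    """Approximate the rendered name: text after U+202E is drawn right to left."""
    head, _, tail = filename.partition(RTLO)
    return head + tail[::-1]

def extension(filename):
    """Text after the last dot, which is what the shell actually uses to open the file."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def triage(target_filename, markers=ALL_RTLO_MARKERS):
    """Return a finding (hypothetical helper) for a matching event, or None for a non-match."""
    if not rule_matches(target_filename, markers):
        return None
    raw = target_filename.replace("\\u202e", RTLO).replace("[U+202E]", RTLO)
    shown = ntpath.basename(displayed_name(raw))
    return {"shown_as": shown, "shown_ext": extension(shown),
            "real_ext": extension(ntpath.basename(target_filename))}

# Constructed sample TargetFilename values (not from the page): a spoofed executable as
# Sysmon records it, the same name escaped by a pipeline, and a benign Hebrew document.
SAMPLE_EVENTS = [
    "C:\\Users\\alice\\Downloads\\invoice" + RTLO + "fdp.exe",                 # raw character
    "C:\\Users\\alice\\Downloads\\invoice\\u202efdp.exe",                      # escaped rendering
    "C:\\Users\\alice\\Documents\\" + RTLO + "\u05e9\u05dc\u05d5\u05dd.docx",  # legitimate RTL title
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(rule_matches(event, RULE_RTLO_MARKERS), triage(event))
```

The first event is missed by the rule's literal markers but caught once the raw character is added, and its finding shows the gap the user sees (`.pdf` displayed, `.exe` real); the Hebrew filename contains the override but no reversed extension, so it never fires.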
Scenario: A system administrator uses a script to rename log files using a right-to-left override character to ensure consistent naming across different locales.
Filter/Exclusion: Exclude filenames that match known administrative tools or scripts (e.g., logrotate, rsyslog, cron jobs) or those containing known administrative command patterns.
Scenario: A scheduled backup job generates temporary files with spoofed extensions to avoid triggering security software during the backup process.
Filter/Exclusion: Exclude files created by known backup tools (e.g., Veeam, Commvault, rsync, tar) or those with timestamps matching scheduled backup windows.
Scenario: A developer uses a right-to-left override in a filename to test how the system handles Unicode filenames, such as in a test environment or during localization testing.
Filter/Exclusion: Exclude files located in known development directories (e.g., /var/tmp, /tmp, /home/dev/, or those with .test, .tmp, or .loc suffixes).
Scenario: A user downloads a legitimate file with a spoofed extension (e.g., report.docx.exe) as part of a software update or patch, which is then renamed by a script.
Filter/Exclusion: Exclude files that match known software update directories (e.g., /opt/update/, /usr/local/, or those with known vendor-specific naming conventions).
Scenario: A system uses a right-to-left override in filenames to support multilingual file naming in a shared drive, such as in a global enterprise environment.
Filter/Exclusion: Exclude files in shared drives with known multilingual naming conventions or those associated with enterprise file-sharing tools (e.g., Microsoft OneDrive, Google Drive, Dropbox).