LoFP / commandlines that contains scriptures such as arabic or hebrew might make use of this character

Techniques

• t1036
• t1036.002

Sample rules

Potential Defense Evasion Via Right-to-Left Override

• source: sigma
• technicques:
  • t1036
  • t1036.002

Description

Detects the presence of the “u202+E” character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - \u202e
  - '[U+202E]'