Techniques
Sample rules
Potential Defense Evasion Via Right-to-Left Override
- source: sigma
- techniques:
  - t1036
  - t1036.002
Description
Detects the presence of the “U+202E” (right-to-left override) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. Adversaries use this character as an obfuscation and masquerading technique to trick users into opening malicious files.
Detection logic
condition: selection
selection:
  CommandLine|contains:
    - \u202e
    - '[U+202E]'
    - "\u202E"
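The selection above applied to a few command lines, as an added example that is not part of the Sigma rule or its project. The sample command lines, the `<RLO>` marker, the helper names and the matching of the escaped text `\u202e` are assumptions; `rendered_name` is a simplified approximation of bidirectional rendering.

```python
import re

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# The raw character and the literal text "[U+202E]" mirror the rule's values.
# Matching the escaped text "\u202e" is an assumption, for log pipelines
# that store the character as an escape sequence instead of the raw code point.
PATTERN = re.compile(r"\u202e|\[U\+202E\]|\\u202e", re.IGNORECASE)

def matches_rule(command_line: str) -> bool:
    """True when the command line contains any form of the override."""
    return PATTERN.search(command_line) is not None

def make_visible(text: str) -> str:
    """Replace the invisible character with a printable marker for analysts."""
    return text.replace(RLO, "<RLO>")

def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after the override is
    displayed reversed. Ignores the rest of the Unicode bidi algorithm."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name

def real_extension(name: str) -> str:
    """Extension the operating system acts on, regardless of how it renders."""
    return name.rpartition(".")[2].lower() if "." in name else ""

# Constructed sample process-creation command lines.
SAMPLES = [
    'cmd.exe /c "C:\\Users\\Public\\invoice\u202efdp.exe"',
    "cmd.exe /c start report[U+202E]cod.scr",
    'notepad.exe "C:\\Users\\Public\\notes.txt"',
]

def triage(command_lines):
    """Return (hit, display-safe command line) for each input."""
    return [(matches_rule(c), make_visible(c)) for c in command_lines]

if __name__ == "__main__":
    for hit, shown in triage(SAMPLES):
        print("ALERT" if hit else "ok   ", shown)
    name = "invoice\u202efdp.exe"
    print("shown as:", rendered_name(name), "| real extension:", real_extension(name))
```

Printing the alert with the marker substituted keeps the analyst's console or ticket from re-rendering the command line right to left.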