Techniques
Sample rules
Potential Defense Evasion Via Right-to-Left Override
- source: sigma
- techniques:
- t1036
- t1036.002
Description
Detects the presence of the “U+202E” character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading technique.
Detection logic
condition: selection
selection:
  CommandLine|contains: "\u202E"
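
The selection above, applied to process-creation events, as an added example that is not part of the Sigma rule or its project. The JSON-lines event shape, the sample events and the helper names (visible, match_rlo) are assumptions made for illustration; matched command lines are returned with the override character escaped so the analyst sees the logical character order instead of the rendered one.

```python
import json
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the rule selects on

# Constructed process-creation events (JSON lines); not real telemetry.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\explorer.exe",
                "CommandLine": "C:\\Users\\a\\Desktop\\report.docx"}),
    json.dumps({"EventID": 1, "Image": "C:\\Users\\a\\Downloads\\x",
                "CommandLine": "\"C:\\Users\\a\\Downloads\\invoice\u202excod.exe\""}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}),
    "not json at all",
])


def visible(text):
    """Escape format/control characters so the logical order is readable."""
    return "".join(
        f"<U+{ord(ch):04X}>" if unicodedata.category(ch) in ("Cf", "Cc") else ch
        for ch in text
    )


def match_rlo(events_jsonl):
    """Return one hit per event whose CommandLine contains U+202E."""
    hits = []
    for line_no, line in enumerate(events_jsonl.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        cmd = event.get("CommandLine") if isinstance(event, dict) else None
        # Events without a CommandLine field cannot satisfy the selection.
        if not isinstance(cmd, str) or RLO not in cmd:
            continue
        hits.append({
            "line": line_no,
            "offset": cmd.index(RLO),       # position of the first override
            "command_line": visible(cmd),   # safe to print in a terminal
        })
    return hits


if __name__ == "__main__":
    for hit in match_rlo(SAMPLE_EVENTS):
        print(hit)
```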