Potential File Extension Spoofing Using Right-to-Left Override
- source: sigma
- techniques:
  - t1036
  - t1036.002
Description
Detects suspicious filenames that contain a right-to-left override character together with a potentially spoofed file extension.
Detection logic
condition: all of selection_*
selection_extensions:
  TargetFilename|contains:
    - 3pm.
    - 4pm.
    - cod.
    - fdp.
    - ftr.
    - gepj.
    - gnp.
    - gpj.
    - ism.
    - lmth.
    - nls.
    - piz.
    - slx.
    - tdo.
    - vsc.
    - vwm.
    - xcod.
    - xslx.
    - xtpp.
selection_rtlo_unicode:
  TargetFilename|contains:
    - \u202e
    - '[U+202E]'
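The detection logic above, re-implemented as an added Python example (not the Sigma project's code) and run over constructed Sysmon-style TargetFilename values; it also renders how a matching name would appear to a user so an analyst can see the spoofed extension:

```python
# Added example: minimal re-implementation of the rule's two selections and its
# "all of selection_*" condition. Sample events below are constructed, not real telemetry.
RTLO = "\u202e"            # the actual RIGHT-TO-LEFT OVERRIDE code point
RTLO_ESCAPED = "[U+202E]"  # textual form some log pipelines emit instead of the raw character

# Reversed extensions from the rule: "cod." is "doc" spelled backwards followed by the
# dot that separates it from the real extension once the tail is displayed right-to-left.
SPOOFED_EXTENSIONS = [
    "3pm.", "4pm.", "cod.", "fdp.", "ftr.", "gepj.", "gnp.", "gpj.", "ism.", "lmth.",
    "nls.", "piz.", "slx.", "tdo.", "vsc.", "vwm.", "xcod.", "xslx.", "xtpp.",
]

def has_rtlo(target_filename: str) -> bool:
    """selection_rtlo_unicode: raw code point or its escaped rendering."""
    return RTLO in target_filename or RTLO_ESCAPED in target_filename

def spoofed_extension(target_filename: str):
    """selection_extensions: return the first reversed-extension token found, else None."""
    for token in SPOOFED_EXTENSIONS:
        if token in target_filename:
            return token
    return None

def matches_rule(target_filename: str) -> bool:
    """condition: all of selection_* -> both selections must hit."""
    return has_rtlo(target_filename) and spoofed_extension(target_filename) is not None

def rendered_name(target_filename: str) -> str:
    """Approximate what a user sees: text after the RTLO character is drawn reversed."""
    if RTLO not in target_filename:
        return target_filename
    head, tail = target_filename.split(RTLO, 1)
    return head + tail[::-1]

# Constructed sample events (hypothetical paths, not from any real host)
SAMPLE_EVENTS = [
    r"C:\Users\alice\Downloads\report" + RTLO + "cod.exe",    # user sees ...reportexe.doc
    r"C:\Users\alice\Downloads\invoice" + RTLO + "fdp.scr",   # user sees ...invoicercs.pdf
    r"C:\Users\alice\Downloads\report.docx",                  # benign, no RTLO
    r"C:\Users\alice\Downloads\unicode" + RTLO + "test.txt",  # RTLO but no spoofed extension
    r"C:\ProgramData\log\file[U+202E]gpj.exe",                # pipeline escaped the code point
]

def triage(events):
    """Return (raw TargetFilename, name as displayed) for every event the rule matches."""
    return [(e, rendered_name(e)) for e in events if matches_rule(e)]
```

Requiring both selections is what keeps the rule quiet: tokens such as "cod." or "ism." occur in ordinary names, and a lone RTLO character appears in legitimate right-to-left text, but the combination is rarely benign.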