Techniques
Sample rules
Potential File Extension Spoofing Using Right-to-Left Override
- source: sigma
- techniques:
  - t1036
  - t1036.002

Description
Detects suspicious filenames that contain a right-to-left override character (U+202E) together with a reversed, potentially spoofed file extension.
Detection logic
condition: all of selection_*
selection_extensions:
  TargetFilename|contains:
  - 3pm.
  - 4pm.
  - cod.
  - fdp.
  - ftr.
  - gepj.
  - gnp.
  - gpj.
  - ism.
  - lmth.
  - nls.
  - piz.
  - slx.
  - tdo.
  - vsc.
  - vwm.
  - xcod.
  - xslx.
  - xtpp.
selection_rtlo_unicode:
  TargetFilename|contains:
  - \u202e
  - '[U+202E]'
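The following is an added Python re-implementation of the rule's two selections and its `all of selection_*` condition, run over constructed sample `TargetFilename` values. It is example code, not the Sigma project's own, and it assumes (as the rule's two spellings suggest) that a log pipeline may carry the override either as the raw U+202E character or as an escaped textual form; it also treats matching as case-insensitive, which is Sigma's default for `contains`. The helper functions `displayed_name` and `real_extension` are additions that show why the reversed fragments are the tell: the OS uses the logical name, while a naive renderer mirrors everything after the override.

```python
# Added example: re-implementation of the RTLO extension-spoofing rule
# over constructed filenames (not the Sigma project's own code).

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE as a raw character

# Reversed-extension fragments taken from selection_extensions. Each is a
# common extension written backwards followed by a dot, which is how the
# real, visible extension appears in the logical filename once RTLO has
# been used to make it display as something else.
REVERSED_EXTENSIONS = [
    "3pm.", "4pm.", "cod.", "fdp.", "ftr.", "gepj.", "gnp.", "gpj.", "ism.",
    "lmth.", "nls.", "piz.", "slx.", "tdo.", "vsc.", "vwm.", "xcod.", "xslx.",
    "xtpp.",
]

# Spellings of the override from selection_rtlo_unicode, plus the raw
# character. Assumption: which form you actually see depends on whether
# the collector escapes non-printable characters. Kept lowercase because
# matching below is case-insensitive.
RTLO_MARKERS = [RTLO, "\\u202e", "[u+202e]"]


def matches_rule(target_filename: str) -> bool:
    """condition: all of selection_* -> both selections must hit."""
    name = target_filename.lower()  # Sigma 'contains' is case-insensitive
    has_rtlo = any(marker in name for marker in RTLO_MARKERS)
    has_reversed_ext = any(frag in name for frag in REVERSED_EXTENSIONS)
    return has_rtlo and has_reversed_ext


def displayed_name(target_filename: str) -> str:
    """Approximate what a naive bidi-aware renderer shows the user:
    everything after the override is drawn mirrored."""
    if RTLO not in target_filename:
        return target_filename
    head, _, tail = target_filename.partition(RTLO)
    return head + tail[::-1]


def real_extension(target_filename: str) -> str:
    """The extension the OS actually uses: the text after the last dot
    of the logical (stored) basename, override characters included."""
    basename = target_filename.rsplit("\\", 1)[-1]
    return basename.rsplit(".", 1)[-1].lower() if "." in basename else ""


def scan(filenames):
    """Return the subset of filenames the rule would alert on."""
    return [f for f in filenames if matches_rule(f)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "C:\\Users\\alice\\Downloads\\report" + RTLO + "cod.exe",  # displays as reportexe.doc
    "C:\\Users\\alice\\Downloads\\photo.jpg",                  # benign, no override
    "C:\\tmp\\draft" + RTLO + "txt.txt",                       # override but no listed fragment
    "C:\\tmp\\invoice[U+202E]fdp.scr",                         # escaped form of the override
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(
            f"hit={matches_rule(event)!s:5} "
            f"shown_as={displayed_name(event.rsplit(chr(92), 1)[-1])!r} "
            f"real_ext={real_extension(event)!r}"
        )
```

Only the first and last samples fire: the third contains the override but none of the listed reversed extensions, which is the point of requiring both selections rather than alerting on every U+202E. In practice the same mismatch between `displayed_name` and `real_extension` is also a useful field to surface in the alert, so an analyst sees at a glance what the user was shown versus what would execute.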
