LoFP / Filenames that contain scripts such as Arabic or Hebrew might make use of this character

Techniques

Sample rules

Potential File Extension Spoofing Using Right-to-Left Override

Description

Detects suspicious filenames that contain a right-to-left override character (U+202E) together with a reversed, potentially spoofed file extension.

Detection logic

condition: all of selection_*
selection_extensions:
  TargetFilename|contains:
  - 3pm.
  - 4pm.
  - cod.
  - fdp.
  - ftr.
  - gepj.
  - gnp.
  - gpj.
  - ism.
  - lmth.
  - nls.
  - piz.
  - slx.
  - tdo.
  - vsc.
  - vwm.
  - xcod.
  - xslx.
  - xtpp.
selection_rtlo_unicode:
  TargetFilename|contains:
  - \u202e
  - '[U+202E]'
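The rule above is two independent selections joined by `all of selection_*`, so a filename has to carry both the override character and one of the reversed extensions before it fires. The following Python is an added example (not part of the LoFP page or of the Sigma rule) that re-implements both selections, builds the kind of spoofed name the rule targets, approximates how a bidi-aware file browser would display it, and runs the logic over constructed filenames. The helper names (`matches_rule`, `build_spoofed_name`, `displayed_form`, `scan`) and the sample filenames are assumptions made for the example.

```python
"""Re-implementation of the rule's two selections, run over constructed filenames.

Added example; not code from the LoFP page or the Sigma rule it documents.
"""

RTLO = "\u202e"            # RIGHT-TO-LEFT OVERRIDE
RTLO_ESCAPED = "[u+202e]"  # lower-cased form of the rule's '[U+202E]' literal (escaped log output)

# Reversed extensions copied from selection_extensions above. Each is the
# displayed (spoofed) extension written backwards, followed by the real dot.
REVERSED_EXTENSIONS = [
    "3pm.", "4pm.", "cod.", "fdp.", "ftr.", "gepj.", "gnp.", "gpj.", "ism.",
    "lmth.", "nls.", "piz.", "slx.", "tdo.", "vsc.", "vwm.", "xcod.", "xslx.",
    "xtpp.",
]


def matches_rule(target_filename: str) -> bool:
    """Equivalent of `condition: all of selection_*`.

    Sigma's `contains` modifier is case-insensitive by default, so both
    selections are evaluated against the lower-cased filename.
    """
    name = target_filename.lower()
    selection_rtlo_unicode = RTLO in name or RTLO_ESCAPED in name
    selection_extensions = any(rev in name for rev in REVERSED_EXTENSIONS)
    return selection_rtlo_unicode and selection_extensions


def build_spoofed_name(prefix: str, displayed_ext: str, real_ext: str) -> str:
    """Build the stored filename used by the RTLO trick (attacker side).

    Stored:    prefix + U+202E + reversed(displayed_ext) + "." + real_ext
    Displayed: prefix + real_ext reversed + "." + displayed_ext
    """
    return f"{prefix}{RTLO}{displayed_ext[::-1]}.{real_ext}"


def displayed_form(stored_name: str) -> str:
    """Approximate what a bidi-aware UI shows for a stored name.

    Everything after the first U+202E is laid out right-to-left, i.e. reversed.
    This is an approximation that holds for ASCII after the override; the full
    Unicode Bidirectional Algorithm is more involved.
    """
    head, sep, tail = stored_name.partition(RTLO)
    return (head + tail[::-1]) if sep else stored_name


# Constructed sample TargetFilename values (not real telemetry).
SAMPLE_FILENAMES = [
    build_spoofed_name("photo_", "png", "exe"),        # shows as photo_exe.png
    build_spoofed_name("Invoice_2024", "pdf", "scr"),  # shows as Invoice_2024rcs.pdf
    "report.pdf",                                      # ordinary name
    "مستند_مهم.docx",                                  # Arabic name, no override char
    "notes" + RTLO + ".txt",                           # override present, no reversed ext
    "photo_[U+202E]gnp.exe",                           # log pipeline that escapes U+202E
    "photo_" + RTLO + "GNP.EXE",                       # upper-case variant
]


def scan(filenames):
    """Run the rule over each filename; return (stored, displayed, matched) tuples."""
    return [(f, displayed_form(f), matches_rule(f)) for f in filenames]


if __name__ == "__main__":
    for stored, shown, hit in scan(SAMPLE_FILENAMES):
        print(f"{'ALERT' if hit else 'ok   '}  stored={stored!r}  displayed={shown!r}")
```

Two points the run makes visible: an Arabic or Hebrew filename that contains no override character never matches, and a name that does contain U+202E but none of the listed reversed extensions (the `notes` case) is also ignored, so the false positive named in the title only applies when an RTL-named file happens to contain one of those substrings after the override. The `[U+202E]` literal is there for pipelines that escape non-printable characters before the event reaches the SIEM; if your pipeline uses a different escape form, the rule will miss it.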