LoFP / filenames that contains scriptures such as arabic or hebrew might make use of this character

Techniques

• t1036
• t1036.002

Sample rules

Potential File Extension Spoofing Using Right-to-Left Override

• source: sigma
• technicques:
  • t1036
  • t1036.002

Description

Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.

Detection logic

condition: all of selection_*
selection_extensions:
  TargetFilename|contains:
  - fpd..
  - nls..
  - vsc..
  - xcod.
  - xslx.
selection_rtlo_unicode:
  TargetFilename|contains: \u202e