Techniques
Sample rules
Detect RTLO In File Name
- source: splunk
- techniques:
- T1036.002
- T1036
Description
This search is used to detect abuse of the right-to-left override character (RTLO or RLO, U+202E). Adversaries use this technique to disguise a string and/or file name so that it appears benign. The RTLO character is a non-printing Unicode control character that causes the text following it to be rendered right-to-left, so that it appears reversed.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| regex file_name = "\\x{202E}"
| rex field=file_name "(?<RTLO_file_1>.+)(?<RTLO_exist_file>\\x{202E})(?<RTLO_file_2>.+)"
| eval file_name_with_RTLO=file_name
| eval file_name=RTLO_file_1.RTLO_file_2
| fields - RTLO*
| `detect_rtlo_in_file_name_filter`
Detect RTLO In Process
- source: splunk
- techniques:
- T1036.002
- T1036
Description
This search is used to detect abuse of the right-to-left override character (RTLO or RLO, U+202E). Adversaries use this technique to disguise a string and/or file name so that it appears benign. The RTLO character is a non-printing Unicode control character that causes the text following it to be rendered right-to-left, so that it appears reversed.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| regex process="\\x{202E}"
| rex field=process "(?<RTLO_command_1>.+)(?<RTLO_exist_process>\\x{202E})(?<RTLO_command_2>.+)"
| eval process_with_RTLO=process
| eval process=RTLO_command_1.RTLO_command_2
| fields - RTLO*
| `detect_rtlo_in_process_filter`
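The regex/rex/eval stages that both rules above share, reproduced in Python as an added example (not part of the Splunk content itself) so the logic can be exercised offline against constructed file-create events. The event dictionaries and field names are assumptions modelled on Endpoint.Filesystem; the same function applies unchanged to a process command line.

```python
import re

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Same shape as the rule's rex: text before the override, the override, text after.
RTLO_RE = re.compile(
    r"(?P<RTLO_file_1>.+)(?P<RTLO_exist_file>\u202e)(?P<RTLO_file_2>.+)", re.DOTALL
)


def analyse_file_name(file_name):
    """Return None if no RTLO is present, else the fields the rule derives."""
    if RTLO not in file_name:          # equivalent to the rule's `regex` stage
        return None
    m = RTLO_RE.fullmatch(file_name)   # equivalent to the rule's `rex` stage
    if m:
        before, after = m.group("RTLO_file_1"), m.group("RTLO_file_2")
    else:
        # The rule's rex needs at least one character on each side of U+202E.
        # A name that starts or ends with the override leaves the capture
        # groups null in SPL; strip the character here so the event still surfaces.
        before, after = file_name.split(RTLO, 1)
    return {
        "file_name": before + after,        # what the rule reports as file_name
        "file_name_with_RTLO": file_name,   # original value, override preserved
        # Approximation of what a bidi-aware file browser shows: everything
        # after the override is drawn right-to-left, i.e. reversed.
        "displayed_as": before + after[::-1],
        "rex_matched": m is not None,
    }


def detect_rtlo(events):
    """Run the check over Filesystem-style events; return enriched hits."""
    hits = []
    for ev in events:
        if ev.get("file_name", "unknown") == "unknown":   # file_name!=unknown
            continue
        fields = analyse_file_name(ev["file_name"])
        if fields:
            hits.append({**ev, **fields})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "file_name": "invoice" + RTLO + "fdp.exe"},
    {"dest": "ws02", "user": "bob", "file_name": "report.docx"},
    {"dest": "ws03", "user": "carol", "file_name": RTLO + "fdp.scr"},
    {"dest": "ws04", "user": "dave", "file_name": "unknown"},
]

if __name__ == "__main__":
    for hit in detect_rtlo(SAMPLE_EVENTS):
        print(hit)
```

The `displayed_as` field is what an analyst would compare against `file_name_with_RTLO` when triaging: the first sample renders as `invoiceexe.pdf` although the file is an `.exe`.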