LoFP / unconventional but non-malicious usage of RLO or reversed extensions.

Techniques

Sample rules

MMC Executing Files with Reversed Extensions Using RTLO Abuse

Description

Detects mmc.exe being launched with a .msc file whose name has been manipulated with a Right-to-Left Override (RLO, U+202E) character so that it appears to end in a document extension such as .doc, .pdf or .xlsx. Because the characters after the override are displayed reversed, the real file name carries the document extension spelled backwards followed by the true .msc extension (for example "cod.msc", displayed as "csm.doc"), and those reversed strings on the command line are what the rule looks for. The match is on the substring only, so a file that merely ends in one of these strings without any RLO character also triggers it.

Detection logic

detection:
  selection_image:
    - Image|endswith: '\mmc.exe'
    - OriginalFileName: 'MMC.exe'
  selection_commandline:
    CommandLine|contains:
      - 'cod.msc'
      - 'fdp.msc'
      - 'ftr.msc'
      - 'lmth.msc'
      - 'slx.msc'
      - 'tdo.msc'
      - 'xcod.msc'
      - 'xslx.msc'
      - 'xtpp.msc'
  condition: all of selection_*
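The following is an added example, not code from the LoFP page or from the Sigma rule: it builds an RLO-disguised .msc file name, shows how it is displayed versus what is actually on the command line, and runs the two selections above over a handful of constructed process-creation events. Field names (Image, OriginalFileName, CommandLine) follow the Sigma process_creation log source; the events, paths and file names are made up for the demonstration, and the extra "must contain U+202E" check is one possible tightening for the false positive this page describes, not part of the rule.

```python
# Added example: evaluate the detection logic above against constructed events.
# Not code from the LoFP page or the Sigma rule; field names follow the Sigma
# process_creation log source and every event below is constructed.

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE; text after it is rendered reversed

# Substrings from the rule's selection_commandline: a document extension spelled
# backwards, followed by the real ".msc" extension.
REVERSED_EXTENSIONS = [
    "cod.msc", "fdp.msc", "ftr.msc", "lmth.msc", "slx.msc",
    "tdo.msc", "xcod.msc", "xslx.msc", "xtpp.msc",
]


def rlo_disguise(stem: str, shown_ext: str, real_ext: str = ".msc") -> str:
    """Build an attacker-style name: the file really ends in real_ext, but the
    part after U+202E is displayed reversed, so the user sees shown_ext."""
    return f"{stem}{RLO}{shown_ext.lstrip('.')[::-1]}{real_ext}"


def displayed_name(filename: str) -> str:
    """Approximate how a file browser renders a name containing U+202E
    (adequate for ASCII tails): text after the override is shown reversed."""
    if RLO not in filename:
        return filename
    head, tail = filename.split(RLO, 1)
    return head + tail[::-1]


# --- the rule's selections; Sigma string modifiers match case-insensitively ---

def selection_image(event: dict) -> bool:
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\mmc.exe") or original == "mmc.exe"


def selection_commandline(event: dict) -> bool:
    cmdline = event.get("CommandLine", "").lower()
    return any(s in cmdline for s in REVERSED_EXTENSIONS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_image(event) and selection_commandline(event)


def has_rlo(event: dict) -> bool:
    """Optional tightening (assumption, not in the rule): require the actual
    U+202E character rather than just a name that ends in e.g. 'cod.msc'."""
    return RLO in event.get("CommandLine", "")


MMC = "C:\\Windows\\System32\\mmc.exe"
DOWNLOADS = "C:\\Users\\bob\\Downloads\\"

# Constructed process-creation events (Sysmon event ID 1 style). mmc.exe is the
# default handler for .msc, so opening the disguised file launches it with the
# file path on the command line.
EVENTS = [
    # 0: RLO-disguised .msc shown to the user as a PDF -> true positive
    {"Image": MMC, "OriginalFileName": "MMC.exe",
     "CommandLine": f'"{MMC}" "{DOWNLOADS}{rlo_disguise("invoice", ".pdf")}"'},
    # 1: ordinary administrative use of a built-in snap-in -> no match
    {"Image": MMC, "OriginalFileName": "MMC.exe",
     "CommandLine": f'"{MMC}" C:\\Windows\\System32\\services.msc'},
    # 2: same disguised name, but not launched through mmc.exe -> out of scope
    {"Image": "C:\\Windows\\System32\\WScript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": f'wscript.exe {DOWNLOADS}{rlo_disguise("invoice", ".doc")}'},
    # 3: no RLO at all, the name merely ends in "cod.msc" -> the LoFP case
    {"Image": MMC, "OriginalFileName": "MMC.exe",
     "CommandLine": f'"{MMC}" C:\\Tools\\decod.msc'},
]


def run_rule(events: list) -> list:
    """Indices of events the rule as written fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


def run_rule_requiring_rlo(events: list) -> list:
    """Indices that survive the additional U+202E requirement."""
    return [i for i, e in enumerate(events) if rule_matches(e) and has_rlo(e)]


if __name__ == "__main__":
    name = rlo_disguise("invoice", ".pdf")
    print("real name:", repr(name), "-> displayed as:", displayed_name(name))
    print("rule hits:", run_rule(EVENTS))
    print("hits with RLO required:", run_rule_requiring_rlo(EVENTS))
```

Event 3 is the shape of the false positive this page is about: the rule fires on the reversed string alone, so a file that happens to end in one of the listed strings, with no override character present, matches just like the disguised one. Requiring U+202E on the command line removes that case in this sample, at the cost that an attacker can reach for other bidirectional control characters (for example U+202B, RIGHT-TO-LEFT EMBEDDING) that this check does not cover.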