unconventional but non-malicious usage of rlo or reversed extensions.

t1036
t1036.002
t1204
t1204.002
t1218
t1218.014
windows
sigma

Techniques

t1036
t1036.002
t1204
t1204.002
t1218
t1218.014

Sample rules

MMC Executing Files with Reversed Extensions Using RTLO Abuse

source: sigma
technicques:
- t1036
- t1036.002
- t1204
- t1204.002
- t1218
- t1218.014

Description

Detects malicious behavior where the MMC utility (mmc.exe) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.

Detection logic

condition: all of selection_*
selection_commandline:
  CommandLine|contains:
  - cod.msc
  - fdp.msc
  - ftr.msc
  - lmth.msc
  - slx.msc
  - tdo.msc
  - xcod.msc
  - xslx.msc
  - xtpp.msc
selection_image:
- Image|endswith: \mmc.exe
- OriginalFileName: MMC.exe