Techniques
Sample rules
MMC Executing Files with Reversed Extensions Using RTLO Abuse
- source: sigma
- techniques:
  - t1036
  - t1036.002
  - t1204
  - t1204.002
  - t1218
  - t1218.014
Description
Detects malicious behavior where the MMC utility (mmc.exe) executes files whose names abuse the Right-to-Left Override (RLO) character, so that the true .msc extension is displayed reversed and the file appears to be a document format.
Detection logic
    selection_commandline:
        CommandLine|contains:
            - cod.msc
            - fdp.msc
            - ftr.msc
            - lmth.msc
            - slx.msc
            - tdo.msc
            - xcod.msc
            - xslx.msc
            - xtpp.msc
    selection_image:
        - Image|endswith: \mmc.exe
        - OriginalFileName: MMC.exe
    condition: all of selection_*
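To see why the rule searches for reversed fragments such as cod.msc, the following added example (not part of the rule or the Sigma project) evaluates the detection logic above over a few constructed process-creation events and shows how a filename containing U+202E is rendered by a bidi-aware display. The event field names follow the rule; the sample command lines and paths are constructed.

```python
# Added example: a small evaluator for the Sigma logic above, run over
# constructed sample events. Not code from the original rule page.
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE control character

# Reversed extension fragments from the rule's selection_commandline.
REVERSED_EXTENSIONS = [
    "cod.msc", "fdp.msc", "ftr.msc", "lmth.msc", "slx.msc",
    "tdo.msc", "xcod.msc", "xslx.msc", "xtpp.msc",
]


def displayed_filename(actual: str) -> str:
    """Approximate how a bidi-aware UI renders a name containing one RLO:
    the control itself is invisible and everything after it is drawn
    right-to-left, so the real extension reads backwards on screen."""
    if RLO not in actual:
        return actual
    head, _, tail = actual.partition(RLO)
    return head + tail[::-1]


def matches_rule(event: dict) -> bool:
    """Evaluate 'condition: all of selection_*' for one process event.
    Sigma string modifiers are case-insensitive, so compare lower-cased."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    selection_commandline = any(frag in cmd for frag in REVERSED_EXTENSIONS)
    # selection_image is a list of two maps: either entry satisfies it (OR).
    selection_image = image.endswith("\\mmc.exe") or orig == "mmc.exe"
    # 'all of selection_*' requires both selections (AND).
    return selection_commandline and selection_image


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 1: mmc.exe opening an .msc whose name hides the extension via RLO -> match
    {"Image": r"C:\Windows\System32\mmc.exe", "OriginalFileName": "MMC.exe",
     "CommandLine": f'"C:\\Windows\\System32\\mmc.exe" "C:\\Users\\u\\Downloads\\invoice{RLO}cod.msc"'},
    # 2: benign mmc.exe use of a built-in snap-in -> no match
    {"Image": r"C:\Windows\System32\mmc.exe", "OriginalFileName": "MMC.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\services.msc'},
    # 3: reversed fragment present but the process is not mmc.exe -> no match
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\tmp\cod.msc"},
]


def evaluate_samples() -> list:
    """Return the rule verdict for each constructed event, in order."""
    return [matches_rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate_samples()):
        print(verdict, event["CommandLine"])
    # The real file is invoice<RLO>cod.msc (an .msc file); on screen it reads:
    print(displayed_filename(f"invoice{RLO}cod.msc"))  # invoicecsm.doc
```

The third event shows why both selections are required: the reversed fragment alone is not enough, the rule only fires when mmc.exe (by image path or original filename) is the process that opens the file, which is what makes the .msc extension meaningful.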