sigma, high, Hunting
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
Detection Query
selection_rtlo_unicode:
    TargetFilename|contains:
        - \u202e
        - "[U+202E]"
        - "\u202e" # Real char U+202E, written here as a YAML double-quoted escape
selection_extensions:
    TargetFilename|contains:
        - 3pm.
        - 4pm.
        - cod.
        - fdp.
        - ftr.
        - gepj.
        - gnp.
        - gpj.
        - ism.
        - lmth.
        - nls.
        - piz.
        - slx.
        - tdo.
        - vsc.
        - vwm.
        - xcod.
        - xslx.
        - xtpp.
condition: all of selection_*
Author
Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2024-11-17
Data Sources
windows, File Events
Platforms
windows
Tags
attack.execution, attack.defense-evasion, attack.t1036.002
Raw Content
title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: test
description: |
    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-11-17
modified: 2026-03-20
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains:
            - '\u202e' # Unicode RTLO character
            - '[U+202E]'
            # Real char U+202E, written here as a YAML double-quoted escape
            - "\u202e"
    selection_extensions:
        TargetFilename|contains:
            - '3pm.' # Reversed `.mp3`
            - '4pm.' # Reversed `.mp4`
            - 'cod.' # Reversed `.doc`
            - 'fdp.' # Reversed `.pdf`
            - 'ftr.' # Reversed `.rtf`
            - 'gepj.' # Reversed `.jpeg`
            - 'gnp.' # Reversed `.png`
            - 'gpj.' # Reversed `.jpg`
            - 'ism.' # Reversed `.msi`
            - 'lmth.' # Reversed `.html`
            - 'nls.' # Reversed `.sln`
            - 'piz.' # Reversed `.zip`
            - 'slx.' # Reversed `.xls`
            - 'tdo.' # Reversed `.odt`
            - 'vsc.' # Reversed `.csv`
            - 'vwm.' # Reversed `.wmv`
            - 'xcod.' # Reversed `.docx`
            - 'xslx.' # Reversed `.xlsx`
            - 'xtpp.' # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Filenames that contain scripts such as Arabic or Hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
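
The rule's two selections applied to a handful of file events, as an added example that is not part of the rule or of the Sigma project's code. The sample events, paths and function names are constructed for illustration; `displayed_name` only approximates bidi rendering so an analyst can see what a user would have read during triage.

```python
# Added example: re-implements the rule's condition over constructed events.
RLO = "\u202e"  # the real RIGHT-TO-LEFT OVERRIDE character

# Real character plus the two escaped spellings listed in selection_rtlo_unicode.
# Lower-cased because Sigma 'contains' matching is case-insensitive by default.
RLO_MARKERS = (RLO, "\\u202e", "[u+202e]")

# selection_extensions: extensions in stored (reversed) order.
REVERSED_EXTS = ("3pm.", "4pm.", "cod.", "fdp.", "ftr.", "gepj.", "gnp.",
                 "gpj.", "ism.", "lmth.", "nls.", "piz.", "slx.", "tdo.",
                 "vsc.", "vwm.", "xcod.", "xslx.", "xtpp.")


def matches_rule(target_filename: str) -> bool:
    """condition: all of selection_* (both 'contains' lists must hit)."""
    name = target_filename.lower()
    has_rlo = any(marker in name for marker in RLO_MARKERS)
    has_ext = any(ext in name for ext in REVERSED_EXTS)
    return has_rlo and has_ext


def displayed_name(target_filename: str) -> str:
    """Approximate the on-screen name: text after the first RLO is drawn reversed."""
    head, sep, tail = target_filename.partition(RLO)
    return head + tail[::-1] if sep else target_filename


# Constructed file_event records (only the field the rule inspects).
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Users\alice\Downloads\invoice" + RLO + "fdp.exe"},
    # Pipeline that logged the character in an escaped form (assumption).
    {"TargetFilename": r"C:\Users\alice\Downloads\report[U+202E]xcod.scr"},
    # Ordinary file: neither selection hits.
    {"TargetFilename": r"C:\Users\alice\Documents\notes.pdf"},
    # RLO present but no reversed extension: only one selection hits.
    {"TargetFilename": r"C:\Users\alice\Documents\memo" + RLO + "draft.txt"},
]


def hits(events):
    """Return the events that satisfy both selections."""
    return [e for e in events if matches_rule(e["TargetFilename"])]


if __name__ == "__main__":
    for event in hits(SAMPLE_EVENTS):
        stored = event["TargetFilename"]
        # repr() keeps the control character visible instead of rendering it.
        print(repr(stored), "-> shown as", displayed_name(stored))
```

The fourth event shows why the rule requires both selections: a name that carries U+202E without one of the listed reversed extensions does not alert.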