← Back to Explore
T1036.002
Right-to-Left Override
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</...
LinuxmacOSWindows
6
Detections
3
Sources
5
Threat Actors
BY SOURCE
3sigma2splunk_escu1elastic
PROCEDURES (3)
Process Creation Monitoring4 detections
Auto-extracted: 4 detections for process creation monitoring
General Monitoring1 detections
Auto-extracted: 1 detections for general monitoring
File Monitoring1 detections
Auto-extracted: 1 detections for file monitoring
THREAT ACTORS (5)
DETECTIONS (6)
Detect RTLO In File Name
splunk_escu
Detect RTLO In Process
splunk_escu
File with Right-to-Left Override Character (RTLO) Created/Executed
elasticmedium
MMC Executing Files with Reversed Extensions Using RTLO Abuse
sigmahigh
Potential Defense Evasion Via Right-to-Left Override
sigmahigh
Potential File Extension Spoofing Using Right-to-Left Override
sigmahigh