From 41a59142d7cc9c9f98a936f1f195898a36a17490 Mon Sep 17 00:00:00 2001
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Mon, 18 Nov 2024 22:43:01 +0100
Subject: [PATCH] Merge PR #5081 from @cod3nym - Add `Potential File Extension Spoofing Using Right-to-Left Override`

new: Potential File Extension Spoofing Using Right-to-Left Override

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...ht_to_left_override_extension_spoofing.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml

diff --git a/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
new file mode 100644
index 00000000000..abe674df87f
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
@@ -0,0 +1,34 @@
+title: Potential File Extension Spoofing Using Right-to-Left Override
+id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
+related:
+    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+      type: derived
+status: experimental
+description: |
+    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
+references:
+    - https://redcanary.com/blog/right-to-left-override/
+    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
+author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
+date: 2024-11-17
+tags:
+    - attack.execution
+    - attack.defense-evasion
+    - attack.t1036.002
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_rtlo_unicode:
+        TargetFilename|contains: '\u202e'
+    selection_extensions:
+        TargetFilename|contains:
+            - 'fpd..'
+            - 'nls..'
+            - 'vsc..'
+            - 'xcod.'
+            - 'xslx.'
+    condition: all of selection_*
+falsepositives:
+    - Filenames that contains scriptures such as arabic or hebrew might make use of this character
+level: high
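Review bot: In `selection_rtlo_unicode` the value `'\u202e'` is single-quoted, so YAML performs no escape processing and hands the Sigma toolchain the six literal characters backslash-u-2-0-2-e rather than the U+202E code point; unless the converter decodes that escape itself (worth confirming against the related rule ad691d92 and the target backends), the rule only fires on filenames that literally contain the text `\u202e`. Double quoting lets YAML itself decode it: `TargetFilename|contains: "\u202e"`. The extension list also looks inconsistent: in the usual `name\u202efdp.exe` layout the reversed extension is followed by a single dot, yet the three-letter entries require two consecutive dots (`'fpd..'`, `'nls..'`, `'vsc..'`), and `fpd` is not `pdf` reversed (`fdp` is), so those three entries may never match — presumably the intent was `'fdp.'`, `'nls.'`, `'vsc.'`, or a comment should explain the double dot. Minor wording: the `falsepositives` entry should read `Filenames that contain scripts such as Arabic or Hebrew might make use of this character`.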