Detect RTLO In Process

Splunk Security Content

Summary
This detection rule identifies the abuse of the right-to-left override (RTLO) character (Unicode U+202E) in process names using data from Endpoint Detection and Response (EDR) agents, specifically focusing on process execution logs and command-line information. Adversaries exploit the RTLO character to mask malicious files or commands, making them appear innocuous while facilitating covert execution of harmful code. Such techniques can lead to unauthorized access, data exfiltration, or system compromise. The rule applies a series of regex and field evaluation functions to detect the presence of the RTLO character in the process names and associated command lines. The implementation relies on properly configured EDR logs, namely Sysmon and Windows Event Logs, ensuring comprehensive visibility into endpoint activities.
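The same check expressed outside Splunk, as an added example that is not part of the Splunk Security Content rule: a small Python function that applies a regex for U+202E to the process-name and command-line fields of constructed process-execution events (field names, hosts and file names are assumptions for illustration) and, for each hit, shows the name a naive right-to-left-aware renderer would display next to the real code points, which is what an analyst needs to see the spoof.

```python
import re

# The right-to-left override code point the detection looks for (U+202E).
RTLO = "\u202e"
RTLO_RE = re.compile(RTLO)

# Constructed sample events in the shape of normalised EDR process logs.
# Field names are assumed for this example, not the data model of the rule.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "process_name": "invoice_\u202efdp.exe",
     "process": "C:\\Users\\alice\\Downloads\\invoice_\u202efdp.exe"},
    {"host": "ws02",
     "process_name": "notepad.exe",
     "process": "notepad.exe C:\\temp\\readme.txt"},
    {"host": "ws03",
     "process_name": "cmd.exe",
     "process": 'cmd.exe /c start "" "report\u202ecod.scr"'},
]

CHECKED_FIELDS = ("process_name", "process")


def rendered_name(text: str) -> str:
    """Approximate what a file browser shows: everything after the first
    U+202E is drawn right-to-left, i.e. reversed, and the control itself
    is invisible."""
    idx = text.find(RTLO)
    if idx < 0:
        return text
    return text[:idx] + text[idx + 1:][::-1]


def escape_controls(text: str) -> str:
    """Make the hidden control visible for an alert or log line."""
    return text.replace(RTLO, "<U+202E>")


def detect_rtlo(events):
    """Return one finding per event whose checked fields contain U+202E."""
    findings = []
    for ev in events:
        hit_fields = [f for f in CHECKED_FIELDS if RTLO_RE.search(ev.get(f, ""))]
        if not hit_fields:
            continue
        findings.append({
            "host": ev["host"],
            "fields": hit_fields,
            "displayed_as": rendered_name(ev["process_name"]),
            "actual": escape_controls(ev["process_name"]),
            "command_line": escape_controls(ev["process"]),
        })
    return findings


if __name__ == "__main__":
    for f in detect_rtlo(SAMPLE_EVENTS):
        print(f"{f['host']}: fields={f['fields']} "
              f"displayed as '{f['displayed_as']}' actual '{f['actual']}'")
```

Matching on both the process name and the full command line matters because, as the third event shows, the spoofed name may only appear as an argument to a benign launcher such as cmd.exe while the process name itself looks clean.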
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1036
  • T1036.002
Created: 2024-11-13