Detect RTLO In File Name

Splunk Security Content

Summary
This detection rule identifies file names that contain the Right-To-Left Override (RTLO) character, U+202E, which malicious actors use to disguise harmful files. RTLO forces the text that follows it to render right-to-left, so a file whose stored name is `invoice_` followed by U+202E and `fdp.exe` is displayed as `invoice_exe.pdf`: the user sees an apparent PDF, while the operating system sees, and will execute, an `.exe`. The rule uses file creation events from the `Endpoint.Filesystem` datamodel and flags any event whose file name contains U+202E. If confirmed malicious, this disguise can lead to execution of the harmful file and subsequent system compromise. Deploying this detection requires collecting file creation logs via Sysmon EventID 11 and ensuring that endpoint data is ingested into, and mapped to, the Splunk datamodel.
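The rule's core condition, run over a few constructed Sysmon EventID 11-style events, as an added example that is not the Splunk Security Content search itself or any code from that project. The event dictionaries, the `rendered_name` approximation of bidi layout, and the `BIDI_CONTROLS` set used to strip control characters before reading the real extension are assumptions made for this illustration; the rule on the page keys on U+202E alone.

```python
import re

RTLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE, the character this rule looks for

# Broader set of Unicode bidi controls. Assumption: added here only so the
# extension check ignores every direction-control character; the page's rule
# matches U+202E alone.
BIDI_CONTROLS = re.compile("[\u200E\u200F\u202A-\u202E\u2066-\u2069]")

# Constructed sample events shaped like Sysmon EventID 11 (FileCreate)
# records after mapping into Endpoint.Filesystem. Not real telemetry.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice",
     "file_path": "C:\\Users\\alice\\Downloads\\report_Q3.pdf"},
    {"dest": "ws01", "user": "alice",
     "file_path": "C:\\Users\\alice\\Downloads\\invoice_" + RTLO + "fdp.exe"},
    {"dest": "ws02", "user": "bob",
     "file_path": "C:\\Users\\bob\\Desktop\\photo" + RTLO + "gnp.scr"},
    {"dest": "ws03", "user": "carol",
     "file_path": "C:\\Temp\\setup.exe"},
]


def file_name_of(file_path: str) -> str:
    """Last component of a Windows path (what a file_name field holds)."""
    return file_path.rsplit("\\", 1)[-1]


def contains_rtlo(file_name: str) -> bool:
    """The rule's core condition: the stored file name contains U+202E."""
    return RTLO in file_name


def rendered_name(file_name: str) -> str:
    """Approximate what a bidi-aware file browser draws: everything after the
    first RTLO is laid out right-to-left, i.e. appears reversed on screen.
    This is a simplification of the Unicode bidi algorithm that holds for
    plain ASCII names like the samples above."""
    idx = file_name.find(RTLO)
    if idx < 0:
        return file_name
    return file_name[:idx] + file_name[idx + 1:][::-1]


def true_extension(file_name: str) -> str:
    """Extension the OS actually dispatches on: text after the last '.' in the
    stored (logical) string, with bidi control characters removed."""
    logical = BIDI_CONTROLS.sub("", file_name)
    return logical.rsplit(".", 1)[-1].lower() if "." in logical else ""


def detect_rtlo(events):
    """Flag FileCreate events whose file name contains U+202E and enrich each
    hit with what the user sees versus what would really execute."""
    hits = []
    for ev in events:
        name = file_name_of(ev["file_path"])
        if not contains_rtlo(name):
            continue
        hits.append({
            "dest": ev["dest"],
            "user": ev["user"],
            "file_name": name,
            "displayed_as": rendered_name(name),
            "true_extension": true_extension(name),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_rtlo(SAMPLE_EVENTS):
        print(f"{hit['dest']}/{hit['user']}: shown as {hit['displayed_as']!r}, "
              f"really a .{hit['true_extension']} file")
```

The `displayed_as` and `true_extension` fields are the enrichment an analyst wants at triage time: the first is what the victim saw, the second is what Windows would have run. Two of the four constructed events fire, `invoice_exe.pdf` (really `.exe`) and `photorcs.png` (really `.scr`); the benign PDF and the ordinary `setup.exe` do not, since the condition is the presence of the control character, not the extension.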
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • File
ATT&CK Techniques
  • T1036
  • T1036.002
Created: 2024-11-13