
Potential Defense Evasion Via Right-to-Left Override

Sigma Rules

Summary
This detection rule identifies the use of the Right-to-Left Override (RTLO) Unicode character (U+202E) in command lines. The character reverses the rendering direction of the text that follows it in terminals, browsers, and operating system dialogs, so attackers can use it to obfuscate commands or filenames (a name that is actually an executable can be displayed as if it ended in a harmless document extension), making malicious activity hard to recognize at a glance. Because the observable looks benign in its rendered form, the obfuscation can let an intrusion go unnoticed. The rule looks for this technique in process creation events on Windows hosts, where it may be used to evade detection by traditional security controls.
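The following is an added illustration of the detection described above, not the Sigma rule's own source or any project code. It assumes Sysmon-style process creation events with an `EventID` of 1 and a `CommandLine` field, applies the U+202E check to constructed sample events, and shows an analyst the difference between how an RTLO filename renders and what it actually contains.

```python
from typing import Dict, List

# Right-to-Left Override: reverses the rendering direction of the text that follows it.
RTLO = "\u202e"

# Constructed sample process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"EventID": "1", "Image": r"C:\Users\alice\Downloads\invoice" + RTLO + "fdp.exe",
     "CommandLine": '"C:\\Users\\alice\\Downloads\\invoice' + RTLO + 'fdp.exe"'},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
]


def matches_rtlo_rule(event: Dict[str, str]) -> bool:
    """Sigma-style selection: a process creation event whose CommandLine contains U+202E."""
    return event.get("EventID") == "1" and RTLO in event.get("CommandLine", "")


def find_rtlo_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every event that the rule would alert on."""
    return [e for e in events if matches_rtlo_rule(e)]


def rendered_name(text: str) -> str:
    """Approximate how a bidi-unaware display shows the text: everything after the
    first U+202E appears reversed, so 'invoice\u202efdp.exe' is seen as 'invoiceexe.pdf'."""
    head, sep, tail = text.partition(RTLO)
    return head + tail[::-1] if sep else text


def escape_for_analyst(text: str) -> str:
    """Make the invisible override visible in an alert so the real string is not misread."""
    return text.replace(RTLO, "<U+202E>")


def describe_alert(event: Dict[str, str]) -> Dict[str, str]:
    """Alert enrichment: the command line as displayed versus as actually stored."""
    cmd = event["CommandLine"]
    return {"displayed_as": rendered_name(cmd), "actual": escape_for_analyst(cmd)}


if __name__ == "__main__":
    for hit in find_rtlo_events(SAMPLE_EVENTS):
        print(describe_alert(hit))
```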
Categories
  • Windows
Data Sources
  • Process
Created: 2023-02-15