File with Right-to-Left Override Character (RTLO) Created/Executed

Elastic Detection Rules

Summary
This detection rule identifies the creation or execution of files or processes whose names contain Right-to-Left Override (RTLO) characters, which can be used to disguise file extensions and trick users into executing malicious files. By analyzing file-creation and process-start events on Windows systems, the rule aims to detect suspicious activity that leverages RTLO characters for masquerading. It applies to several data sources, including Windows Event Logs, Sysmon logs, and endpoint logs from security solutions such as Microsoft Defender for Endpoint and SentinelOne. Alerts generated by this rule should be triaged and investigated thoroughly, as the presence of RTLO characters can signify a potential threat, especially in environments where user execution of files could lead to compromise. Additional context is also provided on handling false positives, which may occur when legitimate software or backup applications use RTLO characters for benign purposes. The rule is structured for environments that support EQL (Event Query Language) and is applicable to proactive defense and the detection of evasion tactics.
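An added example (not the Elastic rule's own logic) of the check such a rule performs, in Python: it scans constructed ECS-style file and process events for bidi override characters, shows how a naive file browser would render each name, and compares the real extension with the apparent one. The ECS field names used and the inclusion of override characters beyond U+202E are my assumptions, not the rule's stated scope.

```python
import os

# Bidi override characters that can make a name display in a different order than it is
# stored. The rule above keys on U+202E (RTLO); the other two are an assumed defender's
# superset, not part of the rule.
BIDI_OVERRIDES = {
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
}
POP_DIRECTIONAL = "\u202c"  # PDF: terminates an override if present


def as_displayed(name):
    """Approximate a naive renderer: text after U+202E is drawn reversed
    until U+202C or end of string; other control characters are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find(POP_DIRECTIONAL, i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])
            i = end + (0 if j == -1 else 1)
        elif ch in BIDI_OVERRIDES or ch == POP_DIRECTIONAL:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_name(name):
    """Return a finding dict if the name carries a bidi override, else None."""
    hits = [(i, BIDI_OVERRIDES[c]) for i, c in enumerate(name) if c in BIDI_OVERRIDES]
    if not hits:
        return None
    shown = as_displayed(name)
    return {"raw": name, "displayed_as": shown, "controls": hits,
            "real_extension": os.path.splitext(name)[1].lower(),
            "apparent_extension": os.path.splitext(shown)[1].lower()}


def scan_events(events):
    """Mimic the rule over file-creation and process-start events (assumed ECS field names)."""
    findings = []
    for ev in events:
        for field in ("file.name", "process.name", "process.command_line"):
            hit = inspect_name(ev.get(field, ""))
            if hit:
                findings.append({"event.category": ev["event.category"], "field": field, **hit})
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"event.category": "file", "file.name": "invoice_\u202efdp.exe"},
    {"event.category": "process", "process.name": "notepad.exe",
     "process.command_line": "notepad.exe C:\\Users\\a\\report.txt"},
    {"event.category": "process", "process.name": "photo_\u202egnp.scr"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the first and third events; the first is stored as `invoice_<RLO>fdp.exe` but displays as `invoice_exe.pdf`, so the apparent extension is `.pdf` while the real one is `.exe`.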
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • File
  • Process
  • Application Log
ATT&CK Techniques
  • T1036
  • T1036.002
  • T1204
  • T1204.002
Created: 2025-01-20