{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rtlo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","rtlo","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThe Right-to-Left Override (RTLO) character (U+202E) is a Unicode character that causes text to be displayed from right to left, instead of the usual left to right. This character can be exploited by attackers to disguise malicious file extensions, making a harmful file appear safe to unsuspecting users. For example, an executable file named \u0026ldquo;evil.exe\u0026rdquo; could be renamed to \u0026ldquo;evilU+202Eegp.txt.exe,\u0026rdquo; which, when displayed, would appear as \u0026ldquo;evil.exe.txt.pge,\u0026rdquo; tricking the user into thinking it\u0026rsquo;s a harmless text file. This detection rule identifies suspicious file or process activities on Windows systems by scanning for RTLO characters in file paths or process names, helping to uncover potential masquerading attempts. The detection is applicable to events from Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious file with an RTLO character embedded in its name. For example, \u003ccode\u003ebadU+202Eexe.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system, possibly through phishing, web downloads, or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eThe user receives the file and sees the file name as \u003ccode\u003ebad.txt.exe\u003c/code\u003e due to the RTLO character reversing the text display.\u003c/li\u003e\n\u003cli\u003eThe user, believing the file is a harmless text file, executes the file.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes its intended payload, which could include installing malware, exfiltrating data, or performing other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe executed process may attempt to establish a command and control (C2) connection with an external server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe malware may attempt to escalate privileges or move laterally within the network to compromise additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the victim\u0026rsquo;s system. This can result in data theft, system compromise, and potential lateral movement within the network. The use of RTLO characters is a simple but effective defense evasion technique that can bypass standard security controls relying on file extension checks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect RTLO Character in Filename\u003c/code\u003e to your SIEM to detect suspicious file creations and executions involving the RTLO character (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command line auditing to capture the execution of processes with RTLO characters in their names (Logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of RTLO characters and the importance of verifying file extensions before execution.\u003c/li\u003e\n\u003cli\u003eImplement file extension filtering policies to block the execution of certain file types, regardless of the displayed file name.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-rtlo-file-creation/","summary":"This rule detects the creation or execution of files or processes with names containing the Right-to-Left Override (RTLO) character, which can be used to disguise the file extension and trick users into executing malicious files on Windows systems.","title":"File with Right-to-Left Override Character (RTLO) Created/Executed","url":"https://feed.craftedsignal.io/briefs/2024-01-rtlo-file-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Rtlo","version":"https://jsonfeed.org/version/1.1"}