← Library
splApache-2.0from splunk/security_content

Detect RTLO In File Name

The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the RTLO character (U+202E). This activity is significant because adversaries use RTLO to disguise malicious files as benign by reversing the text that follows the character. If confirmed malicious, this technique can deceive users and security tools, leading to the execution of harmful files and potential system compromise.

Quality
59
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/detect_rtlo_in_file_name.yml
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
        values(Filesystem.file_create_time) as file_create_time

from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown

by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
   Filesystem.file_name Filesystem.file_path Filesystem.file_acl
   Filesystem.file_size Filesystem.process_guid Filesystem.process_id
   Filesystem.user Filesystem.vendor_product

| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| regex file_name = "\\x{202E}"
| rex field=file_name "(?<RTLO_file_1>.+)(?<RTLO_exist_file>\\x{202E})(?<RTLO_file_2>.+)"
| eval file_name_with_RTLO=file_name
| eval file_name=RTLO_file_1.RTLO_file_2
| fields - RTLO*
| `detect_rtlo_in_file_name_filter`