Date: 11/19/2024
Severity: Medium
Summary
"Potential File Extension Spoofing Using Right-to-Left Override" refers to a deception technique in which an attacker embeds the Unicode Right-to-Left Override character (RTLO, U+202E) in a file name to change how the file's extension is displayed. The override forces every character after it to be rendered right to left, so the tail of the name appears reversed in any bidi-aware file browser or dialog. For example, a file stored on disk as "report" + U+202E + "xcod.exe" is displayed as "reportexe.docx": the user sees what looks like a Word document, but the real extension is ".exe", and opening it runs the executable. The technique is used to get past extension-based checks and user scrutiny and to deceive users into executing malicious software.
Indicators of Compromise (IOC) List
Filename | contains '\u202e' (U+202E) together with one of the reversed-extension fragments 'fpd..', 'nls..', 'vsc..', 'xcod.', 'xslx.' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection:
Detection Query 1 | resourcename in ("Windows Security") AND eventtype = "4663" AND objectname like "\u202e" AND (objectname like "fpd.." OR objectname like "nls.." OR objectname like "vsc.." OR objectname like "xcod." OR objectname like "xslx.") |
Detection Query 2 | technologygroup = "EDR" AND objectname like "\u202e" AND (objectname like "fpd.." OR objectname like "nls.." OR objectname like "vsc.." OR objectname like "xcod." OR objectname like "xslx.") |
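The following is an added example, not code from the original advisory or from Gurucul. It builds a spoofed name the way the Summary describes, approximates how a bidi-aware UI renders it, and applies the substring logic of Detection Query 1 to a handful of constructed Windows Security 4663 events. The event dictionary field names mirror the query (resourcename, eventtype, objectname), and "like" is interpreted as a plain substring match; both are assumptions about the query language.

```python
# Added example (not from the original advisory): RTLO spoofing, rendering
# approximation, and the advisory's Query 1 logic over constructed events.
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# Reversed-extension fragments exactly as listed in the advisory's IOC table.
SUSPICIOUS_FRAGMENTS = ("fpd..", "nls..", "vsc..", "xcod.", "xslx.")


def spoofed_name(stem: str, shown_ext: str, real_ext: str) -> str:
    """On-disk name whose real extension is real_ext but which a bidi-aware
    UI displays as ending in '.' + shown_ext.
    spoofed_name("report", "docx", "exe") -> "report\u202excod.exe",
    displayed as "reportexe.docx"."""
    return f"{stem}{RLO}{shown_ext[::-1]}.{real_ext}"


def rendered_name(name: str) -> str:
    """Approximate the displayed form of a name containing U+202E.
    The override forces every following character to right-to-left, so for
    an ASCII tail with no terminating U+202C (PDF) the run is simply reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def is_rtlo_spoof(name: str) -> bool:
    """Filename IOC from the advisory: U+202E plus one listed fragment."""
    return RLO in name and any(frag in name for frag in SUSPICIOUS_FRAGMENTS)


def matches_query1(event: dict) -> bool:
    """Detection Query 1: Windows Security event 4663 whose objectname
    carries the filename IOC ("like" taken as substring match, an assumption)."""
    return (
        event.get("resourcename") == "Windows Security"
        and event.get("eventtype") == "4663"
        and is_rtlo_spoof(event.get("objectname", ""))
    )


def scan_events(events: list) -> list:
    """Return the objectname of every event that Query 1 would flag."""
    return [e["objectname"] for e in events if matches_query1(e)]


# Constructed sample events (not real telemetry).
EVENTS = [
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": "C:\\Users\\alice\\Downloads\\report.docx"},  # benign
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": "C:\\Users\\alice\\Downloads\\" + spoofed_name("report", "docx", "exe")},
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": "C:\\Users\\alice\\Downloads\\" + spoofed_name("budget", "xlsx", "scr")},
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": "C:\\Temp\\notes\u202etxt.exe"},  # RLO present, no listed fragment
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": "C:\\Temp\\" + spoofed_name("invoice", "pdf", "exe")},  # tail is "fdp.", not "fpd.."
]

if __name__ == "__main__":
    for path in scan_events(EVENTS):
        print(f"FLAGGED {path!r} displays as {rendered_name(path)!r}")
```

Two things the run makes visible that the query text alone does not. First, the IOC list is a fixed set of fragments, so a name that uses U+202E with an unlisted extension pair (the "notes" event above) passes the query untouched; a broader rule would alert on U+202E anywhere in a file name and treat the fragment list as a severity booster. Second, each fragment is the reversed spelling of the extension the victim is meant to see ("xcod." renders as ".docx", "xslx." as ".xlsx"), and reversing "fpd.." gives "..dpf", not "..pdf"; a name spoofed to display ".pdf" carries "fdp." on disk, as the "invoice" event shows, so it is worth checking that fragment against your own samples before relying on it.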
Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml