Recently I have been working on getting a query that can help me identify the execution of malicious documents which make use of "T1036.002: Masquerading (Right-to-Left Override)".
"Adversaries may manipulate features of an artifact to mask its true intentions/make it seem legitimate. One technique that could be employed to achieve this is right-to-left character override (RTLO). RTLO is a non-printing Unicode character that causes the text that follows to be displayed in reverse.
Detection of this technique involves monitoring filenames for commonly used RTLO character formats such as \u202E, [U+202E], and %E2%80%AE."
My current query does not work and simply shows all file names from the Image field: index=* | eval file_name=replace(Image,"(.*\\\)","") | rex field=file_name "(?i)(?<hex_field>202e)" | search NOT (hex_field="") | dedup file_name | table file_name, hex_field, Image