Splunk Search

How to detect T1036.002: Masquerading (Right-to-Left Override)?

jrock
Observer

Hi all,

Recently I have been working on getting a query that can help me identify the execution of malicious documents which make use of "T1036.002: Masquerading (Right-to-Left Override)". 

"Adversaries may manipulate features of an artifact to mask its true intentions/make it seem legitimate. One technique that could be employed to achieve this is right-to-left character override (RTLO). RTLO is a non-printing Unicode character that causes the text that follows to be displayed in reverse.

Detection of this technique involves monitoring filenames for commonly used RTLO character formats such as \u202E, [U+202E], and %E2%80%AE."

My current query does not work and simply shows all file names from the Image field:
index=*
| eval file_name=replace(Image,"(.*\\\)","")
| rex field=file_name "(?i)(?<hex_field>202e)" | search NOT (hex_field="")
| dedup file_name
| table file_name, hex_field, Image

 

Image Field: C:\Users\Administrator.BARTERTOWNGROUP\Desktop\‮cod.3aka3.scr

Note here that rcs.3aka3.doc is RTL, not LTR. Does anyone have any idea how to achieve such filtering?


cbr654
Path Finder

Not joking. I was going about this the hard way and wasted so much time, but this worked:

index=sysmon <U+202E>   (This is invisible. You will not see it when you paste it in Splunk)
| stats ... (your query)

In Sysmon, the CommandLine and TargetFilename fields are where you would see the RTLO operation.

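The detection the question describes (monitoring filename fields for U+202E in its raw, `\u202E`, `[U+202E]` and `%E2%80%AE` forms) and the Sysmon fields named in the reply above, as an added Python example that is not from the thread or from Splunk. It parses constructed, tab-separated key=value Sysmon-style events (the line format and every sample value are assumptions), normalizes the three notations from the question into the real character, flags any Unicode bidirectional-override control rather than only U+202E, and reports the name as stored beside the name a file manager would render, which is what makes the analyst's "rcs.3aka3.doc" and the disk's "cod.3aka3.scr" the same file.

```python
import re
import urllib.parse

# Unicode bidirectional control characters that can make a stored name render
# differently from how it is written. U+202E (RLO) is the one in the question;
# the others are included so a variant does not slip past a one-character check.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")

# Fields that carry file names in Sysmon events (Image, CommandLine,
# TargetFilename are the ones mentioned in the thread).
WATCHED_FIELDS = ("Image", "CommandLine", "TargetFilename")

# Constructed sample events (assumption: one event per line, tab-separated
# key=value pairs). Event 1 mirrors the path from the question; events 3 and 4
# carry the percent-encoded and bracketed notations the question lists.
SAMPLE_EVENTS = [
    "EventID=1\tImage=C:\\Users\\Administrator.BARTERTOWNGROUP\\Desktop\\\u202Ecod.3aka3.scr"
    "\tCommandLine=C:\\Users\\Administrator.BARTERTOWNGROUP\\Desktop\\\u202Ecod.3aka3.scr",
    "EventID=11\tTargetFilename=C:\\Users\\bob\\Downloads\\invoice.pdf",
    "EventID=11\tTargetFilename=C:\\Users\\bob\\Downloads\\report%E2%80%AEfdp.exe",
    "EventID=11\tTargetFilename=C:\\temp\\photo[U+202E]gnp.scr",
]


def normalize(value):
    """Collapse the encoded spellings of a code point into the character itself:
    %E2%80%AE (URL encoding), the literal text \\u202E, and the [U+202E] notation."""
    value = urllib.parse.unquote(value)
    value = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), value)
    value = re.sub(r"\[U\+([0-9A-Fa-f]{4})\]", lambda m: chr(int(m.group(1), 16)), value)
    return value


def find_bidi(value):
    """Return (control name, offset) for every bidi control in the normalized value."""
    text = normalize(value)
    return [(BIDI_CONTROLS[m.group()], m.start()) for m in BIDI_RE.finditer(text)]


def rendered_name(value):
    """Approximate what a file manager shows for a name containing one RLO:
    the text after U+202E is displayed reversed."""
    text = normalize(value)
    i = text.find("\u202E")
    if i == -1:
        return text
    return text[:i] + text[i + 1:][::-1]


def parse_event(line):
    """Split one constructed event line into a dict of field -> value."""
    event = {}
    for part in line.split("\t"):
        key, sep, val = part.partition("=")
        if sep:
            event[key] = val
    return event


def scan_events(lines):
    """Scan the watched fields of every event and return one finding per
    field that contains a bidi control, with stored and rendered base names."""
    findings = []
    for n, line in enumerate(lines, 1):
        event = parse_event(line)
        for field in WATCHED_FIELDS:
            if field not in event:
                continue
            hits = find_bidi(event[field])
            if not hits:
                continue
            base = normalize(event[field]).rsplit("\\", 1)[-1]
            findings.append({
                "event": n,
                "field": field,
                "controls": [name for name, _ in hits],
                "stored_name": base,
                "rendered_name": rendered_name(base),
            })
    return findings


def main():
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f['event']} {f['field']}: {f['controls']} "
              f"stored={f['stored_name']!r} displayed as {f['rendered_name']!r}")


if __name__ == "__main__":
    main()
```

The point the thread circles around is that the original rex looks for the text "202e" while the field holds the code point itself. In Splunk the same idea is a regex that names the character rather than its hex spelling, for example `\x{202E}` in the `rex` pattern (assumption: Splunk's PCRE-based rex accepts this syntax, as the reply's pasted invisible character effectively does); the normalize step above is the extra piece for logs that already carry the percent-encoded or bracketed form.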

cbr654
Path Finder

Hey jrock,
I figured it out. Copy and paste the invisible character (U+202E) from the character map into Splunk. You will not see it, but it is there. Put the rest of your query afterwards.


jrock
Observer

Hi CBR

Must be a joke o.o?

Would you mind sharing the query you have, or a simplified anonymized version? I tried this myself but couldn't get it to work.

 

 


cbr654
Path Finder

Hey jrock, were you able to figure this out? I am looking for a solution as well. Thanks!


jrock
Observer

Hey cbr!

Unfortunately I was not yet able to find any query that does exactly this. I hoped the community would be able to help, but I think this is either an underrated approach to gain a foothold on the network, or it is not possible.
