
How to detect T1036.002: Masquerading (Right-to-Left Override)?

jrock
New Member

Hi all,

Recently I have been working on getting a query that can help me identify the execution of malicious documents which make use of "T1036.002: Masquerading (Right-to-Left Override)". 

"Adversaries may manipulate features of an artifact to mask its true intentions/make it seem legitimate. One technique that could be employed to achieve this is right-to-left character override (RTLO). RTLO is a non-printing Unicode character that causes the text that follows to be displayed in reverse.

Detection of this technique involves monitoring filenames for commonly used RTLO character formats such as \u202E, [U+202E], and %E2%80%AE."

My current query does not work and simply shows all file names from the Image field:
index=* Image=*
| rex field=Image "(?<file_name>[^\\\\]+)$"
| rex field=file_name "(?<rtlo_char>\x{202E})"
| where isnotnull(rtlo_char)
| dedup file_name
| table file_name, Image


Image Field: C:\Users\Administrator.BARTERTOWNGROUP\Desktop\‮cod.3aka3.scr

Note here that the rcs.3aka3.doc is RTL not LTR. Does anyone have any idea how to achieve such filtering?

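The same check as a stand-alone script, added here as a worked example (it is not the poster's code and not a Splunk command). It looks for the real U+202E code point in the file name, also accepts the escaped spellings named in the ATT&CK note (\u202E, [U+202E], %E2%80%AE) for log pipelines that do not keep raw Unicode, and reports what the name looks like on screen next to what it actually is. The event lines, the `Image="..."` key=value layout and all function names are constructed for this example.

```python
"""Detect right-to-left override (RTLO, U+202E) masquerading in file paths.

Added example, not part of the original post. The event lines below are
constructed Sysmon-style samples; field layout and function names are my own.
"""
import re

RTLO = "\u202e"

# Escaped spellings of U+202E seen in logs that do not keep raw Unicode:
# the \u202E, [U+202E] and %E2%80%AE forms named in the ATT&CK detection note.
ENCODED_RTLO = re.compile(r"\\u202e|\[U\+202E\]|%E2%80%AE", re.IGNORECASE)

# Assumed log layout: key=value events with the path in Image="..."
IMAGE_FIELD = re.compile(r'Image="([^"]*)"')


def decode_rtlo(text):
    """Normalise escaped spellings of the override to the real code point."""
    return ENCODED_RTLO.sub(RTLO, text)


def basename(path):
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def rendered_name(name):
    """Approximate what a bidi-aware UI draws: the text after the override is
    shown reversed. (The full Unicode bidi algorithm treats digits and
    punctuation more subtly; this is enough to expose the swapped extension.)"""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def extension(name):
    """Extension of a name with the override stripped out, lower-cased."""
    clean = name.replace(RTLO, "")
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def check_path(path):
    """Return a finding dict if the path's file name carries an RTLO, else None."""
    name = basename(decode_rtlo(path))
    if RTLO not in name:
        return None
    shown = rendered_name(name)
    return {
        "actual_name": name,        # what the OS opens
        "displayed_name": shown,    # what the user sees
        "true_ext": extension(name),
        "apparent_ext": extension(shown),
    }


def scan_events(lines):
    """Run check_path over the Image field of key=value event lines."""
    hits = []
    for line in lines:
        match = IMAGE_FIELD.search(line)
        if not match:
            continue
        finding = check_path(match.group(1))
        if finding:
            hits.append(finding)
    return hits


SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    'EventCode=1 Image="C:\\Windows\\System32\\notepad.exe"',
    'EventCode=1 Image="C:\\Users\\Administrator.BARTERTOWNGROUP\\Desktop\\'
    + RTLO + 'cod.3aka3.scr"',
    # A pipeline that percent-encodes non-ASCII would emit this spelling:
    'EventCode=1 Image="C:\\Users\\Public\\%E2%80%AEfdp.3aka3.exe"',
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['displayed_name']!r} is really {hit['actual_name']!r}: "
              f"looks like .{hit['apparent_ext']}, runs as .{hit['true_ext']}")
```

For the sample path from the post the script reports that the name shown as rcs.3aka3.doc is really cod.3aka3.scr, a screensaver executable dressed as a document, which is the pair of facts an alert on this technique should carry.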