Splunk Search

How to detect T1036.002: Masquerading (Right-to-Left Override)?

jrock
Observer

Hi all,

Recently I have been working on getting a query that can help me identify the execution of malicious documents which make use of "T1036.002: Masquerading (Right-to-Left Override)". 

"Adversaries may manipulate features of an artifact to mask its true intentions/make it seem legitimate. One technique that could be employed to achieve this is right-to-left character override (RTLO). RTLO is a non-printing Unicode character that causes the text that follows to be displayed in reverse.

Detection of this technique involves monitoring filenames for commonly used RTLO character formats such as \u202E, [U+202E], and %E2%80%AE."

My current query does not work and simply shows all file names from the Image field:
index=*
| eval file_name=replace(Image,"(.*\\\)","")
| rex field=file_name "(?i)(?<hex_field>202e)" | search NOT (hex_field="")
| dedup file_name
| table file_name, hex_field, Image


Image Field: C:\Users\Administrator.BARTERTOWNGROUP\Desktop\‮cod.3aka3.scr

Note here that the rcs.3aka3.doc is RTL, not LTR. Does anyone have any idea how to achieve such filtering?

0 Karma

cbr654
Path Finder

Not joking. I was going about this the hard way and wasted so much time, but this worked:

index=sysmon <U+202E>   (This is invisible. You will not see it when you paste it in Splunk.)
| stats .. (your query)

In Sysmon, the CommandLine and TargetFilename fields are where you would see the RTLO operation.

0 Karma
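A defender-side way to check the same condition outside Splunk, as an added example that is not from this thread and not Splunk's own code: it scans constructed Sysmon-style events for bidi override characters in the fields named above (Image, TargetFilename, CommandLine), also decodes the %E2%80%AE form mentioned in the question, and reports the real extension next to what a file manager would display. The key=value line layout and the sample events are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Unicode bidi override/embedding controls. U+202E (RLO) is the one this
# thread is about; the others are included because they distort display too.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
}
BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")

# Sysmon fields where a masqueraded name would surface (assumed field names).
FIELDS = ("Image", "TargetFilename", "CommandLine")

def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: text after U+202E is reversed."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name

def find_rtlo(event: dict) -> list:
    """Return one finding per field that contains a bidi control character."""
    findings = []
    for field in FIELDS:
        value = event.get(field)
        if not value:
            continue
        decoded = unquote(value)  # turns %E2%80%AE into U+202E as well
        if not BIDI_RE.search(decoded):
            continue
        base = decoded.strip('"').replace("\\", "/").rsplit("/", 1)[-1]
        findings.append({
            "field": field,
            "controls": sorted({BIDI_CONTROLS[c] for c in BIDI_RE.findall(decoded)}),
            "real_extension": base.rsplit(".", 1)[-1].lower(),
            "shown_as": displayed_name(base),
        })
    return findings

def parse_kv(line: str) -> dict:
    """Parse a constructed tab-separated 'Key=Value' Sysmon-style line."""
    return dict(part.split("=", 1) for part in line.split("\t") if "=" in part)

# Constructed sample events, not real telemetry.
SAMPLE_LINES = [
    "EventCode=1\tImage=C:\\Users\\Administrator\\Desktop\\\u202ecod.3aka3.scr\tCommandLine=\"C:\\Users\\Administrator\\Desktop\\\u202ecod.3aka3.scr\"",
    "EventCode=11\tImage=C:\\Windows\\explorer.exe\tTargetFilename=C:\\Users\\Administrator\\Downloads\\invoice%E2%80%AEfdp.exe",
    "EventCode=1\tImage=C:\\Windows\\System32\\notepad.exe\tCommandLine=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for hit in find_rtlo(parse_kv(line)):
            print(hit)
```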

cbr654
Path Finder

Hey jrock,
I figured it out. Copy and paste the invisible character (U+202E) from the character map into Splunk. You will not see it, but it is there. Put the rest of your query afterwards.

0 Karma

jrock
Observer

Hi CBR

Must be a joke o.o?

Would you mind sharing the query you have, or a simplified, anonymized version? I tried this myself, but I couldn't get it to work.

0 Karma

cbr654
Path Finder

Hey jrock, were you able to figure this out? I am looking for a solution as well. Thanks!

0 Karma

jrock
Observer

Hey cbr!

Unfortunately I was not yet able to find any query that does exactly this. I hoped the community would be able to help, but I think this is either an underrated approach to gain a foothold on the network, or it is not possible.

0 Karma