Splunk Search

How to detect T1036.002: Masquerading (Right-to-Left Override)?

jrock
Observer

Hi all,

Recently I have been working on getting a query that can help me identify the execution of malicious documents which make use of "T1036.002: Masquerading (Right-to-Left Override)". 

"Adversaries may manipulate features of an artifact to mask its true intentions/make it seem legitimate. One technique that could be employed to achieve this is right-to-left character override (RTLO). RTLO is a non-printing Unicode character that causes the text that follows to be displayed in reverse.

Detection of this technique involves monitoring filenames for commonly used RTLO character formats such as \u202E, [U+202E], and %E2%80%AE."

My current query does not work and simply shows all file names from the Image field:
index=*
| eval file_name=replace(Image,"(.*\\\)","")
| rex field=file_name "(?i)(?<hex_field>202e)" | search NOT (hex_field="")
| dedup file_name
| table file_name, hex_field, Image


Image Field: C:\Users\Administrator.BARTERTOWNGROUP\Desktop\‮cod.3aka3.scr

Note here that the rcs.3aka3.doc is RTL not LTR. Does anyone have any idea how to achieve such filtering?


cbr654
Path Finder

Not joking. I was going about this the hard way and wasted so much time, but this worked:

index=sysmon <U+202E>   (This is invisible. You will not see it when you paste it in Splunk.)
| stats .. (your query)

In Sysmon, the CommandLine and TargetFilename fields are where you would see the RTLO operation.

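To make visible what the invisible-character search above actually matches, here is an added Python example (not from this thread and not Splunk code) that scans constructed Sysmon-style events for U+202E, also catching the escaped "\u202E" / "[U+202E]" and URL-encoded %E2%80%AE forms quoted in the question, and reports the name as a user would see it next to the real extension. The key=value event layout and the field names are assumptions; adjust them to your own log format.

```python
# Added example (not from the thread): scan constructed Sysmon-style log
# lines for the right-to-left override character in file-name fields and
# report the name as a user would see it next to the real extension.
import re
from urllib.parse import unquote

RTLO = "\u202e"
# The question lists three ways the character shows up in data: the raw
# character, the escaped text "\u202E"/"[U+202E]", and URL-encoded %E2%80%AE.
ESCAPED = re.compile(r"\\u202e|\[U\+202E\]", re.IGNORECASE)
# Field names the answer above points at in Sysmon events (assumed
# key=value layout; adjust to your actual log format).
FIELDS = re.compile(r"(?:Image|TargetFilename|CommandLine)=(.*?)(?=\s+\w+=|$)")

# Constructed sample events; the second and third carry an RTLO file name.
SAMPLE_LOGS = [
    "EventCode=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "EventCode=1 Image=C:\\Users\\alice\\Desktop\\\u202ecod.3aka3.scr",
    "EventCode=11 TargetFilename=C:\\Users\\alice\\Downloads\\invoice%E2%80%AEfdp.exe",
]

def normalize(value):
    """Bring all three encodings of the override down to the raw character."""
    return ESCAPED.sub(RTLO, unquote(value))

def displayed_name(base):
    """Show a file name the way a bidi-aware UI renders it: the text after
    the override is drawn right to left, i.e. reversed for ASCII names."""
    idx = base.find(RTLO)
    if idx < 0:
        return base
    return base[:idx] + base[idx + 1:][::-1]

def scan(lines):
    """Return one finding per field value that contains the override."""
    hits = []
    for line in lines:
        for match in FIELDS.finditer(line):
            value = normalize(match.group(1))
            if RTLO not in value:
                continue
            base = value.replace("\\", "/").rsplit("/", 1)[-1]
            hits.append({
                "actual": base.replace(RTLO, "<U+202E>"),
                "displayed": displayed_name(base),
                "real_ext": base.rsplit(".", 1)[-1].lower(),
            })
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

For the second sample the displayed name is rcs.3aka3.doc while the real extension is scr, which is exactly the case shown in the question.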

cbr654
Path Finder

Hey jrock,
I figured it out. Copy and paste the invisible character (U+202E) from the character map into Splunk. You will not see it, but it is there. Put the rest of your query afterwards.


jrock
Observer

Hi CBR

Must be a joke o.o?

Would you mind sharing the query you have, or a simplified anonymized version? I tried this myself but couldn't get it to work.

cbr654
Path Finder

Hey jrock, were you able to figure this out? I am looking for a solution as well. Thanks!

jrock
Observer

Hey cbr!

Unfortunately I was not yet able to find any query that does exactly this. I hoped the community would be able to help, but I think this is either an underrated approach to gain a foothold on the network, or it is not possible.
