Right-to-Left Override

let RTLO_Char = unicode_codepoints_to_string(dynamic([8238]));
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName contains RTLO_Char or FolderPath contains RTLO_Char
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11 OR EventCode=15)
| eval has_rtlo=if(match(Image, "\xe2\x80\xae") OR match(TargetFilename, "\xe2\x80\xae") OR match(CommandLine, "\xe2\x80\xae"), 1, 0)
| where has_rtlo=1
| table _time, host, User, EventCode, Image, TargetFilename, CommandLine, Hashes
| sort - _time

any where event.category in ("process", "file") and (
  process.name regex~ ".*\u202e.*" or
  process.executable regex~ ".*\u202e.*" or
  process.command_line regex~ ".*\u202e.*" or
  file.path regex~ ".*\u202e.*" or
  file.name regex~ ".*\u202e.*"
)

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  sourceip AS source_ip,
  "Process Name",
  "Command",
  "File Path",
  QIDNAME(qid) AS event_name
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND "Event ID" IN ('1', '11', '15', '4688')
  AND (
    "Process Name" LIKE '%' || CHR(226) || CHR(128) || CHR(174) || '%'
    OR "Command" LIKE '%' || CHR(226) || CHR(128) || CHR(174) || '%'
    OR "File Path" LIKE '%' || CHR(226) || CHR(128) || CHR(174) || '%'
    OR "File Name" LIKE '%' || CHR(226) || CHR(128) || CHR(174) || '%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

(_sourceCategory=*sysmon* OR _sourceCategory=*windows/security* OR _sourceCategory=*winlogbeat*)
| where EventID in ("1", "11", "15", "4688")
| if(isNull(Image), "", Image) as proc_image
| if(isNull(TargetFilename), "", TargetFilename) as target_file
| if(isNull(CommandLine), "", CommandLine) as cmd_line
| if(isNull(NewProcessName), "", NewProcessName) as new_proc
| where proc_image matches "*\u202e*"
  OR target_file matches "*\u202e*"
  OR cmd_line matches "*\u202e*"
  OR new_proc matches "*\u202e*"
| fields _messageTime, Computer, User, EventID, proc_image, target_file, cmd_line, new_proc, Hashes
| sort by _messageTime desc

rule t1036_002_rtlo_override {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Right-to-Left Override (RTLO) character U+202E in process and file events to identify filename extension spoofing"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.002"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1036/002/"
  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" or
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    )
    (
      re.regex($e.principal.process.file.full_path, `\x{202e}`) or
      re.regex($e.target.file.full_path, `\x{202e}`) or
      re.regex($e.target.file.names[0], `\x{202e}`) or
      re.regex($e.principal.process.command_line, `\x{202e}`)
    )
  condition:
    $e
}

#event_simpleName = /ProcessRollup2|SyntheticProcessRollup2|FileWritten|PeFileWritten/
| ImageFileName = /\xe2\x80\xae/ OR CommandLine = /\xe2\x80\xae/ OR TargetFileName = /\xe2\x80\xae/
| table([timestamp, ComputerName, UserName, #event_simpleName, ImageFileName, CommandLine, TargetFileName, SHA256HashData, MD5HashData])
| sort(timestamp, order=desc)