Detect Right-to-Left Override in IBM QRadar
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named 'March 25 \u202Excod.scr' will display as 'March 25 rcs.docx'. Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1036 Masquerading
- Sub-technique: T1036.002 Right-to-Left Override
- Canonical reference: https://attack.mitre.org/techniques/T1036/002/
QRadar Detection Query
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
       LOGSOURCENAME(logsourceid) AS log_source,
       CATEGORYNAME(category) AS event_category,
       username,
       sourceip AS source_ip,
       "Process Name",
       "Command",
       "File Path",
       QIDNAME(qid) AS event_name
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND "Event ID" IN ('1', '11', '15', '4688')
  AND (
       "Process Name" LIKE '%' || CHR(226) || CHR(128) || CHR(174) || '%'
    OR "Command" LIKE '%' || CHR(226) || CHR(128) || CHR(174) || '%'
    OR "File Path" LIKE '%' || CHR(226) || CHR(128) || CHR(174) || '%'
    OR "File Name" LIKE '%' || CHR(226) || CHR(128) || CHR(174) || '%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

Detects the RTLO character (U+202E; UTF-8 bytes 0xE2 0x80 0xAE, written in decimal as CHR(226)||CHR(128)||CHR(174)) in process and file events. Covers Sysmon Event IDs 1 (process create), 11 (file create) and 15 (file stream hash) and Windows Security Event 4688 (process creation) by searching for the 3-byte UTF-8 sequence in key string fields. Note that "File Name" is searched but not returned in the SELECT list, and that Sysmon Event ID 13 (registry value set) is not in the Event ID filter, so the registry variant exercised in Test 3 below is outside this query's scope.
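The query's logic as an added Python example (not part of this page or of QRadar), run offline over constructed Sysmon and Security events: it applies the same Event ID filter and searches the same fields for the UTF-8 bytes of U+202E, and additionally renders how the name would be displayed so the shown and real extensions can be compared. The field names, sample paths and values are assumptions.

```python
RTLO = "\u202e"                               # right-to-left override
RTLO_UTF8 = RTLO.encode("utf-8")              # b'\xe2\x80\xae': the byte sequence the AQL query matches
WATCHED_FIELDS = ("Process Name", "Command", "File Path", "File Name")
WATCHED_EVENT_IDS = {"1", "11", "15", "4688"}  # the query's Event ID filter; Sysmon 13 is deliberately absent

def displayed_name(name: str) -> str:
    """Approximate a bidi-naive listing: text after the first RTLO is drawn reversed."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name

def extension_mismatch(name: str):
    """Return (shown_ext, real_ext) when the visible extension differs from the real one, else None."""
    def ext(s: str) -> str:
        return s.rsplit(".", 1)[-1].lower() if "." in s else ""
    shown, real = ext(displayed_name(name)), ext(name)
    return (shown, real) if shown != real else None

def find_rtlo(event: dict) -> list:
    """One event through the query's logic: right Event ID and the RTLO UTF-8 bytes in a watched field."""
    if str(event.get("Event ID")) not in WATCHED_EVENT_IDS:
        return []
    hits = []
    for field in WATCHED_FIELDS:
        value = event.get(field)
        if value and RTLO_UTF8 in value.encode("utf-8"):
            hits.append((field, displayed_name(value), extension_mismatch(value)))
    return hits

def scan(events: list) -> list:
    """Run the filter over a batch; returns [(event_id, hits)] for matching events only."""
    results = []
    for event in events:
        hits = find_rtlo(event)
        if hits:
            results.append((event["Event ID"], hits))
    return results

# Constructed sample telemetry (not real logs), keyed by the field names the query uses.
SAMPLE_EVENTS = [
    {"Event ID": "11", "Process Name": "C:\\Windows\\explorer.exe",             # Sysmon FileCreate, as in Test 2
     "File Path": "C:\\Users\\alice\\Downloads\\invoice_2026\u202efdp.scr",
     "File Name": "invoice_2026\u202efdp.scr"},
    {"Event ID": "4688", "Process Name": "C:\\Windows\\System32\\notepad.exe",  # benign process creation
     "Command": "notepad.exe report.docx"},
    {"Event ID": "13", "Process Name": "C:\\Windows\\regedit.exe",              # registry value set, as in Test 3:
     "Registry Value": "Updater\u202eexe.txt"},                                 # not covered by the query's filter
]
```

Calling scan(SAMPLE_EVENTS) returns only the Event ID 11 record, with the File Path and File Name hits shown as 'invoice_2026rcs.pdf' and an extension mismatch of ('pdf', 'scr'); the registry event is dropped by the Event ID filter exactly as it would be in QRadar.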
Data Sources
Required Tables
False Positives & Tuning
- Applications legitimately processing Arabic, Hebrew, or other RTL-script documents where bidirectional Unicode control characters appear in file metadata or paths
- Document management or content pipeline systems operating in multi-locale environments where RTL formatting characters are embedded in filenames from external sources
- Authorized red team or security awareness campaigns using RTLO techniques as part of phishing simulation exercises
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create File with RTLO Character to Disguise Extension
  Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing the RTLO character (U+202E). The filename in logs will show the raw Unicode character.
- Test 2: Create Executable Masquerading as PDF via RTLO
  Expected signal: Sysmon Event ID 11: FileCreate with .scr extension disguised via RTLO. The file appears as 'invoice_2026rcs.pdf' in Explorer but is actually a screensaver executable.
- Test 3: RTLO in Registry Value (Windows)
  Expected signal: Sysmon Event ID 13: RegistryEvent (Value Set) with the RTLO character in the registry value name. Regedit.exe will display the reversed text but reg.exe will show the raw characters.
References (6)
- https://attack.mitre.org/techniques/T1036/002/
- https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/
- https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/
- https://securelist.com/zero-day-vulnerability-in-telegram/83800/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.002/T1036.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file_event