title: Right-to-Left Override (T1036.002)
id: df00tech-t1036-002
status: experimental
description: "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named 'March 25 \\u202Excod.scr' will display as 'March 25 rcs.docx'. Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity."
references:
  - https://attack.mitre.org/techniques/T1036/002/
  - https://df00tech.com/detections/T1036.002
author: df00tech
date: 2026/04/20
tags:
  - attack.t1036.002
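# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The process_creation category is an assumption made so the fields below resolve.
logsource:
  product: windows
  category: process_creation
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The original placeholder (EventID: '*') matched every event. The selection below is an
  # assumed equivalent: U+202E present in the process image path or command line.
  selection:
    - Image|contains: "\u202E"
    - CommandLine|contains: "\u202E"
  condition: selection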
falsepositives:
  - "Legitimate documents in right-to-left languages (Arabic, Hebrew, Farsi) that use bidirectional text control characters"
  - Internationalized file names in multilingual environments that legitimately use Unicode control characters
  - PDF or Word documents containing RTL text segments that may appear in file metadata
level: high
