chronicle / detection-rules

Collection of YARA-L 2.0 sample rules for the Chronicle Detection API
https://chronicle.security
Apache License 2.0

Added suspicious_rtlo_executable_file #14

Closed ag-michael closed 2 years ago

ag-michael commented 2 years ago

Hi,

This rule detects when a file is written to disk or a command line contains a right-to-left override (U+202E) character followed by a string that would deceive users into believing the file has a different extension. For example: legitpic\u202Egpj.exe would appear in Windows Explorer as legitpicexe.jpg. I have tested this scenario and validated the rule.

P.S.: Mind the "invisible" Unicode character in the regex if you edit the rule.
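The detection logic described in the PR, as an added Python illustration that is not the repository's YARA-L rule and not code from the PR author. It renders what a bidi-aware UI would show for a name containing U+202E (a simplified model of the Unicode bidi algorithm: the run after the override is displayed reversed), compares the displayed extension with the extension the OS actually uses, and flags the mismatch only when the real extension is executable. The function names, the extension list and the sample events are assumptions constructed for this example, not Chronicle UDM records.

```python
"""Detect U+202E (right-to-left override) extension spoofing in file paths and
command lines.  Added example; not the repository's YARA-L rule."""
import re

RLO = "\u202e"  # written as an escape so the invisible character is visible in source

# Assumed list of extensions Windows will execute; a benign-looking displayed
# extension that hides one of these is what we flag.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "ps1", "msi", "dll", "lnk", "hta",
}

# Constructed sample events for this example (not real Chronicle data).
SAMPLE_EVENTS = [
    {"file_path": "C:\\Users\\alice\\Downloads\\legitpic\u202egpj.exe"},
    {"command_line": "cmd.exe /c start \"\" C:\\tmp\\report\u202ecod.scr"},
    {"file_path": "C:\\Program Files\\app\\readme.txt"},
    # RLO present, but the real extension is not executable: legitimate RTL use, not a spoof.
    {"command_line": "notepad.exe C:\\notes\\photo\u202etxt.jpg"},
]

TOKEN_RE = re.compile(r"[^\s\"']+")  # split a command line into unquoted tokens


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def rendered_name(name: str) -> str:
    """Approximate what Explorer shows: the override is invisible and every
    character after it is laid out right-to-left, i.e. appears reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """Extension the OS uses: text after the last '.' in the raw basename."""
    base = _basename(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def is_rlo_spoof(name: str) -> bool:
    """True when U+202E makes an executable file display with a different extension."""
    if RLO not in name:
        return False
    real = real_extension(name)
    shown = real_extension(rendered_name(_basename(name)))
    return real in EXECUTABLE_EXTENSIONS and shown != real


def scan_events(events: list) -> list:
    """Run the check over file_path and command_line fields of sample events."""
    hits = []
    for event in events:
        for field in ("file_path", "command_line"):
            value = event.get(field)
            if not value:
                continue
            for token in TOKEN_RE.findall(value):
                if is_rlo_spoof(token):
                    hits.append({
                        "field": field,
                        "raw": token,
                        "displayed": rendered_name(_basename(token)),
                        "real_extension": real_extension(token),
                    })
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['field']}: shown as {hit['displayed']!r}, "
              f"really .{hit['real_extension']} ({hit['raw']!r})")
```

The last sample event is the caveat the P.S. hints at: U+202E on its own is not malicious (right-to-left scripts use bidi controls legitimately), so the check keys on the mismatch between displayed and real extension rather than on the mere presence of the character. Writing the override as `\u202e` instead of pasting the raw character keeps it visible to anyone editing the pattern.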