Right-to-Left Override Masquerading Detection via Filename and Execution Context

ID: DET0527
Domains: Enterprise
Analytics: AN1461, AN1462, AN1463
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1461

Execution of files containing right-to-left override characters (U+202E) to masquerade true file extensions. Often found in phishing payloads or file downloads.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| File Metadata (DC0059) | WinEventLog:Windows Defender | Operational |

Mutable Elements

| Field | Description |
|---|---|
| FilenamePattern | RTLO variants such as \u202E, %E2%80%AE, or byte-encoded forms |
| ExecutionContext | Allows tuning for untrusted sources, e.g., browser downloads or email attachments |
| TimeWindow | Defines correlation between file creation and process execution |

AN1462

Execution of files with reversed filename extensions using the Unicode RTLO character. Frequently used to deceive Gatekeeper and users in Safari- or Mail-based phishing.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | subsystem=com.apple.lsd |
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |
| File Access (DC0055) | fs:quarantine | /var/log/quarantine.log |

Mutable Elements

| Field | Description |
|---|---|
| FilenameDisplay | Whether user-facing tools display the spoofed name or the true extension |
| GatekeeperBypassFlag | Whether the execution bypassed translocation or quarantine checks |
| UserContext | Scope detection to untrusted or non-admin users |

AN1463

Execution of user-downloaded or user-created scripts whose extension is hidden by an RTLO character inserted in the filename, often seen in desktop environments or phishing campaigns.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Metadata (DC0059) | linux:osquery | event-based |
| File Access (DC0055) | desktop:file_manager | nautilus, dolphin, or gvfs logs |

Mutable Elements

| Field | Description |
|---|---|
| ExtensionMismatch | Filter based on mismatched visible extension vs. magic bytes or mime-type |
| ProcessLineage | Correlation between file open and subsequent script interpreter invocation |
| FilenameEntropy | Suspicious Unicode sequences or byte entropy in filenames |
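The following is an added example, not part of the DET0527 strategy or any MITRE tooling, showing the core of the FilenamePattern check from AN1461 (normalising the \u202E, %E2%80%AE and raw-byte encodings of U+202E) and the ExtensionMismatch check from AN1463 (comparing the extension a user sees with the real one and with the file's leading bytes). The event records, field names (`image`, `first_bytes`) and magic-number table are constructed assumptions for the demonstration; a real deployment would read the path from the Sysmon, Endpoint Security or auditd record named in the tables above and the leading bytes from the file metadata source.

```python
"""Detect right-to-left override (U+202E) masquerading in filenames
from process-creation or file-metadata events (added example, not MITRE code)."""
import re
from typing import Optional, Union
from urllib.parse import unquote

RTLO = "\u202e"
# Unicode bidi override/embedding/isolate controls; all can reorder a rendered name.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Expected leading bytes for a few common extensions (real magic values, short table).
MAGIC = {
    "exe": b"MZ", "dll": b"MZ", "scr": b"MZ",
    "pdf": b"%PDF",
    "docx": b"PK", "xlsx": b"PK", "zip": b"PK",
}


def normalize_filename(raw: Union[str, bytes]) -> str:
    """Collapse the encodings a log may carry (raw UTF-8 bytes, %E2%80%AE from
    URL-derived fields, \\u202E escapes written by logging tools) into the
    Unicode string the file system actually stores."""
    s = raw.decode("utf-8", errors="surrogateescape") if isinstance(raw, bytes) else raw
    s = unquote(s)  # %E2%80%AE -> U+202E (only safe on fields that are URL-encoded)
    return re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: the text after the first U+202E is
    displayed reversed and the control characters themselves are invisible."""
    if RTLO not in name:
        return "".join(c for c in name if c not in BIDI_CONTROLS)
    head, _, tail = name.partition(RTLO)
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1]


def extension(path: str) -> str:
    base = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def analyze_filename(raw: Union[str, bytes]) -> dict:
    """Compare the true extension with the one the user would see."""
    name = normalize_filename(raw)
    shown = rendered_name(name)
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    return {
        "true_name": name,
        "rendered_name": shown,
        "has_bidi_control": has_bidi,
        "true_ext": extension(name),
        "visible_ext": extension(shown),
        "ext_mismatch": has_bidi and extension(name) != extension(shown),
    }


def content_matches_extension(ext: str, first_bytes: bytes) -> Optional[bool]:
    """None when no magic is known for ext; otherwise whether the bytes match."""
    magic = MAGIC.get(ext)
    return None if magic is None else first_bytes.startswith(magic)


def evaluate_event(event: dict) -> dict:
    """Score one record. Constructed schema: 'image' (path), optional 'first_bytes'."""
    result = analyze_filename(event["image"])
    reasons = []
    if result["has_bidi_control"]:
        reasons.append("bidi control character in filename")
    if result["ext_mismatch"]:
        reasons.append(f"visible .{result['visible_ext']} hides true .{result['true_ext']}")
    first_bytes = event.get("first_bytes")
    if first_bytes is not None and result["visible_ext"]:
        if content_matches_extension(result["visible_ext"], first_bytes) is False:
            reasons.append(f"content magic does not match visible .{result['visible_ext']}")
    result["alert"] = bool(reasons)
    result["reasons"] = reasons
    return result


# Constructed sample events covering the three encodings and a benign control.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\invoice\u202Efdp.exe", "first_bytes": b"MZ\x90\x00"},
    {"image": "/Users/bob/Downloads/photo%E2%80%AEgnp.command", "first_bytes": b"#!/bin/zsh\n"},
    {"image": b"/home/carol/Desktop/readme\xe2\x80\xaetxt.sh", "first_bytes": b"#!/bin/sh\n"},
    {"image": r"C:\Program Files\Acme\report.pdf", "first_bytes": b"%PDF-1.7"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = evaluate_event(ev)
        print(r["alert"], repr(r["true_name"]), "->", r["rendered_name"], r["reasons"])
```

The rendering model is deliberately simple (everything after the first override is reversed); it is enough to recover the extension a user sees, which is what the mismatch rule needs. Tuning the ExecutionContext or UserContext elements from the tables above amounts to filtering `SAMPLE_EVENTS` on parent process, download directory or user before calling `evaluate_event`.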