!yreuqsO htiw OLTR gnitceteD

Unicode chars are dangerous. We all know that they can be used to trigger vulnerabilities, bypass filters and lure some users to take the wrong action. Last year during a BlueOps training about MITRE’s ATT&CK framework explaining tactics and tech. I just randomly give an example of a trick that uses Right-To-Left-Override, RTLO char (U+202E) to deceive users. It can happen in several ways, and I must admit I tried to show where exactly in ATT&CK’s framework it was but I couldn’t find. I knew that should be in “Defense Evasion” but no clue.
No problem at all! MITRE’s ATT&CK framework is a (great)community-driven base of adversary tactics and techniques based on real-world observations. This was a well-known real-world trick[1,2], even used in bug bounties[3]. I just had to submit to the community and after some time they updated their database to cover it in the Masquerading (T1036) technique. Not only showing that is awesome work in progress but also showing that the community is strong.

About BlueOps

BlueOps is a Brazilian company that wants to bring high-quality training about defensive security in Portuguese. We have plenty of Offensive training/courses/teachers and we plan to make defensive technologies cool again.

We are a defensive security company!

Is part of our job show how can we detect the T1036 being used in your environment. For this, we first thought to use Facebook’s Osquery(version 3.2.6)[4] to see if we can catch this kind of trick. The problem is Osquery can’t find the \u202E Unicode char correctly, even when listing files, that’s why is important always test your detection rules first!

Doc with RTLO and icon changed

Listing files the doc is there

We can’t find this doc with Osquery

PowerShell to the rescue!

As Osquery fails to detect the Technique 1036 we must find another source in how to detect/find this kind of trick. As this kind of trick is common on Microsoft Windows environment, we can rely on PowerShell to search and find files with weird Unicode char.

Get-ChildItem -Path: C:\ -Recurse -ErrorAction SilentlyContinue| % {$_.FullName | Select-String -AllMatches ‘\u202E’}

Powershell is able to find =)

Conclusion

We must know the strengths and weakness of our tools! Even thought Os query is a great tool, right now it seems it can’t handle some Unicode. This isn’t an exclusive Osquery problem, some security tools also fail when they have to parse/analyze/trigger when weird chars are in the middle. Also, MITRE’s is a great community and they’re always trying to improve the ATT&CK framework.

References

[1] https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/
[2] — https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/
[3] — https://hackerone.com/reports/196222
[4] —https://osquery.io/