update logic

rules/windows/file/file_event/file_event_win_susp_rtlo_extension_spoofing.yml → rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml

@@ -1,15 +1,16 @@
-title: Potential File Extension Spoofing Right-to-Left Override
+title: Potential File Extension Spoofing Using Right-to-Left Override
 id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
 related:
     - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
       type: derived
 status: experimental
-description: Detects suspicious filenames that contain right-to-left override characters and potentially spoofed file extensions
+description: |
+    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
 references:
     - https://redcanary.com/blog/right-to-left-override/
     - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
-author: Jonathan Peters (NextronSystems), Florian Roth (NextronSystems)
-date: 2024-10-25
+author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
+date: 2024-11-17
 tags:
     - attack.execution
     - attack.defense-evasion
@@ -18,15 +19,16 @@ logsource:
     category: file_event
     product: windows
 detection:
-    selection:
-        - TargetFilename|contains:
-            - 'nls..'
+    selection_rtlo_unicode:
+        TargetFilename|contains: '\u202e'
+    selection_extensions:
+        TargetFilename|contains:
             - 'fpd..'
+            - 'nls..'
+            - 'vsc..'
             - 'xcod.'
             - 'xslx.'
-            - 'vsc..'
-        - TargetFilename|contains: '\u202e'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
     - Filenames that contains scriptures such as arabic or hebrew might make use of this character
 level: high