https://github.com/franckferman/memento-rtlo
🔄 Memento: Right-to-Left Override (RTLO) Extension Spoofing File Renamer.
https://github.com/franckferman/memento-rtlo
cyber cybersecurity-education extension memento pentest pentesting powershell powershell-script powershell-scripting powershell-scripts redteam redteam-tool redteaming right-to-left rtlo rtlo-extension-spoof spoof spoof-extension spoof-extensions spoofing-attack
Last synced: about 1 month ago
JSON representation
🔄 Memento: Right-to-Left Override (RTLO) Extension Spoofing File Renamer.
- Host: GitHub
- URL: https://github.com/franckferman/memento-rtlo
- Owner: franckferman
- License: agpl-3.0
- Created: 2023-11-12T15:26:03.000Z (over 2 years ago)
- Default Branch: stable
- Last Pushed: 2025-03-13T16:24:42.000Z (over 1 year ago)
- Last Synced: 2025-04-07T22:38:08.070Z (over 1 year ago)
- Topics: cyber, cybersecurity-education, extension, memento, pentest, pentesting, powershell, powershell-script, powershell-scripting, powershell-scripts, redteam, redteam-tool, redteaming, right-to-left, rtlo, rtlo-extension-spoof, spoof, spoof-extension, spoof-extensions, spoofing-attack
- Language: PowerShell
- Homepage: https://github.com/franckferman/Memento-RTLO
- Size: 81.1 KB
- Stars: 5
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
[![Contributors][contributors-shield]](https://github.com/franckferman/Memento-RTLO/graphs/contributors)
[![Stargazers][stars-shield]](https://github.com/franckferman/Memento-RTLO/stargazers)
[![License][license-shield]](https://github.com/franckferman/Memento-RTLO/blob/stable/LICENSE)
Memento-RTLO
File extension spoofing via the Right-to-Left Override Unicode character (U+202E).
PowerShell-based red team and awareness tool demonstrating MITRE ATT&CK T1036.002.
---
## Table of Contents
Click to collapse/expand
- About
- Unicode Bidi Deep Dive
- RTLO Attack Mechanics
- MITRE ATT&CK Mapping
- Detection
- Installation
- Usage
- Star Evolution
- License
- Contact
---
## About
Memento-RTLO is a PowerShell tool that demonstrates **file extension spoofing** using the Right-to-Left Override (RTLO) Unicode control character (`U+202E`).
It renames or copies executable files (`.exe`, `.hta`, `.bat`, `.vbs`) so that their displayed extension appears benign (e.g., `.pdf`, `.jpeg`, `.txt`) while the underlying filesystem entry and operating-system behavior remain unchanged. The visual deception is produced entirely at the Unicode rendering layer, without modifying file content or metadata.
The project serves three audiences:
- **Red teamers** building phishing payloads for authorized engagements.
- **Security researchers** analyzing how operating systems and email clients render bidirectional filenames.
- **Blue teamers and trainers** demonstrating the attack to raise user awareness.
> This technique is well-documented and widely detected by modern endpoint protection platforms. It is not a sophisticated bypass. Its value is pedagogical.
---
## Unicode Bidi Deep Dive
### The Unicode Bidirectional Algorithm (UBA)
The Unicode Standard defines the **Bidirectional Algorithm** (UAX #9) to handle mixed-direction text — documents that combine left-to-right (LTR) scripts such as Latin with right-to-left (RTL) scripts such as Arabic or Hebrew. The algorithm assigns a **bidi category** to every code point and then applies a set of rules to determine the visual order of characters on screen.
Key bidi categories relevant to this attack:
| Category | Name | Description |
|---|---|---|
| L | Left-to-Right | Standard Latin characters, digits in LTR context |
| R | Right-to-Left | Hebrew base characters |
| AL | Arabic Letter | Arabic base characters |
| AN | Arabic Number | Arabic-Indic digits |
| RLE | Right-to-Left Embedding | U+202B — open RTL embedding |
| LRE | Left-to-Right Embedding | U+202A — open LTR embedding |
| RLO | Right-to-Left Override | **U+202E** — force all following characters RTL |
| LRO | Left-to-Right Override | U+202D — force all following characters LTR |
| PDF | Pop Directional Formatting | U+202C — terminate the innermost embedding |
### U+202E: Right-to-Left Override
`U+202E RIGHT-TO-LEFT OVERRIDE` is a **format character** — it has zero width, produces no visible glyph, and is designed for use in contexts where a run of characters must be rendered right-to-left regardless of their intrinsic bidi properties.
Legitimate use cases include:
- Displaying a product code or part number written in a Latin script inside an otherwise RTL document.
- Embedding a URL that contains LTR punctuation inside Arabic body text.
Because it is a non-printing character, it is **invisible in most GUI contexts** — Windows Explorer, email clients, Outlook attachment lists, messaging applications, and web browsers all render the reversed characters without exposing the control character itself.
### Code Point Anatomy
```
U+202E
Block : General Punctuation (U+2000 - U+206F)
Category : Cf (Format character)
Bidi : RLO (Right-to-Left Override)
Mirrored : No
UTF-8 : E2 80 AE (3 bytes)
UTF-16LE : 2E 20 (2 bytes, BMP)
```
The three-byte UTF-8 sequence `0xE2 0x80 0xAE` is what appears in the raw bytes of any NTFS filename that embeds this character.
### Visual Reversal Mechanism
When `U+202E` is inserted at position *k* in a string, every character at positions *k+1* onward is rendered in reverse visual order by the bidi algorithm. The characters are stored in logical (memory) order unchanged; only the **rendering pipeline** reorders them.
Example — logical storage vs. visual presentation:
```
Logical bytes: A n n e x e [U+202E] e p e j . e x e
^-- LTR name --^ ^-- RTL rendering starts here --^
Visual output: Annexe exe.jpeg
^^^^^^ appears to be .jpeg extension
```
The file is an `.exe`. The filesystem, the kernel, and the process loader all see `exe.jpeg` reversed back to `gpej.exe` — but the **bidi display layer** shows `jpeg`. The operating system executes it as an EXE.
---
## RTLO Attack Mechanics
### Filename Construction
The attack constructs a filename with the following logical structure:
```
+ U+202E + reverse() +
```
Step by step for a target file `payload.exe` spoofed to appear as `Annexe.jpeg`:
1. Choose display name: `Annexe`
2. Choose spoof extension: `jpeg`
3. Reverse the spoof extension character by character: `gepj`
4. Append the real extension: `gepj.exe`
5. Insert `U+202E` between display name and reversed string: `Annexe[U+202E]gepj.exe`
The bidi algorithm renders `gepj.exe` right-to-left, producing the visual string `exe.jpeg` appended to `Annexe`, so the user sees **`Annexe exe.jpeg`**.
Windows Explorer also assigns the icon associated with `.jpeg` files to this entry (via shell association lookup on the **displayed** extension string), completing the visual deception.
### Supported File Types
| Real Extension | Spoof Options |
|---|---|
| `.exe` | `Annexe.jpeg`, `Document.pdf` |
| `.hta` | `Info.jpg`, `Fichier.txt` |
| `.bat` | `Note.txt`, `Liste.csv` |
| `.vbs` | `Script.txt`, `Email.eml` |
### Operating System Behavior
- **NTFS**: stores the exact logical byte sequence including `U+202E`. No sanitization occurs at the filesystem layer.
- **Windows Shell**: renders the filename through the DirectWrite/GDI bidi stack, showing the reversed visual form.
- **Process execution**: the Windows kernel resolves the filename using its logical byte sequence. When the user double-clicks the visually deceptive entry, the loader reads the real extension (`.exe`) and executes accordingly.
- **Linux (ext4/NTFS-3g)**: the character is valid in filenames. Terminal emulators with bidi support (e.g., mlterm, recent versions of GNOME Terminal with fribidi) will render the reversal.
### Delivery Vectors
The technique has been observed in the following delivery contexts:
- Email attachments (Outlook renders bidi filenames in the attachment pane).
- ZIP archives opened via Explorer or third-party archivers.
- Messenger file transfers (Telegram, WhatsApp Web).
- SMB shares browsed via Explorer.
- Malicious ISO/IMG mounts.
---
## MITRE ATT&CK Mapping
### T1036.002 - Masquerading: Right-to-Left Override
| Field | Value |
|---|---|
| Tactic | Defense Evasion |
| Technique | T1036 - Masquerading |
| Sub-technique | T1036.002 - Right-to-Left Override |
| Platforms | Windows, Linux, macOS |
| Data Sources | File: File Metadata, File: File Creation, Process: Process Creation |
**ATT&CK description (paraphrased):** Adversaries may abuse the RTLO character to disguise the true file extension of a malicious payload. This sub-technique focuses on the Unicode bidirectional control character `U+202E`, which causes text following it to be displayed in reverse. When placed strategically in a filename, it causes the displayed extension to differ from the actual extension processed by the operating system.
### Related Techniques
| ID | Name | Relationship |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Common delivery mechanism for RTLO-renamed payloads |
| T1204.002 | User Execution: Malicious File | Depends on the user clicking the spoofed file |
| T1036 | Masquerading (parent) | RTLO is one sub-technique of broader masquerading |
| T1027 | Obfuscated Files or Information | Conceptual overlap — non-content-level obfuscation |
### Real-World Usage
RTLO-based filename spoofing has been documented in:
- **APT28 (Fancy Bear)** spearphishing campaigns (2014-2016) targeting journalists and government officials.
- **Mahdi malware** (2012) — one of the early documented uses of RTLO in targeted attacks.
- Multiple commodity phishing kits distributed via email platforms.
- **FIN7** operational tooling in financial sector attacks.
---
## Detection
### Filesystem-Level Detection
Scan filenames for the presence of Unicode bidi override/embedding characters:
| Code Point | Name | UTF-8 bytes |
|---|---|---|
| U+202A | Left-to-Right Embedding | `E2 80 AA` |
| U+202B | Right-to-Left Embedding | `E2 80 AB` |
| U+202C | Pop Directional Formatting | `E2 80 AC` |
| U+202D | Left-to-Right Override | `E2 80 AD` |
| U+202E | Right-to-Left Override | `E2 80 AE` |
| U+2066 | Left-to-Right Isolate | `E2 81 A6` |
| U+2067 | Right-to-Left Isolate | `E2 81 A7` |
| U+2068 | First Strong Isolate | `E2 81 A8` |
| U+2069 | Pop Directional Isolate | `E2 81 A9` |
PowerShell one-liner to scan the current directory for RTLO characters in filenames:
```powershell
Get-ChildItem -Recurse | Where-Object { $_.Name -match [char]0x202E } | Select-Object FullName
```
Python equivalent for cross-platform use:
```python
import os
BIDI_CONTROLS = {'\u202a', '\u202b', '\u202c', '\u202d', '\u202e',
'\u2066', '\u2067', '\u2068', '\u2069'}
for root, dirs, files in os.walk('.'):
for name in files:
if any(c in name for c in BIDI_CONTROLS):
print(os.path.join(root, name))
```
### SIEM / EDR Detection Rules
**Sigma rule concept (Windows file creation event):**
```yaml
title: RTLO Character in Filename
status: experimental
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: "\u202E"
condition: selection
falsepositives:
- Legitimate Arabic/Hebrew software with RTL product names (rare)
level: high
tags:
- attack.defense_evasion
- attack.t1036.002
```
**Windows Defender / MDE KQL:**
```kql
DeviceFileEvents
| where FileName contains "\u202E"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName
```
### Email Gateway
Most enterprise email gateways (Proofpoint, Mimecast, Microsoft EOP) flag or strip attachments whose filename bytes contain `0xE2 0x80 0xAE`. Verify your gateway's Unicode normalization policy if RTLO files are a concern in your threat model.
### Antivirus Heuristics
Major AV vendors flag RTLO-named executables at the file-open/scan event layer. Detection is reliable on Windows when the file is written to disk. Network-level inspection varies by vendor.
---
## Installation
### Prerequisites
- **Windows OS** (tested on Windows 10 and Windows 11).
- **PowerShell 5.1 or higher** (pre-installed on modern Windows).
- No external dependencies. Pure PowerShell.
### Getting Memento-RTLO
#### Option 1: One-liner download
```powershell
Invoke-WebRequest https://raw.githubusercontent.com/franckferman/Memento-RTLO/stable/MementoRTLO.ps1 -OutFile MementoRTLO.ps1
```
#### Option 2: Clone via Git
```powershell
git clone https://github.com/franckferman/Memento-RTLO.git
```
#### Option 3: Download ZIP
1. Navigate to the GitHub repository.
2. Click `<> Code` then `Download ZIP`.
3. Extract to the desired location.
---
## Usage
### Setup
Allow script execution for the current process (does not persist):
```powershell
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
```
### Basic Usage
```powershell
.\MementoRTLO.ps1 --file "C:\Path\to\payload.exe"
```
If `--choice` is omitted, the script presents an interactive menu of available spoof patterns for the detected extension.
Combined one-liner:
```powershell
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process; .\MementoRTLO.ps1 --file "C:\Path\to\payload.exe"
```
### Command-Line Reference
```
.\MementoRTLO.ps1 --file [--choice ] [--replace] [--show-list] [--help]
```
| Option | Required | Description | Example |
|---|---|---|---|
| `--file ` | Yes | Path to the source file to spoof | `--file "C:\lab\test.exe"` |
| `--choice ` | No | Select spoof pattern by index (see `--show-list`) | `--choice 1` |
| `--replace` | No | Rename the original file in-place (default: create a copy) | `--replace` |
| `--show-list` | No | Print all available name/extension pairs and exit | `--show-list` |
| `--help` / `-help` / `/help` | No | Print help message and exit | `--help` |
### Examples
List available spoof patterns:
```powershell
.\MementoRTLO.ps1 --show-list
```
Spoof `payload.exe` as a PDF document (non-destructive copy):
```powershell
.\MementoRTLO.ps1 --file "C:\lab\payload.exe" --choice 2
```
Spoof `payload.exe` as a JPEG and rename the original in-place:
```powershell
.\MementoRTLO.ps1 --file "C:\lab\payload.exe" --choice 1 --replace
```
Spoof a VBS file as an email message:
```powershell
.\MementoRTLO.ps1 --file "C:\lab\dropper.vbs" --choice 2
```
---
## Star Evolution
---
## License
This project is licensed under the GNU Affero General Public License v3.0.
See the [LICENSE](https://github.com/franckferman/Memento-RTLO/blob/stable/LICENSE) file for the full terms.
---
## Contact
[![ProtonMail][protonmail-shield]](mailto:contact@franckferman.fr)
[![LinkedIn][linkedin-shield]](https://www.linkedin.com/in/franckferman)
[![Twitter][twitter-shield]](https://www.twitter.com/franckferman)
[contributors-shield]: https://img.shields.io/github/contributors/franckferman/Memento-RTLO.svg?style=for-the-badge
[contributors-url]: https://github.com/franckferman/Memento-RTLO/graphs/contributors
[stars-shield]: https://img.shields.io/github/stars/franckferman/Memento-RTLO.svg?style=for-the-badge
[stars-url]: https://github.com/franckferman/Memento-RTLO/stargazers
[license-shield]: https://img.shields.io/github/license/franckferman/Memento-RTLO.svg?style=for-the-badge
[license-url]: https://github.com/franckferman/Memento-RTLO/blob/stable/LICENSE
[protonmail-shield]: https://img.shields.io/badge/ProtonMail-8B89CC?style=for-the-badge&logo=protonmail&logoColor=blueviolet
[linkedin-shield]: https://img.shields.io/badge/-LinkedIn-black.svg?style=for-the-badge&logo=linkedin&colorB=blue
[twitter-shield]: https://img.shields.io/badge/-Twitter-black.svg?style=for-the-badge&logo=twitter&colorB=blue