Add MFT rule for RTLO and add .lnk to most sup_script_exec rules

Author: reece394

rules/mft/sup_script_exec_intel_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath:

rules/mft/sup_script_exec_perflogs_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath:

rules/mft/sup_script_exec_program_files_root_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath:

rules/mft/sup_script_exec_recyclebin_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath:

rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath:

rules/mft/sup_script_exec_root_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath:

rules/mft/sup_script_exec_root_nonstand_fold_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath:
@@ -130,4 +131,5 @@ filter:
       - 'iWindows\*'
       - 'i[Unknown]\*'
       - 'iIntel\*'
-      - 'iTemp\*'
+      - 'iTemp\*'
+      - 'iWindows.old\*'

rules/mft/sup_script_exec_root_temp_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath:

rules/mft/sup_script_exec_rtlo_mft.yml

@@ -0,0 +1,118 @@
+---
+title: Suspicious Script or Executable Using RTLO
+group: MFT
+description: Suspicious Script or Executable using Right To Left Override Character U+202E. Potential Threat Actor Activity.
+authors:
+  - Reece394
+
+
+kind: mft
+level: high
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+  - name: FileNamePath
+    to: FullPath
+  - name: StandardInfoLastModified0x10
+    to: StandardInfoLastModified
+  - name: StandardInfoLastAccess0x10
+    to: StandardInfoLastAccess
+  - name: FileNameCreated0x30
+    to: FileNameCreated
+  - name: FileNameLastModified0x30
+    to: FileNameLastModified
+  - name: FileNameLastAccess0x30
+    to: FileNameLastAccess
+  - name: FileSize
+    to: FileSize
+  - name: IsADirectory
+    to: IsADirectory
+  - name: IsDeleted
+    to: IsDeleted
+  - name: HasAlternateDataStreams
+    to: HasAlternateDataStreams
+  - name: DataStreams
+    to: DataStreams
+
+filter:
+  condition: sup and rtlo
+
+  sup:
+    FullPath:
+      - 'i*.bat'
+      - 'i*.cmd'
+      - 'i*.cpl'
+      - 'i*.ex'
+      - 'i*.ex_'
+      - 'i*.exe'
+      - 'i*.jse'
+      - 'i*.msc'
+      - 'i*.ps1'
+      - 'i*.ps1xml'
+      - 'i*.ps2'
+      - 'i*.ps2xml'
+      - 'i*.psc1'
+      - 'i*.psc2'
+      - 'i*.msh'
+      - 'i*.msh1'
+      - 'i*.msh2'
+      - 'i*.mshxml'
+      - 'i*.msh1xml'
+      - 'i*.msh2xml'
+      - 'i*.reg'
+      - 'i*.vb'
+      - 'i*.vbe'
+      - 'i*.ws'
+      - 'i*.wsf'
+      - 'i*.wsc'
+      - 'i*.hta'
+      - 'i*.vbs'
+      - 'i*.com'
+      - 'i*.dll'
+      - 'i*.sys'
+      - 'i*.isu'
+      - 'i*.scr'
+      - 'i*.mst'
+      - 'i*.job'
+      - 'i*.paf'
+      - 'i*.sct'
+      - 'i*.gadget'
+      - 'i*.pif'
+      - 'i*.shb'
+      - 'i*.vbscript'
+      - 'i*.inf'
+      - 'i*.inf1'
+      - 'i*.shs'
+      - 'i*.bin'
+      - 'i*.ins'
+      - 'i*.u3p'
+      - 'i*.wsh'
+      - 'i*.inx'
+      - 'i*.js'
+      - 'i*.msi'
+      - 'i*.msp'
+      - 'i*.rgs'
+      - 'i*.sh'
+      - 'i*.run'
+      - 'i*.jar'
+      - 'i*.py'
+      - 'i*.py3'
+      - 'i*.pyc'
+      - 'i*.pyo'
+      - 'i*.pyw'
+      - 'i*.pyx'
+      - 'i*.pyd'
+      - 'i*.pxd'
+      - 'i*.pyi'
+      - 'i*.pyz'
+      - 'i*.pl'
+      - 'i*.rb'
+      - 'i*.ocx'
+      - 'i*.scf'
+      - 'i*.lnk'
+
+  rtlo:
+    FullPath:
+      - 'i*‮*'

rules/mft/sup_script_exec_user_downloads_mft.yml

@@ -111,6 +111,7 @@ filter:
       - 'i*.rb'
       - 'i*.ocx'
       - 'i*.scf'
+      - 'i*.lnk'
 
   directory:
     FullPath: