KQL Search

Query Details

HomeAI ToolsDevice Query

Bi Di Swap URL In Device Network Events

Query

# *BiDi Swap URL in DeviceNetworkEvents*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1036.002 | Right-to-Left Override | https://attack.mitre.org/techniques/T1036/002/ |
| TA1001 | Data Obfuscation | https://attack.mitre.org/techniques/T1001/ |

#### Description

This rule detects the presence of percent-encoded Bi-Directional (BiDi) control characters in URLs within network events. Specifically, it looks for '%E2%80%AE' (Right-to-Left Override - RLO), '%E2%80%8E' (Left-to-Right Mark - LRM), and '%E2%80%8F' (Right-to-Left Mark - RLM). These characters can be used to obfuscate URLs, making malicious links appear benign to users and potentially bypass security controls.

#### Author <Optional>
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://www.bleepingcomputer.com/news/security/bidi-swap-the-bidirectional-text-trick-that-makes-fake-urls-look-real/


## Defender XDR
```KQL
//BiDi Swap Detection
let bidi_chars = dynamic(['%E2%80%AE', '%E2%80%8E', '%E2%80%8F']);
// Die wichtigsten BiDi-Zeichen sind RLO (%E2%80%AE), RLM (%E2%80%8F) und LRM (%E2%80%8E).
// Die Liste oben deckt die gängigsten Bidi-Kontroll- und nicht-druckbaren Steuerzeichen ab (U+2000 bis U+206F).
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
// Suche nach den prozentkodierten BiDi-Zeichen in der URL
| where RemoteUrl has_any (bidi_chars)
| project Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType, InitiatingProcessFileName, RemoteIP, RemotePort, ReportId
| extend Bidi_Character_Found = extract_all(@"(%E2%80%AE|%E2%80%8E|%E2%80%8E)", RemoteUrl)

```

Explanation

This query is designed to detect potentially malicious URLs in network events by identifying the use of specific percent-encoded Bi-Directional (BiDi) control characters. These characters can be used to manipulate the appearance of URLs, making them look legitimate while hiding malicious intent. The query focuses on three specific BiDi characters:

  1. Right-to-Left Override (RLO): %E2%80%AE
  2. Left-to-Right Mark (LRM): %E2%80%8E
  3. Right-to-Left Mark (RLM): %E2%80%8F

Here's a breakdown of what the query does:

  1. Define BiDi Characters: It starts by defining a list of the BiDi characters that are of interest.

  2. Filter Network Events: It looks at network events where the URL is not empty.

  3. Search for BiDi Characters: It checks if any of the defined BiDi characters are present in the URLs.

  4. Project Relevant Data: It selects and displays relevant information such as the timestamp, device name, device ID, URL, action type, initiating process file name, remote IP, remote port, and report ID.

  5. Extract BiDi Characters: It extracts and lists any BiDi characters found in the URL for further analysis.

Overall, this query helps in identifying URLs that might be using text direction control characters to disguise their true nature, which is a technique associated with obfuscation and potentially malicious activity.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: October 28, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsTimestampDeviceNameDeviceIdRemoteUrlActionTypeInitiatingProcessFileNameRemoteIPRemotePortReportIdBidiCharacterFound

Operators

letdynamicDeviceNetworkEvents|whereisnotemptyhas_anyprojectextendextract_all

Actions