Suspicious Space Characters in RunMRU Registry Path - ClickFix

Original Source: [Sigma source]
Title: Suspicious Space Characters in RunMRU Registry Path - ClickFix
Status: experimental
Description: Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures that use ClickFix techniques to hide malicious commands in the Windows Run dialog box from the naked eye.
References:
  - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
  - https://github.com/JohnHammond/recaptcha-phish
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-11-04
Modified: None
Tags:
  • attack.execution
  • attack.t1204.004
  • attack.defense-evasion
  • attack.t1027.010
Logsource:
  • category: registry_set
  • product: windows
Detection:
  selection_key:
    TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
    Details|contains: '#'
  selection_space_variation:
    Details|contains:
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -' '

  condition: all of selection_*
Falsepositives:
  - Unlikely
Level: high
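
The rule's logic applied to constructed registry_set events, as an added example that is not part of the Sigma rule or its source repository. It assumes the variants under selection_space_variation are different Unicode space characters, each repeated 12 times, and generalizes them to any Unicode space separator (category Zs); the single-character last entry is not modelled, and all function names and sample events are hypothetical.

```python
import unicodedata

# Registry path from selection_key; Sigma "contains" is case-insensitive.
RUNMRU = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru\\"
MIN_RUN = 12  # assumption: run length of the variants as rendered on this page

def longest_space_run(value):
    """Return (length, char) of the longest run of one repeated Zs character."""
    best_len, best_ch, run, prev = 0, "", 0, None
    for ch in value:
        if unicodedata.category(ch) == "Zs":
            run = run + 1 if ch == prev else 1
            if run > best_len:
                best_len, best_ch = run, ch
        else:
            run = 0
        prev = ch
    return best_len, best_ch

def matches(event):
    """Both selections must hold (condition: all of selection_*)."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    if RUNMRU not in target or "#" not in details:
        return False
    return longest_space_run(details)[0] >= MIN_RUN

def triage(events):
    """Return (TargetObject, run length, Unicode name) for each matching event."""
    hits = []
    for ev in events:
        if matches(ev):
            length, ch = longest_space_run(ev["Details"])
            hits.append((ev["TargetObject"], length, unicodedata.name(ch)))
    return hits

# Constructed registry_set events; <command> is a placeholder, not a real payload.
KEY = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    {"TargetObject": KEY + r"\a", "Details": "<command>" + " " * 40 + "# Verification ID: 4821\\1"},
    {"TargetObject": KEY + r"\b", "Details": "<command>" + "\u2003" * 12 + "# check\\1"},
    {"TargetObject": KEY + r"\c", "Details": "notepad C:\\notes\\todo #1.txt\\1"},
    {"TargetObject": KEY + r"\d", "Details": "cmd" + " " * 20 + "\\1"},
    {"TargetObject": r"HKCU\Software\Example\Setting", "Details": "x" + " " * 30 + "#"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Reporting the Unicode name of the padding character tells the analyst which whitespace variant was used, which is not visible when the value is viewed in a registry editor or log viewer.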