Suspicious Space Characters in TypedPaths Registry Path - FileFix

Original Source: [Sigma source]
Title: Suspicious Space Characters in TypedPaths Registry Path - FileFix
Status: experimental
Description: Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
References:
  - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
  - https://mrd0x.com/filefix-clickfix-alternative/
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-11-04
Modified: None
Tags:
  • attack.execution
  • attack.t1204.004
  • attack.defense-evasion
  • attack.t1027.010
Logsource:
  • category: registry_set
  • product: windows
Detection:
  selection_key:
    TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
    Details|contains: '#'
  selection_space_variation:
    Details|contains:
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -'            '
      -' '

  condition: all of selection_*
Falsepositives:
  - Unlikely
Level: high
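
The rule's logic applied to a few registry_set events, as an added example that is not part of the Sigma rule or its author's code. It generalizes the rule's fixed padding strings to any run of 12 or more Unicode space separators (category Zs) and does not model the rule's single-character entry; the threshold, function names and all event values are assumptions constructed for illustration.

```python
import unicodedata

# Value suffix taken from the rule's selection_key.
TYPEDPATHS_URL1 = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1"
MIN_RUN = 12  # assumption: the padding entries in the rule appear 12 characters long


def longest_space_run(value):
    """Longest run of Unicode space separators (category Zs) in value."""
    best = run = 0
    for ch in value:
        run = run + 1 if unicodedata.category(ch) == "Zs" else 0
        best = max(best, run)
    return best


def is_suspicious(event):
    """Apply 'all of selection_*' to one registry_set event (dict)."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    return (target.endswith(TYPEDPATHS_URL1.lower())  # Sigma matching is case-insensitive
            and "#" in details
            and longest_space_run(details) >= MIN_RUN)


# Constructed sample events; the SID, paths and command text are made up.
KEY = r"HKU\S-1-5-21-0-0-0-1001" + TYPEDPATHS_URL1
SAMPLES = [
    # ASCII-space padding between a '#' and a benign-looking path
    {"TargetObject": KEY, "Details": "cmd /c echo constructed-sample #" + " " * 40 + r"C:\Docs\report.docx"},
    # Same layout padded with EM SPACE (U+2003) instead of U+0020
    {"TargetObject": KEY, "Details": "cmd /c echo constructed-sample #" + "\u2003" * 15 + r"C:\Docs\report.docx"},
    # Legitimate typed path that happens to contain '#'
    {"TargetObject": KEY, "Details": r"C:\Projects\C# Samples"},
    # Padded value, but written to url2, which the rule does not cover
    {"TargetObject": KEY[:-1] + "2", "Details": "x #" + " " * 40 + "y"},
]


def verdicts():
    return [is_suspicious(e) for e in SAMPLES]


if __name__ == "__main__":
    for event, hit in zip(SAMPLES, verdicts()):
        print(hit, repr(event["Details"][:40]))
```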