FileFix - Command Evidence in TypedPaths

Severity: high
Author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1204.004` User Execution: Malicious Copy and Paste

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `all of selection_base`

Details|contains: '#'
Details|contains: http
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'

Stage 2: `all of selection_cmd`

or:
Details|contains: '%comspec%'
Details|contains: account
Details|contains: anti-bot
Details|contains: bitsadmin
Details|contains: botcheck
Details|contains: captcha
Details|contains: certutil
Details|contains: challenge
Details|contains: cmd
Details|contains: confirmation
Details|contains: cscript
Details|contains: curl
Details|contains: finger
Details|contains: fraud
Details|contains: human
Details|contains: identification
Details|contains: identificator
Details|contains: identity
Details|contains: mshta
Details|contains: powershell
Details|contains: pwsh
Details|contains: regsvr32
Details|contains: robot
Details|contains: rundll32
Details|contains: schtasks
Details|contains: validation
Details|contains: verification
Details|contains: verify
Details|contains: wget
Details|contains: wscript

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	match	`#` corpus 3 (sigma 3) `%comspec%` corpus 2 (sigma 2) `account` corpus 2 (sigma 2) `anti-bot` corpus 2 (sigma 2) `bitsadmin` corpus 2 (sigma 2) `botcheck` corpus 2 (sigma 2) `captcha` corpus 2 (sigma 2) `certutil` corpus 2 (sigma 2) `challenge` corpus 2 (sigma 2) `cmd` corpus 3 (sigma 3) `confirmation` corpus 2 (sigma 2) `cscript` corpus 4 (sigma 4) `curl` corpus 2 (sigma 2) `finger` corpus 2 (sigma 2) `fraud` corpus 2 (sigma 2) `http` corpus 2 (sigma 2) `human` corpus 2 (sigma 2) `identification` corpus 2 (sigma 2) `identificator` corpus 2 (sigma 2) `identity` corpus 2 (sigma 2) `mshta` corpus 4 (sigma 4) `powershell` corpus 8 (sigma 8) `pwsh` corpus 4 (sigma 4) `regsvr32` corpus 3 (sigma 3) `robot` corpus 2 (sigma 2) `rundll32` corpus 4 (sigma 4) `schtasks` corpus 2 (sigma 2) `validation` corpus 2 (sigma 2) `verification` corpus 2 (sigma 2) `verify` corpus 2 (sigma 2) `wget` corpus 2 (sigma 2) `wscript` corpus 4 (sigma 4)
`TargetObject`	ends_with	`\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1` corpus 2 (sigma 2)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Suspicious Space Characters in TypedPaths Registry Path - FileFix [sigma] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)