Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures that use ClickFix techniques to hide malicious commands in the Windows Run dialog box from the user's view.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.004 User Execution: Malicious Copy and Paste |
| Defense Evasion | T1027.010 Obfuscated Files or Information: Command Obfuscation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: all of selection_key
Details|contains: '#'
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
Stage 2: all of selection_space_variation
or:
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
Details|contains: ' '
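The two stages above, applied to constructed Sysmon Event ID 13 records, as an added example that is not part of the rule or of this catalogue. It goes beyond the per-value `contains` checks by measuring one run across mixed Unicode space characters; the code-point set, the 12-character threshold, and all sample values are assumptions.

```python
import re

# Stage 1 key fragment from the rule's TargetObject predicate, lower-cased
# because Sigma 'contains' matching is case-insensitive.
RUNMRU_KEY = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru\\"

# Assumptions: this set of space-like code points and the run length are
# illustrative choices, not values taken from the rule.
SPACE_RUN = re.compile("[\u0020\u00a0\u2000-\u200a\u202f\u205f\u3000]+")
MIN_RUN = 12


def longest_space_run(details):
    """Length of the longest run of space-like characters, mixed kinds included."""
    return max((len(m) for m in SPACE_RUN.findall(details)), default=0)


def matches_rule(event):
    """Evaluate both stages against one Sysmon Event ID 13 record (a dict)."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    stage1 = RUNMRU_KEY in target and "#" in details
    return stage1 and longest_space_run(details) >= MIN_RUN


def flagged(events):
    """Names of the RunMRU values (last path component) that match."""
    return [e["TargetObject"].rsplit("\\", 1)[-1] for e in events if matches_rule(e)]


# Constructed sample events; the SID, commands and lure text are placeholders.
KEY = ("HKU\\S-1-5-21-0000000000-0000000000-0000000000-1001"
       "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\")
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": KEY + "a", "Details": "notepad\\1"},
    {"EventID": 13, "TargetObject": KEY + "b",
     "Details": "example.exe /placeholder #" + "\u2003" * 40 + "Verification ID 0000\\1"},
    {"EventID": 13, "TargetObject": KEY + "c", "Details": "cmd /c echo a    b\\1"},
    {"EventID": 13, "TargetObject": KEY + "d",
     "Details": "example.exe #" + "\u00a0\u2002" * 10 + "text\\1"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Example\\Setting",
     "Details": "x #" + " " * 40},
]

if __name__ == "__main__":
    print(flagged(SAMPLE_EVENTS))
```

Value `d` alternates two different space characters, so no single repeated character reaches the threshold, yet the combined run does.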
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Details | match | |
| TargetObject | match | |