detection.wiki

Detection rules › Sigma

Suspicious Space Characters in TypedPaths Registry Path - FileFix

Severity
high
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1204.004 User Execution: Malicious Copy and Paste
Defense EvasionT1027.010 Obfuscated Files or Information: Command Obfuscation

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: all of selection_key

Details|contains: '#'
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'

Stage 2: all of selection_space_variation

or:
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '
Details|contains: '            '

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailsmatch
  • corpus 2 (sigma 2)
  • # corpus 3 (sigma 3)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
  •              corpus 2 (sigma 2)
TargetObjectends_with
  • \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1 corpus 2 (sigma 2)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.