FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
Sigma rule
title: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
status: experimental
description: Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
references:
    - https://x.com/russianpanda9xx/status/1940831134759506029
    - https://mrd0x.com/filefix-clickfix-alternative/
author: Alfie Champion (delivr.to)
date: 2025-07-05
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: registry_set
    product: windows
detection:
    selection_base:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains: '#'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    selection_cmd:
        Details|contains:
            - 'cmd'
            - 'curl'
            - 'powershell'
            - 'bitsadmin'
            - 'certutil'
            - 'mshta'
            - 'regsvr32'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
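As an added illustration (not part of the rule or the Sigma project), a small Python evaluator that applies the rule's two selections to constructed registry_set events; it shows that a browser writing url1 fires only when the value carries both the '#' marker and one of the command tokens, using Sigma's default case-insensitive string matching:

```python
# Added example: evaluates the FileFix TypedPaths rule above against
# constructed Windows registry_set events (Sysmon Event ID 13 style fields).
# Not the Sigma project's code; field names follow the rule, and matching is
# case-insensitive, as Sigma's default string modifiers are.
TYPED_PATHS_URL1 = r"\software\microsoft\windows\currentversion\explorer\typedpaths\url1"
BROWSERS = (r"\brave.exe", r"\chrome.exe", r"\firefox.exe", r"\msedge.exe")
CMD_TOKENS = ("cmd", "curl", "powershell", "bitsadmin", "certutil", "mshta", "regsvr32")


def matches_filefix_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'all of selection_*' condition."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    image = event.get("Image", "").lower()

    # selection_base: the url1 value, written by a browser process, containing '#'
    selection_base = (
        target.endswith(TYPED_PATHS_URL1)
        and "#" in details
        and image.endswith(BROWSERS)
    )
    # selection_cmd: any of the listed command tokens inside the written value
    selection_cmd = any(token in details for token in CMD_TOKENS)
    return selection_base and selection_cmd


KEY = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # browser wrote url1 with a command plus the '#' marker -> alert
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetObject": KEY,
        "Details": r"PowerShell.exe -NoProfile -Command Get-Date # C:\Company\Policy.pdf",
    },
    {   # ordinary path typed into Explorer itself -> no alert (Image not a browser)
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": KEY,
        "Details": r"C:\Users\alice\Documents",
    },
    {   # browser wrote url1, token 'curl' present but no '#' -> no alert
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "TargetObject": KEY,
        "Details": r"C:\Users\alice\Downloads\curl-8.0.zip",
    },
]


def alerting_events(events):
    """Filter a list of events down to those the rule would alert on."""
    return [e for e in events if matches_filefix_rule(e)]
```

The third sample shows why the rule needs both selections: a download path containing "curl" does not fire without the '#' marker that FileFix relies on to hide the file path from the user.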
Related rules
- FileFix - Suspicious Child Process from Browser File Upload Abuse
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- Malicious PowerShell Scripts - FileCreation
