FileFix - Command Evidence in TypedPaths
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
Sigma rule
title: FileFix - Command Evidence in TypedPaths
id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
related:
    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c
      type: similar
status: experimental
description: |
    Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
references:
    - https://x.com/russianpanda9xx/status/1940831134759506029
    - https://mrd0x.com/filefix-clickfix-alternative/
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-05
modified: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: registry_set
    product: windows
detection:
    selection_base:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains|all:
            - '#'
            - 'http'
    selection_cmd:
        - Details|contains:
            # Add more suspicious keywords
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identification'
            - 'identificator'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
        - Details|contains:
            - '%comspec%'
            - 'bitsadmin'
            - 'certutil'
            - 'cmd'
            - 'cscript'
            - 'curl'
            - 'finger'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'schtasks'
            - 'wget'
            - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
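To see how the rule's selections combine, the following added example (not part of the Sigma project or its tooling; it does not use pySigma) re-implements just the modifiers this rule uses and runs them over constructed Sysmon registry_set events. The SID, hostnames and the command body in the sample events are placeholders; everything else follows the rule as written above.

```python
"""Evaluate the Sigma rule above against constructed registry_set events.

Added example, not part of the Sigma project or its tooling (no pySigma): it
re-implements only what this rule needs, i.e. the endswith, contains and
contains|all modifiers with Sigma's default case-insensitive matching, and
the 'all of selection_*' condition. selection_cmd is written as a list of
maps, which in Sigma means OR across the list items.
"""

# Sysmon registry_set events (Event ID 13) carry the key path in TargetObject
# and the written value in Details. Explorer stores typed address-bar entries
# as url1..urlN under TypedPaths with url1 being the most recent, so the rule
# only needs to watch url1.
KEY_SUFFIX = r"\software\microsoft\windows\currentversion\explorer\typedpaths\url1"

REQUIRED_ALL = ("#", "http")           # Details|contains|all in selection_base

LURE_KEYWORDS = (                      # first Details|contains list in selection_cmd
    "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
    "fraud", "human", "identification", "identificator", "identity", "robot",
    "validation", "verification", "verify",
)
TOOL_KEYWORDS = (                      # second Details|contains list in selection_cmd
    "%comspec%", "bitsadmin", "certutil", "cmd", "cscript", "curl", "finger",
    "mshta", "powershell", "pwsh", "regsvr32", "rundll32", "schtasks", "wget",
    "wscript",
)


def _details(event):
    return str(event.get("Details", "")).lower()


def selection_base(event):
    """TargetObject ends with the url1 suffix and Details contains both '#' and 'http'."""
    target = str(event.get("TargetObject", "")).lower()
    details = _details(event)
    return target.endswith(KEY_SUFFIX) and all(s in details for s in REQUIRED_ALL)


def matched_keywords(event):
    """Keywords from either selection_cmd list found in Details (useful for alert enrichment)."""
    details = _details(event)
    return [k for k in LURE_KEYWORDS + TOOL_KEYWORDS if k in details]


def selection_cmd(event):
    return bool(matched_keywords(event))


def matches(event):
    """condition: all of selection_*"""
    return selection_base(event) and selection_cmd(event)


# Constructed sample events; SID, hostnames and the command body are placeholders.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
URL1 = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1"
URL2 = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url2"

EVENTS = [
    # 1) FileFix-style lure: a command pasted into the address bar with a fake
    #    verification URL appended after '#' so the visible tail looks harmless.
    {"EventID": 13, "TargetObject": URL1,
     "Details": "Powershell <COMMAND_PLACEHOLDER> # https://example.invalid/captcha"},
    # 2) Ordinary URL with a fragment typed into Explorer: has 'http' and '#' but no keyword.
    {"EventID": 13, "TargetObject": URL1,
     "Details": "https://wiki.example.invalid/page#section-3"},
    # 3) Same lure string but landing in url2 (an older entry); the rule watches url1 only.
    {"EventID": 13, "TargetObject": URL2,
     "Details": "Powershell <COMMAND_PLACEHOLDER> # https://example.invalid/captcha"},
    # 4) Local path: no 'http', so selection_base fails even though 'cmd' is present.
    {"EventID": 13, "TargetObject": URL1,
     "Details": r"C:\Users\Public\Documents\cmd-cheatsheet.txt"},
]


if __name__ == "__main__":
    for ev in EVENTS:
        print(matches(ev), matched_keywords(ev), ev["Details"])
```

Event 4 shows why the `'#'` plus `'http'` conjunction in selection_base carries most of the rule's precision: short substrings such as `cmd` or `human` match any Details value that happens to contain those letters, so when tuning it is better to extend the keyword lists than to loosen selection_base.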
Related rules
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Suspicious FileFix Execution Pattern
- Suspicious ClickFix/FileFix Execution Pattern
- Suspicious Space Characters in RunMRU Registry Path - ClickFix
- Suspicious Space Characters in TypedPaths Registry Path - FileFix