Suspicious Space Characters in RunMRU Registry Path - ClickFix

 1title: Suspicious Space Characters in RunMRU Registry Path - ClickFix
 2id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
 3related:
 4    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
 5      type: similar
 6status: experimental
 7description: |
 8        Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
 9references:
10    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
11    - https://github.com/JohnHammond/recaptcha-phish
12author: Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2025-11-04
14tags:
15    - attack.execution
16    - attack.t1204.004
17    - attack.defense-evasion
18    - attack.t1027.010
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection_key:
24        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
25        Details|contains: '#'
26    selection_space_variation:
27        Details|contains:
28            - '            ' # En Quad (U+2000)
29            - '            ' # Em Quad (U+2001)
30            - '            ' # En Space (U+2002)
31            - '            ' # Em Space (U+2003)
32            - '            ' # Three-Per-Em Space (U+2004)
33            - '            ' # Four-Per-Em Space (U+2005)
34            - '            ' # Six-Per-Em Space (U+2006)
35            - '            ' # Figure Space (U+2007)
36            - '            ' # Punctuation Space (U+2008)
37            - '            ' # Thin Space (U+2009)
38            - '            ' # Hair Space (U+200A)
39            - '            ' # No-Break Space (U+00A0)
40            - '            ' # Normal space
41    condition: all of selection_*
42falsepositives:
43    - Unlikely
44level: high