Suspicious Space Characters in TypedPaths Registry Path - FileFix

 1title: Suspicious Space Characters in TypedPaths Registry Path - FileFix
 2id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
 3related:
 4    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
 5      type: similar
 6status: experimental
 7description: |
 8        Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
 9references:
10    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
11    - https://mrd0x.com/filefix-clickfix-alternative/
12author: Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2025-11-04
14tags:
15    - attack.execution
16    - attack.t1204.004
17    - attack.defense-evasion
18    - attack.t1027.010
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection_key:
24        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
25        Details|contains: '#'
26    selection_space_variation:
27        Details|contains:
28            - '            ' # En Quad (U+2000)
29            - '            ' # Em Quad (U+2001)
30            - '            ' # En Space (U+2002)
31            - '            ' # Em Space (U+2003)
32            - '            ' # Three-Per-Em Space (U+2004)
33            - '            ' # Four-Per-Em Space (U+2005)
34            - '            ' # Six-Per-Em Space (U+2006)
35            - '            ' # Figure Space (U+2007)
36            - '            ' # Punctuation Space (U+2008)
37            - '            ' # Thin Space (U+2009)
38            - '            ' # Hair Space (U+200A)
39            - '            ' # No-Break Space (U+00A0)
40            - '            ' # Normal space
41    condition: all of selection_*
42falsepositives:
43    - Unlikely
44level: high