Type: Detection | Level: high | Status: experimental
FileFix - Command Evidence in TypedPaths
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
Author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Sat Jul 05
Updated: Wed Nov 19
Rule ID: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (2 selectors)
detection:
    selection_base:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains|all:
            - '#'
            - 'http'
    selection_cmd:
        - Details|contains:
            # Add more suspicious keywords
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identification'
            - 'identificator'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
        - Details|contains:
            - '%comspec%'
            - 'bitsadmin'
            - 'certutil'
            - 'cmd'
            - 'cscript'
            - 'curl'
            - 'finger'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'schtasks'
            - 'wget'
            - 'wscript'
    condition: all of selection_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
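The following Python is an added illustration by the editor, not code from the Sigma project or the rule authors. It re-implements the rule's matching logic (Sigma `contains`/`endswith` are case-insensitive substring tests, and a selection written as a YAML list of maps is an OR of those maps) and runs it over constructed registry_set events; the SID, user name, URLs and command string are invented for the example. Two points it makes concrete for triage: only the `url1` value (the most recent typed path) is in scope, so the same string shifted into `url2` by later navigation does not match; and the lure-keyword branch of `selection_cmd` fires on its own, so a typed URL whose fragment contains a word such as `account` hits the rule with no interpreter or LOLBin present at all.

```python
"""Re-implementation of the matching logic of the Sigma rule
'FileFix - Command Evidence in TypedPaths' (4fee3d51-8069-4a4c-a0f7-924fcaff2c70),
run over constructed registry_set events. Added illustration, not Sigma code."""

from typing import Dict, List

# selection_base: TargetObject|endswith. Only url1 (the most recently typed
# path) is in scope; Explorer keeps older entries in url2, url3, ...
TYPEDPATHS_URL1 = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1"

# selection_cmd, first Details|contains map: words borrowed from the lure page.
LURE_KEYWORDS = (
    "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
    "fraud", "human", "identification", "identificator", "identity", "robot",
    "validation", "verification", "verify",
)
# selection_cmd, second Details|contains map: interpreters and LOLBins.
COMMAND_KEYWORDS = (
    "%comspec%", "bitsadmin", "certutil", "cmd", "cscript", "curl", "finger",
    "mshta", "powershell", "pwsh", "regsvr32", "rundll32", "schtasks", "wget",
    "wscript",
)

Event = Dict[str, str]


def selection_base(event: Event) -> bool:
    """TargetObject|endswith url1 AND Details|contains|all ['#', 'http'].
    Sigma string modifiers are case-insensitive, hence the lower()."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    return target.endswith(TYPEDPATHS_URL1.lower()) and "#" in details and "http" in details


def selection_cmd_hits(event: Event) -> Dict[str, List[str]]:
    """selection_cmd is a YAML list of two maps, which Sigma ORs together:
    any lure keyword OR any command keyword satisfies it. Substring matching
    means 'cmd' also hits inside longer words."""
    details = event.get("Details", "").lower()
    return {
        "lure": [k for k in LURE_KEYWORDS if k in details],
        "command": [k for k in COMMAND_KEYWORDS if k in details],
    }


def matches(event: Event) -> bool:
    """condition: all of selection_*"""
    hits = selection_cmd_hits(event)
    return selection_base(event) and bool(hits["lure"] or hits["command"])


def evaluate(events: List[Event]) -> List[str]:
    """Names of the events the rule would alert on, in input order."""
    return [e["name"] for e in events if matches(e)]


# Constructed registry_set events (Sysmon Event ID 13 shape). The SID, the
# user name, the URLs and the command string are all made up for this example.
_KEY = r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"
SAMPLE_EVENTS: List[Event] = [
    # Classic FileFix paste: command, then '#' so Explorer ignores the lure URL.
    {"name": "filefix-url1", "TargetObject": _KEY + r"\url1",
     "Details": 'powershell -c "echo filefix-test" # https://example.invalid/verify/human'},
    # Same string shifted into url2 when the next path is typed: out of scope.
    {"name": "filefix-url2-history", "TargetObject": _KEY + r"\url2",
     "Details": 'powershell -c "echo filefix-test" # https://example.invalid/verify/human'},
    # Ordinary folder navigation.
    {"name": "local-path", "TargetObject": _KEY + r"\url1",
     "Details": r"C:\Users\alice\Documents"},
    # A typed URL whose fragment happens to contain a lure word: no command at all,
    # yet the lure branch of selection_cmd is enough to fire the rule.
    {"name": "fragment-url", "TargetObject": _KEY + r"\url1",
     "Details": "https://portal.example.invalid/login#account"},
    # Command with '#' but no 'http' substring: selection_base fails.
    {"name": "no-url", "TargetObject": _KEY + r"\url1",
     "Details": "cmd /c dir # notes"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['name']:22} match={matches(ev)!s:5} hits={selection_cmd_hits(ev)}")
```

Running the block prints a match verdict and the per-branch hits for each constructed event; `filefix-url1` matches on both branches, `fragment-url` on the lure branch alone, and the other three do not match. When triaging a hit, the command branch being empty is a quick signal that the event may be a typed URL rather than a pasted command.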
MITRE ATT&CK
Tactic: Execution (attack.execution)
Technique: T1204.004, User Execution: Malicious Copy and Paste (attack.t1204.004)
Related Rules
Similar: 4be03877-d5b6-4520-85c9-a5911c0a656c (rule not found on this site)
Rule Metadata
Rule ID
4fee3d51-8069-4a4c-a0f7-924fcaff2c70
Status
experimental
Level
high
Type
Detection
Created
Sat Jul 05
Modified
Wed Nov 19
Path
rules/windows/registry/registry_set/registry_set_filefix_typedpath_commands.yml
Raw Tags
attack.execution, attack.t1204.004