Detectionhighexperimental

Suspicious Space Characters in TypedPaths Registry Path - FileFix

Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Tue Nov 048f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7ewindows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic2 selectors
detection:
    selection_key:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains: '#'
    selection_space_variation:
        Details|contains:
            - '            ' # En Quad (U+2000)
            - '            ' # Em Quad (U+2001)
            - '            ' # En Space (U+2002)
            - '            ' # Em Space (U+2003)
            - '            ' # Three-Per-Em Space (U+2004)
            - '            ' # Four-Per-Em Space (U+2005)
            - '            ' # Six-Per-Em Space (U+2006)
            - '            ' # Figure Space (U+2007)
            - '            ' # Punctuation Space (U+2008)
            - '            ' # Thin Space (U+2009)
            - '            ' # Hair Space (U+200A)
            - '            ' # No-Break Space (U+00A0)
            - '            ' # Normal space
    condition: all of selection_*
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.