FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse

Rule Info

Name
FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
Author
Alfie Champion (delivr.to)
Description
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
Reference
https://x.com/russianpanda9xx/status/1940831134759506029
Date
2025-07-05 00:00:00
Modified
None
Id
4fee3d51-8069-4a4c-a0f7-924fcaff2c70
Tags
attack.execution attack.t1204.004
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=4fee3d51-8069-4a4c-a0f7-924fcaff2c70

Rule History

Author
Title
Date
Commit
Alfie Champion
Merge PR #5514 from @ajpc500 - Add Filefix TypedPaths Registry rule
2025-07-08
75d03ebfb
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022