Suspicious Space Characters in RunMRU Registry Path - ClickFix

Rule Info

Name
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
Reference
https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
Date
2025-11-04 00:00:00
Modified
None
Id
7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
Tags
attack.execution attack.t1204.004 attack.defense-evasion attack.t1027.010
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5743 from @swachchhanda000 - new: clickfix/filefix space character padding
2025-11-05
251be1edd
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022