Suspicious Space Characters in TypedPaths Registry Path - FileFix

Rule Info

Name
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
Reference
https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
Date
2025-11-04 00:00:00
Modified
None
Id
8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
Tags
attack.execution attack.t1204.004 attack.defense-evasion attack.t1027.010
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5743 from @swachchhanda000 - new: clickfix/filefix space character padding
2025-11-05
251be1edd
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022