FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse

Sigma Rules

Summary
The 'FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse' rule detects potential attack vectors in which browser capabilities are misused to exploit the `TypedPaths` registry key in Windows. It monitors the `url` value of the `TypedPaths` subkey at `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`. The rule identifies executed commands and strings that suggest malicious activity, particularly those involving commonly used command-line tools. Typical executables monitored include `brave.exe`, `chrome.exe`, `firefox.exe`, and `msedge.exe`, and the rule looks for specific patterns in the command execution that may indicate an attempt to leverage the FileFix technique, which could facilitate unauthorized actions or data uploads.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
Created: 2025-07-05
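The matching logic described in the summary can be tried against sample registry events with the sketch below. It is an added example, not the Sigma rule's own source. It assumes Sysmon Event ID 13 field names (`Image`, `TargetObject`, `Details`), numbered `url` value names, and a hypothetical tool list and first-token heuristic that are not taken from the rule.

```python
import re

# Browser image names listed in the rule summary.
BROWSERS = ("brave.exe", "chrome.exe", "firefox.exe", "msedge.exe")
# Assumed indicator list (not from the rule): common command-line tools.
TOOLS = ("powershell", "cmd", "mshta", "curl", "certutil")
# TypedPaths value names are assumed to be "url" plus an optional number.
TYPED_PATHS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url\d*$",
    re.IGNORECASE,
)

def first_token_tool(details):
    """Return the tool name if the value starts with a known tool plus arguments."""
    parts = details.strip().split(None, 1)
    if len(parts) < 2:          # a bare folder path has no arguments
        return None
    name = parts[0].strip("\"'").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name if name in TOOLS else None

def matches(event):
    """True when a browser wrote a command-like string to a TypedPaths url value."""
    image = event.get("Image", "").lower()
    if not image.endswith(tuple("\\" + b for b in BROWSERS)):
        return False
    if not TYPED_PATHS.search(event.get("TargetObject", "")):
        return False
    return first_token_tool(event.get("Details", "")) is not None

# Constructed sample events; the SID, paths and values are placeholders.
KEY = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
       r"\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1")
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"Image": CHROME, "TargetObject": KEY,
     "Details": "powershell.exe -NoProfile -Command <constructed-placeholder>"},
    {"Image": CHROME, "TargetObject": KEY,
     "Details": r"C:\Users\alice\Documents\Reports"},
    {"Image": r"C:\Windows\explorer.exe", "TargetObject": KEY,
     "Details": "cmd /c <constructed-placeholder>"},
    {"Image": CHROME, "TargetObject": r"HKU\S-1-5-21-1111111111\Software\Example\Setting",
     "Details": "cmd /c <constructed-placeholder>"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(matches(ev), ev["Details"])
```

Only the first event satisfies all three conditions; the others fail on the value content, the writing process, and the registry path respectively.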