Filefix-Hunter is a forensic tool written in Rust for incident response. It enumerates the TypedPaths entries in the Windows registry to detect possible LOLBIN or FileFix exploitation traces.
- Scan all `HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` keys, one per user.
- Look for suspicious commands, LOLBINs, and known IOCs (Mimikatz, shellcode).
- Highlight suspicious entries (red) vs safe entries (yellow).
- Optionally export results to JSON or CSV.
The FileFix attack exploits careless user behavior by tricking the user into pasting a malicious command into Explorer's address bar, which results in code execution through LOLBINs. More info here.
If building on Linux to produce a Windows binary:

```bash
sudo apt update
sudo apt install -y build-essential pkg-config libssl-dev rustup gcc-mingw-w64
rustup default stable
rustup target add x86_64-pc-windows-gnu
source $HOME/.cargo/env
```

Clone the repository and build the Windows binary (the clone directory is `Filefix-Hunter`, and Linux paths are case-sensitive):

```bash
git clone https://github.com/FreeDurok/Filefix-Hunter.git
cd Filefix-Hunter
cargo build --release --target x86_64-pc-windows-gnu
```

Usage:

```
filefix-hunter [options]
```

Options:

- `-h, --help`: show help
- `-f, --format <json|csv|none>`: export format
- `-o, --output <file>`: output file name
Examples:

```bash
filefix-hunter -f json -o report.json
filefix-hunter --format=csv --output=report.csv
```

Records highlighted in red are those that match suspicious entries detected by the tool.
JSON/CSV output includes the following fields:

- `sid`
- `username`
- `name`
- `value`
- `suspicious`: true/false
- `matched`
- `reason`
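Added example, not code from the Filefix-Hunter repository: in Rust, the per-value check behind the feature list above and a CSV row in the field order just listed. It assumes a hypothetical LOLBIN/IOC watch-list and constructed TypedPaths entries; the registry enumeration itself (winreg crate, Windows only) is left out.

```rust
// Added example (not Filefix-Hunter's code): the per-value classification a TypedPaths
// hunter applies. Registry enumeration (winreg crate, Windows only) is omitted; SAMPLE is constructed.
/// LOLBINs worth flagging inside an Explorer address-bar entry (assumed list).
const LOLBINS: &[&str] = &[
    "powershell", "pwsh", "cmd.exe", "mshta", "rundll32", "regsvr32",
    "certutil", "bitsadmin", "wscript", "cscript", "msiexec",
];
/// Indicators the README names (Mimikatz, shellcode) plus download/encoding cues.
const IOCS: &[&str] = &["mimikatz", "shellcode", "http://", "https://", " -enc", "frombase64string"];
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub sid: String,
    pub username: String,
    pub name: String, // value name under TypedPaths, e.g. "url1"
    pub value: String,
    pub suspicious: bool,
    pub matched: Vec<String>,
    pub reason: String,
}
/// A genuine TypedPaths value is a folder path or URL; anything carrying a
/// LOLBIN or IOC substring is treated as a pasted command and flagged.
pub fn classify(sid: &str, username: &str, name: &str, value: &str) -> Finding {
    let lower = value.to_ascii_lowercase();
    let matched: Vec<String> = LOLBINS.iter().chain(IOCS.iter())
        .filter(|p| lower.contains(**p)).map(|p| p.trim().to_string()).collect();
    let suspicious = !matched.is_empty();
    let reason = if suspicious {
        format!("address-bar entry references {}", matched.join(", "))
    } else { "plain folder path or URL".to_string() };
    Finding { sid: sid.into(), username: username.into(), name: name.into(),
              value: value.into(), suspicious, matched, reason }
}
/// CSV row in the README's column order: sid,username,name,value,suspicious,matched,reason
pub fn csv_row(f: &Finding) -> String {
    let q = |s: &str| format!("\"{}\"", s.replace('"', "\"\""));
    format!("{},{},{},{},{},{},{}", q(&f.sid), q(&f.username), q(&f.name), q(&f.value),
            f.suspicious, q(&f.matched.join(";")), q(&f.reason))
}
/// Constructed sample of what enumerating one user's TypedPaths could yield.
pub const SAMPLE: &[(&str, &str)] = &[
    ("url1", r"C:\Users\alice\Documents"),
    ("url2", "powershell -w hidden -enc QUJD"), // placeholder blob, not a real payload
    ("url3", r"\\fileserver\share\reports"),
];
fn main() {
    println!("sid,username,name,value,suspicious,matched,reason");
    for (name, value) in SAMPLE {
        println!("{}", csv_row(&classify("S-1-5-21-1-2-3-1001", "alice", name, value)));
    }
}
```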
MIT License

