
Potentially Suspicious Command Executed Via Run Dialog Box - Registry

sigma · HIGH · SigmaHQ · T1059.001 · imRegistry · apt
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-31T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

Detection Rule

Sigma (Original)

title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
related:
    - id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
      type: derived
status: test
description: |
    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
    - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
    - https://www.forensafe.com/blogs/runmrukey.html
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    selection_powershell_command:
        Details|contains:
            - 'powershell'
            - 'pwsh'
    selection_powershell_susp_keywords:
        Details|contains:
            - ' -e '
            - ' -ec '
            - ' -en '
            - ' -enc '
            - ' -enco'
            - 'ftp'
            - 'Hidden'
            - 'http'
            - 'iex'
            - 'Invoke-'
    selection_wmic_command:
        Details|contains: 'wmic'
    selection_wmic_susp_keywords:
        Details|contains:
            - 'shadowcopy'
            - 'process call create'
    condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (((RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and (RegistryValueData contains " -e " or RegistryValueData contains " -ec " or RegistryValueData contains " -en " or RegistryValueData contains " -enc " or RegistryValueData contains " -enco" or RegistryValueData contains "ftp" or RegistryValueData contains "Hidden" or RegistryValueData contains "http" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-")) or (RegistryValueData contains "wmic" and (RegistryValueData contains "shadowcopy" or RegistryValueData contains "process call create")))

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (((RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and (RegistryValueData contains " -e " or RegistryValueData contains " -ec " or RegistryValueData contains " -en " or RegistryValueData contains " -enc " or RegistryValueData contains " -enco" or RegistryValueData contains "ftp" or RegistryValueData contains "Hidden" or RegistryValueData contains "http" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-")) or (RegistryValueData contains "wmic" and (RegistryValueData contains "shadowcopy" or RegistryValueData contains "process call create")))
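
The rule's condition, selection_key and (all of selection_powershell_* or all of selection_wmic_*), re-implemented in Python and run over constructed registry_set events so the boundary cases are visible (added example, not code from SigmaHQ or the rule's authors; the event shapes, value names and command strings are constructed samples):

```python
# Added example: mirrors the Sigma rule's matching logic over sample events.
RUNMRU_KEY = r"\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
POWERSHELL_CMD = ("powershell", "pwsh")
POWERSHELL_KEYWORDS = (" -e ", " -ec ", " -en ", " -enc ", " -enco",
                       "ftp", "Hidden", "http", "iex", "Invoke-")
WMIC_CMD = ("wmic",)
WMIC_KEYWORDS = ("shadowcopy", "process call create")


def _contains_any(value: str, needles) -> bool:
    # Sigma's |contains matches case-insensitively, as does KQL `contains`,
    # so "hidden" and "Hidden" are treated alike.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_matches(target_object: str, details: str) -> bool:
    """True when one registry_set event satisfies the rule's condition."""
    if RUNMRU_KEY.lower() not in target_object.lower():
        return False  # selection_key failed: not a RunMRU write
    # "all of selection_powershell_*": interpreter name AND a suspicious keyword
    powershell = (_contains_any(details, POWERSHELL_CMD)
                  and _contains_any(details, POWERSHELL_KEYWORDS))
    # "all of selection_wmic_*": wmic AND one of its listed sub-commands
    wmic = _contains_any(details, WMIC_CMD) and _contains_any(details, WMIC_KEYWORDS)
    return powershell or wmic


# Constructed sample events (Sysmon Event ID 13 shape). RunMRU stores each
# entry under a single-letter value name with a trailing "\1" marker.
_KEY = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    {"TargetObject": _KEY + r"\a", "Details": r"powershell -w Hidden -enc AAAA\1"},
    {"TargetObject": _KEY + r"\b", "Details": r"wmic shadowcopy delete\1"},
    {"TargetObject": _KEY + r"\c", "Details": r"notepad.exe\1"},
    # interpreter name alone, no keyword from the second selection: no alert
    {"TargetObject": _KEY + r"\d", "Details": r"powershell\1"},
    # same command written outside RunMRU: selection_key does not match
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\x",
     "Details": r"powershell -enc AAAA"},
]


def alerts(events):
    """Return the Details of every event the rule would alert on, in order."""
    return [e["Details"] for e in events
            if rule_matches(e["TargetObject"], e["Details"])]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The last two sample events are the ones worth keeping in a regression test: they show that a bare interpreter launch and an identical command under a different key are intentionally out of scope for this rule.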

Required Data Sources

Sentinel Table: imRegistry
Notes: Ensure this data connector is enabled

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml