Threat Huntlowtest
Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Ahmed Farouk, Nasreddine Bencherchali (Nextron Systems)Created Fri Nov 01f9d091f6-f1c7-4873-a24f-050b4a02b4ddwindows
Hunting Hypothesis
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic4 selectors
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
filter_main_mrulist:
TargetObject|endswith: '\MRUList'
filter_optional_ping:
Details|contains: 'ping'
filter_optional_generic:
Details:
- '%appdata%\1'
- '%localappdata%\1'
- '%public%\1'
- '%temp%\1'
- 'calc\1'
- 'dxdiag\1'
- 'explorer\1'
- 'gpedit.msc\1'
- 'mmc\1'
- 'notepad\1'
- 'regedit\1'
- 'services.msc\1'
- 'winver\1'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Likely
MITRE ATT&CK
Tactics
Other
detection.threat-hunting
Rule Metadata
Rule ID
f9d091f6-f1c7-4873-a24f-050b4a02b4dd
Status
test
Level
low
Type
Threat Hunt
Created
Fri Nov 01
Path
rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
Raw Tags
detection.threat-huntingattack.execution