Potentially Suspicious Command Executed Via Run Dialog Box - Registry

 1title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
 2id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
 3related:
 4    - id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
 5      type: derived
 6status: test
 7description: |
 8    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
 9    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.    
10references:
11    - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
12    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
13    - https://www.forensafe.com/blogs/runmrukey.html
14    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
15author: Ahmed Farouk, Nasreddine Bencherchali
16date: 2024-11-01
17tags:
18    - attack.execution
19    - attack.t1059.001
20logsource:
21    product: windows
22    category: registry_set
23detection:
24    selection_key:
25        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
26    selection_powershell_command:
27        Details|contains:
28            - 'powershell'
29            - 'pwsh'
30    selection_powershell_susp_keywords:
31        Details|contains:
32            - ' -e '
33            - ' -ec '
34            - ' -en '
35            - ' -enc '
36            - ' -enco'
37            - 'ftp'
38            - 'Hidden'
39            - 'http'
40            - 'iex'
41            - 'Invoke-'
42    selection_wmic_command:
43        Details|contains: 'wmic'
44    selection_wmic_susp_keywords:
45        Details|contains:
46            - 'shadowcopy'
47            - 'process call create'
48    condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
49falsepositives:
50    - Unknown
51level: high

References

• Fake CAPTCHA Campaign on Arabic Pirated Movie Sites Delivers Lumma Stealer

  

  discovered a fake CAPTCHA campaign targeting visitors of Arabic pirated movie websites

  
  Read More

• Downloading Trojan(Lumma infostealer) Through Capatcha

  

  Following the Phishing campaign that targets users with fake Captcha and masquerades them to download Trojan malware(Lumma), I have gotten a new phishing newly created domain that contains 2 phishing…

  
  Read More

• Run MRU Blog

  

  Investigating Run MRU 29/04/2022 Friday The Run utility on Windows Systems enables the user to directly open an application, folder or document. In Windows 10, the Run utility can be accessed by ri...

  
  Read More

• Intelligence Insights: October 2024

  

  LummaC2 lurks thanks to PowerShell pasting in this month's edition of Intelligence Insights

  
  Read More

Related rules

• Renamed Powershell Under Powershell Channel
• Suspicious Non PowerShell WSMAN COM Provider
• Alternate PowerShell Hosts Pipe
• Lace Tempest PowerShell Evidence Eraser
• Lace Tempest PowerShell Launcher