Potentially Suspicious Command Executed Via Run Dialog Box - Registry

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

Sigma rule

title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
related:
    - id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
      type: derived
status: test
description: |
    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
    - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
    - https://www.forensafe.com/blogs/runmrukey.html
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    selection_powershell_command:
        Details|contains:
            - 'powershell'
            - 'pwsh'
    selection_powershell_susp_keywords:
        Details|contains:
            - ' -e '
            - ' -ec '
            - ' -en '
            - ' -enc '
            - ' -enco'
            - 'ftp'
            - 'Hidden'
            - 'http'
            - 'iex'
            - 'Invoke-'
    selection_wmic_command:
        Details|contains: 'wmic'
    selection_wmic_susp_keywords:
        Details|contains:
            - 'shadowcopy'
            - 'process call create'
    condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
falsepositives:
    - Unknown
level: high
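To see how the condition above behaves on real-looking telemetry, here is an added Python re-implementation of the rule's matching logic run over constructed registry_set events; it is example code, not part of the Sigma rule or the SigmaHQ project. It assumes events carry the `TargetObject` and `Details` fields named in the rule and that, as in Sigma's default, string matching is case-insensitive; the sample values are constructed, not captured telemetry.

```python
# Added example: evaluates the rule condition
#   selection_key and (all of selection_powershell_* or all of selection_wmic_*)
# against constructed registry_set events with TargetObject/Details fields.
RUNMRU_KEY = r"\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
POWERSHELL_COMMAND = ["powershell", "pwsh"]
POWERSHELL_SUSP_KEYWORDS = [" -e ", " -ec ", " -en ", " -enc ", " -enco",
                           "ftp", "Hidden", "http", "iex", "Invoke-"]
WMIC_COMMAND = ["wmic"]
WMIC_SUSP_KEYWORDS = ["shadowcopy", "process call create"]


def contains_any(value, needles):
    # Sigma's |contains modifier is case-insensitive unless |cased is given.
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(event):
    """Return True when a registry_set event satisfies the rule's condition."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    selection_key = RUNMRU_KEY.lower() in target.lower()
    # "all of selection_powershell_*": both the command and a keyword must hit
    powershell = (contains_any(details, POWERSHELL_COMMAND)
                  and contains_any(details, POWERSHELL_SUSP_KEYWORDS))
    # "all of selection_wmic_*": same shape for wmic
    wmic = (contains_any(details, WMIC_COMMAND)
            and contains_any(details, WMIC_SUSP_KEYWORDS))
    return selection_key and (powershell or wmic)


# Constructed sample events (placeholder SID, placeholder base64), not real logs.
RUNMRU_PATH = r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    # Hidden-window, encoded PowerShell typed into Win+R: should match
    {"TargetObject": RUNMRU_PATH + r"\a",
     "Details": "powershell -w Hidden -enc AAAABBBBCCCC\\1"},
    # Ordinary Run-dialog use: should not match
    {"TargetObject": RUNMRU_PATH + r"\b", "Details": "notepad\\1"},
    # wmic process creation via Run dialog: should match
    {"TargetObject": RUNMRU_PATH + r"\c",
     "Details": "wmic process call create notepad.exe\\1"},
    # Suspicious string, but written to an unrelated key: should not match
    {"TargetObject": r"HKLM\SOFTWARE\Example\Unrelated",
     "Details": "powershell -enc AAAABBBBCCCC\\1"},
]


def flagged_events(events=SAMPLE_EVENTS):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]
```

Note that `powershell` alone does not fire: the rule requires one of the keyword selections as well, which is what keeps plain `powershell` launches from the Run dialog out of the alert set.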
