
Command Executed Via Run Dialog Box - Registry

Status: test
Severity: low
Author: Ahmed Farouk, Nasreddine Bencherchali
Source: github.com/SigmaHQ/sigma

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

Event coverage

Provider | Event       | Title
Sysmon   | Event ID 13 | RegistryEvent (Value Set)

Rule body (yaml)

title: Command Executed Via Run Dialog Box - Registry
id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
related:
    - id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
      type: derived
status: test
description: |
    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
    - https://www.forensafe.com/blogs/runmrukey.html
    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
    - detection.threat-hunting
    - attack.execution
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    filter_main_mrulist:
        TargetObject|endswith: '\MRUList'
    filter_optional_ping:
        Details|contains: 'ping'
    filter_optional_generic:
        Details:
            - '%appdata%\1'
            - '%localappdata%\1'
            - '%public%\1'
            - '%temp%\1'
            - 'calc\1'
            - 'dxdiag\1'
            - 'explorer\1'
            - 'gpedit.msc\1'
            - 'mmc\1'
            - 'notepad\1'
            - 'regedit\1'
            - 'services.msc\1'
            - 'winver\1'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_* and not 1 of filter_optional_*

Stage 1: selection

selection:
    TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

Stage 2: not filter_main_mrulist

filter_main_mrulist:
    TargetObject|endswith: '\MRUList'

Stage 3: not filter_optional_*

filter_optional_ping:
    Details|contains: 'ping'
filter_optional_generic:
    Details:
        - '%appdata%\1'
        - '%localappdata%\1'
        - '%public%\1'
        - '%temp%\1'
        - 'calc\1'
        - 'dxdiag\1'
        - 'explorer\1'
        - 'gpedit.msc\1'
        - 'mmc\1'
        - 'notepad\1'
        - 'regedit\1'
        - 'services.msc\1'
        - 'winver\1'
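The staged evaluation above, written out as an added example (not code from the SigmaHQ rule or this catalog page): a minimal evaluator for the rule's condition over constructed Sysmon Event ID 13 records. Field names follow the Sigma windows/registry_set log source; the hive path and the Details values in the sample events are constructed, and the lower-casing reflects Sigma's case-insensitive string matching.

```python
# Added example, not code from the SigmaHQ rule or this catalog page: a
# minimal evaluator for the rule's condition over constructed Sysmon
# Event ID 13 (RegistryEvent, Value Set) records. Sigma string matching is
# case-insensitive, so every comparison is done on lower-cased values.

RUNMRU = "\\microsoft\\windows\\currentversion\\explorer\\runmru"

# filter_optional_generic: exact Details values the rule treats as benign.
# Explorer stores each RunMRU entry with a trailing "\1", hence the suffix.
FILTER_GENERIC = {
    "%appdata%\\1", "%localappdata%\\1", "%public%\\1", "%temp%\\1",
    "calc\\1", "dxdiag\\1", "explorer\\1", "gpedit.msc\\1", "mmc\\1",
    "notepad\\1", "regedit\\1", "services.msc\\1", "winver\\1",
}


def matches(event: dict) -> bool:
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    if RUNMRU not in target:            # selection: TargetObject|contains
        return False
    if target.endswith("\\mrulist"):    # filter_main_mrulist: TargetObject|endswith
        return False
    if "ping" in details:               # filter_optional_ping: Details|contains
        return False
    if details in FILTER_GENERIC:       # filter_optional_generic: Details equals
        return False
    return True


def alerts(events: list) -> list:
    """Return the Details values of the events that trigger the rule."""
    return [e["Details"] for e in events if matches(e)]


# Constructed sample events (not real telemetry); the SID is a placeholder.
KEY = "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": KEY + "a", "Details": "notepad\\1"},
    {"EventID": 13, "TargetObject": KEY + "b", "Details": "Notepad\\1"},   # case-insensitive
    {"EventID": 13, "TargetObject": KEY + "MRUList", "Details": "ba"},     # filter_main
    {"EventID": 13, "TargetObject": KEY + "c", "Details": "ping 127.0.0.1\\1"},
    {"EventID": 13, "TargetObject": KEY + "d",
     "Details": 'powershell -Command "Write-Host constructed-sample"\\1'},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x",
     "Details": "notepad.exe"},                                            # not RunMRU
]

if __name__ == "__main__":
    for d in alerts(SAMPLE_EVENTS):
        print("ALERT:", d)
```

Only the fifth sample event survives all three filter groups; the `Notepad\1` entry shows why a case-sensitive reimplementation of the rule would produce extra hits that the Sigma semantics do not.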

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Stage | Field        | Kind      | Excluded values
2     | TargetObject | ends_with | \MRUList
3     | Details      | eq        | %appdata%\1
3     | Details      | eq        | %localappdata%\1
3     | Details      | eq        | %public%\1
3     | Details      | eq        | %temp%\1
3     | Details      | eq        | calc\1
3     | Details      | eq        | dxdiag\1
3     | Details      | eq        | explorer\1
3     | Details      | eq        | gpedit.msc\1
3     | Details      | eq        | mmc\1
3     | Details      | eq        | notepad\1
3     | Details      | eq        | regedit\1
3     | Details      | eq        | services.msc\1
3     | Details      | eq        | winver\1
3     | Details      | match     | ping

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field        | Kind  | Values
TargetObject | match | \Microsoft\Windows\CurrentVersion\Explorer\RunMRU (corpus 2: sigma 2)