Detection rules › Splunk
Windows RunMRU Command Execution
The following analytic detects modifications to the Windows RunMRU registry key, which stores a history of commands executed through the Run dialog box (Windows+R). It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry events targeting this key. This activity is significant as malware often uses the Run dialog to execute malicious commands while attempting to appear legitimate. If confirmed malicious, this could indicate an attacker using indirect command execution techniques for defense evasion or persistence. The detection excludes MRUList value changes to focus on actual command entries.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1202 Indirect Command Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
```spl
tstats WHERE NOT (NOT Registry.registry_value_data="unknown" Registry.registry_value_name="MRUList") Registry.registry_path="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" BY Registry.dest, Registry.registry_value_data, Registry.action, Registry.process_guid, Registry.process_id, Registry.registry_key_name, Registry.user, Registry.registry_path, Registry.registry_hive, Registry.registry_value_name, Registry.status, Registry.vendor_product
```
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | Details | eq | "unknown" |
| 2 | registry_value_name | eq | "MRUList" |
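The rule's matching logic, re-implemented outside Splunk so it can be checked against a handful of Sysmon Event ID 13 records. This is an added example, not code from the rule catalogue or from Splunk; field names follow the Endpoint.Registry data model used in Stage 1, the path glob and both exclusions are taken from the tables above, and the sample events (hostnames, SID, users, commands) are constructed.

```python
"""Evaluate the RunMRU rule's predicate over Sysmon Event ID 13 records.

Added example: not the catalogue's or Splunk's code. Field names follow the
Splunk Endpoint.Registry data model; the sample events below are constructed.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple

# Path predicate from Stage 1. In SPL, "\\" is a literal single backslash, so
# the same glob is written here with Python-escaped backslashes.
RUNMRU_PATH_GLOB = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*"
# Exclusions from the Exclusions table.
EXCLUDED_VALUE_NAMES = {"MRUList"}   # the ordering index, not a command entry
EXCLUDED_VALUE_DATA = {"unknown"}    # telemetry that did not capture the data


@dataclass(frozen=True)
class RegistryEvent:
    """Subset of Endpoint.Registry fields the rule keys on."""
    dest: str
    user: str
    event_id: int              # Sysmon event ID; 13 = RegistryEvent (Value Set)
    registry_path: str
    registry_value_name: str
    registry_value_data: str


def matches_rule(ev: RegistryEvent) -> bool:
    """True when the event passes Stage 1 and survives both exclusions."""
    if ev.event_id != 13:
        return False
    # Compare case-insensitively, as Splunk does for field=value tests.
    if not fnmatch.fnmatchcase(ev.registry_path.lower(), RUNMRU_PATH_GLOB.lower()):
        return False
    if ev.registry_value_name in EXCLUDED_VALUE_NAMES:
        return False
    if ev.registry_value_data in EXCLUDED_VALUE_DATA:
        return False
    return True


def run_command(value_data: str) -> str:
    """Strip the trailing '\\1' Explorer appends to every RunMRU entry."""
    return value_data[:-2] if value_data.endswith("\\1") else value_data


def hunt(events: List[RegistryEvent]) -> List[Tuple[str, str, str]]:
    """Return (dest, user, command) for each event the rule would raise on."""
    return [(ev.dest, ev.user, run_command(ev.registry_value_data))
            for ev in events if matches_rule(ev)]


# Constructed sample telemetry (made-up hosts, users and SID).
RUNMRU_KEY = ("HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows"
              "\\CurrentVersion\\Explorer\\RunMRU")
SAMPLE_EVENTS = [
    RegistryEvent("ws01", "CORP\\alice", 13, RUNMRU_KEY + "\\a", "a", "mstsc\\1"),
    # MRUList only records entry order: excluded by Stage 2.
    RegistryEvent("ws01", "CORP\\alice", 13, RUNMRU_KEY + "\\MRUList", "MRUList", "a"),
    RegistryEvent("ws02", "CORP\\bob", 13, RUNMRU_KEY + "\\b", "b", "cmd\\1"),
    # Data not captured by the sensor: excluded by Stage 1.
    RegistryEvent("ws02", "CORP\\bob", 13, RUNMRU_KEY + "\\c", "c", "unknown"),
    # Key creation (Event ID 12), not a value set: outside the rule's scope.
    RegistryEvent("ws02", "CORP\\bob", 12, RUNMRU_KEY, "", ""),
    # A different Explorer MRU key: path glob does not match.
    RegistryEvent("ws03", "CORP\\carol", 13,
                  RUNMRU_KEY.replace("RunMRU", "TypedPaths") + "\\url1",
                  "url1", "C:\\Users\\carol"),
]

if __name__ == "__main__":
    for dest, user, cmd in hunt(SAMPLE_EVENTS):
        print(f"{dest}\t{user}\tRun dialog command: {cmd}")
```

Only the two real command entries survive; the MRUList ordering index, the "unknown" placeholder, the key-creation event and the unrelated TypedPaths key are dropped, which is the behaviour the Exclusions table describes.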
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values | Corpus |
|---|---|---|---|
| Registry.registry_path | eq | "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" | |
| Registry.registry_value_data | eq | | |