Potentially Suspicious Command Executed Via Run Dialog Box - Registry

Rule Info

Name
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Author
Ahmed Farouk, Nasreddine Bencherchali
Description
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Date
2024-11-01 00:00:00
Modified
None
Id
a7df0e9e-91a5-459a-a003-4cde67c2ff5d
Tags
attack.execution attack.t1059.001 DEMO
Type
Community Rule

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #5067 from @nasbench - Add missing reference links | 2024-11-01 |
Ahmed Farouk | Merge PR #5058 from @ahmedfarou22 - Add new rules related to command execution via run dialogue | 2024-11-01 |