Rule Info
Name
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Author
Ahmed Farouk, Nasreddine Bencherchali
Description
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Date
2024-11-01 00:00:00
Modified
None
Id
a7df0e9e-91a5-459a-a003-4cde67c2ff5d
Tags
attack.execution attack.t1059.001
Type
Community Rule
Link to Public Repo