Potentially Suspicious Command Executed Via Run Dialog Box - Registry

Rule Info

Name
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Author
Ahmed Farouk, Nasreddine Bencherchali
Description
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Reference
https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
Date
2024-11-01 00:00:00
Modified
None
Id
a7df0e9e-91a5-459a-a003-4cde67c2ff5d
Tags
attack.execution attack.t1059.001 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=a7df0e9e-91a5-459a-a003-4cde67c2ff5d

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #5067 from @nasbench - Add missing reference links
2024-11-01
e1787dad3
Ahmed Farouk
Merge PR #5058 from @ahmedfarou22 - Add new rules related to command execution via run dialogue
2024-11-01
14ce104a1
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022