Potentially Suspicious Command Executed Via Run Dialog Box - Registry (a7df0e9e-91a5-459a-a003-4cde67c2ff5d)

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Potentially Suspicious Command Executed Via Run Dialog Box - Registry (a7df0e9e-91a5-459a-a003-4cde67c2ff5d) | Sigma-Rules | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 2 |