Potentially Suspicious Command Executed Via Run Dialog Box - Registry (a7df0e9e-91a5-459a-a003-4cde67c2ff5d)

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Potentially Suspicious Command Executed Via Run Dialog Box - Registry (a7df0e9e-91a5-459a-a003-4cde67c2ff5d) | Sigma-Rules | 1 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |