Suspicious RUNMRU Entry
Query
let Parameters = dynamic(['http', 'https', 'Encoded', 'EncodedCommand', '-e', '-eC', '-enc', "-w", '-i', '/i','/e', '/eC', '/enc', "/w", 'wind', 'nop', 'DownloadString', 'FromBase64String', 'iwr', '$env']);
let Executables = dynamic(["cmd", "powershell", "curl", "mshta", "msiexec", 'SyncAppvPublishingServer']);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "RunMRU"
| where RegistryValueData has_any (Parameters) and RegistryValueData has_any (Executables)
| project-reorder Timestamp, DeviceId, DeviceName, RegistryValueData, RegistryKeyAbout this query
Explanation
This query is designed to detect potentially suspicious activity on a Windows device by examining the Windows registry for specific entries. Here's a simple breakdown of what it does:
-
Purpose: The query aims to identify suspicious entries in the Windows "RunMRU" registry key. This key keeps track of commands that have been executed via the Run dialog, and certain entries can indicate malicious activity.
-
Parameters and Executables: The query looks for specific patterns or keywords within these entries. It checks for certain parameters (like 'http', 'EncodedCommand', 'DownloadString', etc.) and executables (like 'cmd', 'powershell', 'curl', etc.) that are commonly associated with malicious scripts or commands.
-
Detection: If a registry entry contains any of the specified parameters and executables, it is flagged as suspicious. This could indicate that a potentially harmful command was executed on the device.
-
Output: The query outputs relevant details such as the timestamp, device ID, device name, the suspicious registry value data, and the registry key itself. This information helps in further investigation.
-
Risk: The query highlights a high likelihood that the detected command is deploying malicious content, making it a critical detection tool for security teams.
Overall, this query is a proactive measure to detect and respond to potential threats by monitoring specific registry changes that could indicate malicious activity.
Details

Bert-Jan Pals
Released: January 11, 2026
Tables
Keywords
Operators