Query Details

Suspicious RUNMRU Entry

Query

let Parameters = dynamic(['http', 'https', 'Encoded', 'EncodedCommand', '-e', '-eC', '-enc', "-w", '-i', '/i','/e', '/eC', '/enc', "/w", 'wind', 'nop', 'DownloadString', 'FromBase64String', 'iwr', '$env']);
let Executables = dynamic(["cmd", "powershell", "curl", "mshta", "msiexec", 'SyncAppvPublishingServer']);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "RunMRU"
| where RegistryValueData has_any (Parameters) and RegistryValueData has_any (Executables)
| project-reorder Timestamp, DeviceId, DeviceName, RegistryValueData, RegistryKey

About this query

Explanation

This query is designed to detect potentially suspicious activity on a Windows device by examining the Windows registry for specific entries. Here's a simple breakdown of what it does:

  1. Purpose: The query aims to identify suspicious entries in the Windows "RunMRU" registry key. This key keeps track of commands that have been executed via the Run dialog, and certain entries can indicate malicious activity.

  2. Parameters and Executables: The query looks for specific patterns or keywords within these entries. It checks for certain parameters (like 'http', 'EncodedCommand', 'DownloadString', etc.) and executables (like 'cmd', 'powershell', 'curl', etc.) that are commonly associated with malicious scripts or commands.

  3. Detection: If a registry entry contains any of the specified parameters and executables, it is flagged as suspicious. This could indicate that a potentially harmful command was executed on the device.

  4. Output: The query outputs relevant details such as the timestamp, device ID, device name, the suspicious registry value data, and the registry key itself. This information helps in further investigation.

  5. Risk: The query highlights a high likelihood that the detected command is deploying malicious content, making it a critical detection tool for security teams.

Overall, this query is a proactive measure to detect and respond to potential threats by monitoring specific registry changes that could indicate malicious activity.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 11, 2026

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryRunMRUParametersExecutablesTimestampDeviceIdDeviceNameRegistryValueDataRegistryKeyTimeGenerated

Operators

letdynamichashas_anywhereproject-reorder

Actions

GitHub