Query Details

Rule : Detection of Suspicious RunMRU Registry Modifications Related to info Stealers

Suspicious Run MR Uentries

Query

DeviceRegistryEvents 
| where RegistryKey contains "Runmru" 
| where RegistryValueData has_any("powershell", "iwr", "https", "iex", "cmd.exe", "rundll", "pwsh")

About this query

Explanation

This query is designed to detect suspicious activity related to the modification of the RunMRU registry key on Windows systems. The RunMRU key keeps a record of commands run through the Windows Run Dialog (Win + R). Attackers, such as those using the Lumma Stealer malware, might alter this key to execute harmful commands, download malicious files, or maintain persistence on a system using common tools like PowerShell, cmd.exe, and rundll32.exe.

The query specifically looks for changes in the registry where the RunMRU key is involved and checks if the changes include potentially harmful command-line keywords. These keywords include commands and tools often used in attacks, such as PowerShell commands (powershell, pwsh), web requests (iwr, https), command execution (cmd.exe), and DLL execution (rundll). By monitoring these changes, the query helps identify unauthorized command executions or attempts to maintain persistence through registry manipulation.

Details

Ali Hussein profile picture

Ali Hussein

Released: March 13, 2025

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEventsRunMRUPowerShellCmdRundllPwshIwrHttpsIex

Operators

DeviceRegistryEvents|wherecontainshas_any

Actions

GitHub