Rule : Detection of Suspicious RunMRU Registry Modifications Related to info Stealers
Suspicious Run MR Uentries
Query
DeviceRegistryEvents
| where RegistryKey contains "Runmru"
| where RegistryValueData has_any("powershell", "iwr", "https", "iex", "cmd.exe", "rundll", "pwsh")About this query
Explanation
This query is designed to detect suspicious activity related to the modification of the RunMRU registry key on Windows systems. The RunMRU key keeps a record of commands run through the Windows Run Dialog (Win + R). Attackers, such as those using the Lumma Stealer malware, might alter this key to execute harmful commands, download malicious files, or maintain persistence on a system using common tools like PowerShell, cmd.exe, and rundll32.exe.
The query specifically looks for changes in the registry where the RunMRU key is involved and checks if the changes include potentially harmful command-line keywords. These keywords include commands and tools often used in attacks, such as PowerShell commands (powershell, pwsh), web requests (iwr, https), command execution (cmd.exe), and DLL execution (rundll). By monitoring these changes, the query helps identify unauthorized command executions or attempts to maintain persistence through registry manipulation.
Details

Ali Hussein
Released: March 13, 2025
Tables
Keywords
Operators