Run MRU Click Fix Detection
Query
// ClickFix: Discovery of RunMRU Command
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
| extend RunCommand = RegistryValueData
| extend RunCommandLength = strlen(RunCommand)
| where RunCommandLength > 50
// Exclusions
| where not(RunCommand has_any ( "SAMPLE1", "SAMPLE2"))About this query
RunMRU ClickFix Detection
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1012 | Query Registry | https://attack.mitre.org/techniques/T1012/ |
Description
This rule detects modifications to the 'RunMRU' registry key, specifically looking for new or changed entries where the command string is unusually long (greater than 50 characters). This can indicate an attempt to persist or execute malicious code via the RunMRU list, which stores recently executed commands.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to detect potentially suspicious activity involving the Windows registry, specifically focusing on the 'RunMRU' key, which tracks recently executed commands. The query looks for any changes to this registry key within the past week. It specifically flags entries where the command string is unusually long (more than 50 characters), as this could indicate an attempt to execute or persist malicious code. The query also excludes certain known benign commands ("SAMPLE1" and "SAMPLE2") from being flagged. This detection method is associated with the MITRE ATT&CK technique T1012, which involves querying the registry for malicious purposes.
