Query Details

Suspicious RunMRU entries

Query

# Rule: Detection of Suspicious RunMRU Registry Modifications Related to Info Stealers

## Description
This detection rule identifies suspicious modifications to the **RunMRU** registry key, which stores a history of commands executed via the Windows **Run Dialog** (`Win + R`). Adversaries, including those deploying **Lumma Stealer**, may use this technique to execute malicious commands, download payloads, or establish persistence by leveraging commonly abused executables like **PowerShell, cmd.exe, rundll32.exe, and pwsh**.

As observed in **Lumma Stealer** campaigns, attackers may use **CAPTCHA-based evasion** techniques to distribute malware and execute commands that interact with malicious infrastructure via `iwr`, `https`, and `iex` in PowerShell. Monitoring changes to the **RunMRU** registry key helps detect malicious activity attempting to execute unauthorized commands or establish persistence through registry manipulation.

- [Lumma Stealer Analysis - Medium](https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71)

## Detection Logic
- **Monitors `DeviceRegistryEvents`** where:
  - The `RegistryKey` contains `"RunMRU"` (indicating execution history manipulation).
  - The `RegistryValueData` contains **potentially malicious command-line keywords**, such as:
    - `"powershell"` – PowerShell execution
    - `"pwsh"` – PowerShell Core execution
    - `"iwr"` – Invoke-WebRequest (used for downloading files)
    - `"https"` – Suspicious external network access
    - `"iex"` – Invoke-Expression (often abused in PowerShell attacks)
    - `"cmd.exe"` – Execution via the command prompt
    - `"rundll"` – DLL execution

## Tags
- Malware Persistence
- Registry Modification
- Windows Run Dialog Abuse
- Command Execution
- Malicious Script Execution
- Suspicious Activity
- InfoStealers

## Search Query
```kql
// Registry events whose key path includes RunMRU (Run dialog history);
// `contains` is case-insensitive, so "Runmru" also matches "RunMRU"
DeviceRegistryEvents
| where RegistryKey contains "Runmru"
// Value data holding any of the abused tools or download/execute keywords;
// `has_any` matches whole terms, case-insensitively
| where RegistryValueData has_any("powershell", "iwr", "https", "iex", "cmd.exe", "rundll", "pwsh")
```

Explanation

This query is designed to detect suspicious activity related to the modification of the RunMRU registry key on Windows systems. The RunMRU key keeps a record of commands run through the Windows Run Dialog (Win + R). Attackers, such as those using the Lumma Stealer malware, might alter this key to execute harmful commands, download malicious files, or maintain persistence on a system using common tools like PowerShell, cmd.exe, and rundll32.exe.

The query specifically looks for changes in the registry where the RunMRU key is involved and checks if the changes include potentially harmful command-line keywords. These keywords include commands and tools often used in attacks, such as PowerShell commands (powershell, pwsh), web requests (iwr, https), command execution (cmd.exe), and DLL execution (rundll). By monitoring these changes, the query helps identify unauthorized command executions or attempts to maintain persistence through registry manipulation.
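A tuned variant of the hunt above, added here as an example and not part of the original rule: it restricts to value-set events under the RunMRU key, skips the `MRUList` ordering value (which holds only letters, never a command), strips the `\1` suffix the Run dialog appends to each stored command, and rolls results up per device and account. Column names follow the standard `DeviceRegistryEvents` schema; `suspicious_terms` and `RunCommand` are names chosen here.

```kql
// Added example, not the original rule. Assumes the standard DeviceRegistryEvents
// schema (ActionType, RegistryValueName, InitiatingProcessAccountName, DeviceName, Timestamp).
let suspicious_terms = dynamic(["powershell", "pwsh", "iwr", "iex", "https", "cmd.exe", "rundll"]);
DeviceRegistryEvents
// Only writes of a value; key creation/deletion carries no command text
| where ActionType == "RegistryValueSet"
// Anchor on the full key name instead of a loose substring match
| where RegistryKey endswith @"\Explorer\RunMRU"
// MRUList stores the ordering of the lettered entries, not a command
| where RegistryValueName != "MRUList"
// Each stored command ends in "\1"; strip it so the output is the bare command
| extend RunCommand = trim_end(@"\\1$", RegistryValueData)
| where RunCommand has_any (suspicious_terms)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryValueName, RunCommand
// One row per device and user, with the distinct commands seen
| summarize Hits = count(),
            Commands = make_set(RunCommand, 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName
| order by LastSeen desc
```

The per-user roll-up makes a burst of download-and-execute commands from a single account stand out against the one-off entries administrators leave behind.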

Details


Ali Hussein

Released: March 13, 2025

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents, RunMRU, PowerShell, Cmd, Rundll, Pwsh, Iwr, Https, Iex

Operators

DeviceRegistryEvents, |, where, contains, has_any
