Adversaries may use non-ASCII characters in the RunMRU registry key to obfuscate malicious persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential persistence techniques that evade traditional detection methods.
KQL Query
```kql
// Identifies non-ASCII data written to the RunMRU registry key by explorer. This may indicate user-pasted commands from social engineering tactics like "ClickFix", where users are tricked into executing code.
DeviceRegistryEvents
| where InitiatingProcessFileName == "explorer.exe"
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith "RunMRU"
// RE2 POSIX class [[:ascii:]] is the range \x00-\x7F; the negated class matches any character outside it
| where RegistryValueData matches regex "[^[:ascii:]]"
// If too noisy, add the following filter
// | where RegistryValueData contains "#"
```
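As an added worked example (not part of the original page or of the Sentinel query itself), the Python below replays the query's filters, in the same order, over a handful of constructed DeviceRegistryEvents rows, so the matching behaviour and the effect of the optional `#` noise filter can be checked offline. The `DeviceRegistryEvent` dataclass, the sample rows and the function name are assumptions made for this example; the column names are the ones the query uses. Python's `re` has no POSIX classes, so the explicit range `[^\x00-\x7F]` stands in for RE2's `[^[:ascii:]]`.

```python
import re
from dataclasses import dataclass

# KQL `matches regex` uses RE2, where [[:ascii:]] is the range \x00-\x7F.
# Python's re has no POSIX classes, so the negated explicit range is the
# equivalent of the query's "[^[:ascii:]]".
NON_ASCII = re.compile(r"[^\x00-\x7F]")

# Real location of the Run-dialog MRU list; used for the constructed rows below.
RUN_MRU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"


@dataclass
class DeviceRegistryEvent:
    """Subset of the DeviceRegistryEvents columns the hunt references (assumed shape)."""
    InitiatingProcessFileName: str
    ActionType: str
    RegistryKey: str
    RegistryValueData: str


def run_mru_non_ascii(events, require_hash=False):
    """Apply the hunting query's filters in order and return the matching rows.

    require_hash=True mirrors the commented-out noise filter
    `| where RegistryValueData contains "#"`.
    """
    hits = []
    for ev in events:
        # KQL `==` is case-sensitive, so compare exactly as the query does.
        if ev.InitiatingProcessFileName != "explorer.exe":
            continue
        if ev.ActionType != "RegistryValueSet":
            continue
        # KQL `endswith` is case-insensitive (endswith_cs is the sensitive form).
        if not ev.RegistryKey.lower().endswith("runmru"):
            continue
        if NON_ASCII.search(ev.RegistryValueData) is None:
            continue
        if require_hash and "#" not in ev.RegistryValueData:
            continue
        hits.append(ev)
    return hits


# Constructed sample rows (not real telemetry), one per filter branch.
SAMPLE_EVENTS = [
    # 1: Run-dialog paste carrying lure text with a Unicode check mark and a '#'; matches
    DeviceRegistryEvent("explorer.exe", "RegistryValueSet", RUN_MRU,
                        'powershell -c "echo test" # ✔ Verification'),
    # 2: ordinary Run-dialog use, pure ASCII; dropped by the regex
    DeviceRegistryEvent("explorer.exe", "RegistryValueSet", RUN_MRU, "notepad"),
    # 3: non-ASCII value but written by PowerShell; dropped by the process filter
    DeviceRegistryEvent("powershell.exe", "RegistryValueSet", RUN_MRU, "Protokoll ✔"),
    # 4: explorer writes non-ASCII to a different key; dropped by the key filter
    DeviceRegistryEvent("explorer.exe", "RegistryValueSet",
                        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths",
                        "C:\\Ünicode"),
    # 5: a deletion on RunMRU; dropped by the ActionType filter
    DeviceRegistryEvent("explorer.exe", "RegistryValueDeleted", RUN_MRU, "✔"),
    # 6: non-ASCII without '#'; matches the base query, not the noise-reduced variant
    DeviceRegistryEvent("explorer.exe", "RegistryValueSet", RUN_MRU, "cmd /c echo déjà"),
]


def hit_values(events, require_hash=False):
    """Convenience wrapper returning just the matching RegistryValueData strings."""
    return [ev.RegistryValueData for ev in run_mru_non_ascii(events, require_hash)]


if __name__ == "__main__":
    print("base query hits:   ", hit_values(SAMPLE_EVENTS))
    print("with '#' filter:   ", hit_values(SAMPLE_EVENTS, require_hash=True))
```

Rows 3 to 5 show that the `explorer.exe`, `RegistryValueSet` and `RunMRU` predicates already drop writes made by other processes or to other keys, so any tuning for the scenarios further down only needs to consider rows that pass those three filters.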
```yaml
id: 6e8ee46f-80ee-46f6-be49-49a66f01edce
name: RunMRU with non-ASCII characters
description: |
  Identifies non-ASCII data written to the RunMRU registry key by explorer.
description-detailed: |
  Identifies non-ASCII data written to the RunMRU registry key by explorer. This may indicate user-pasted commands from social engineering tactics like "ClickFix", where users are tricked into executing code.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
tactics:
  - Execution
relevantTechniques:
  - T1204.004
query: |
  // Identifies non-ASCII data written to the RunMRU registry key by explorer. This may indicate user-pasted commands from social engineering tactics like "ClickFix", where users are tricked into executing code.
  DeviceRegistryEvents
  | where InitiatingProcessFileName == "explorer.exe"
  | where ActionType == "RegistryValueSet"
  | where RegistryKey endswith "RunMRU"
  | where RegistryValueData matches regex "[^[:ascii:]]"
  // If too noisy, add the following filter
  // | where RegistryValueData contains "#"
version: 1.0.1
```
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure this data connector is enabled |
- Scenario: A system administrator uses PowerShell to update the RunMRU registry key with a non-ASCII character for logging purposes.
  - Filter/Exclusion: Check for ProcessName containing `powershell.exe` and CommandLine containing `-Command` or `-File`.
- Scenario: A scheduled task runs a script that writes non-ASCII characters to the RunMRU key for localization testing.
  - Filter/Exclusion: Filter by ProcessName containing `schtasks.exe` or TaskName matching the known scheduled task name.
- Scenario: A third-party application (e.g., Notepad++ or Visual Studio) writes non-ASCII characters to the RunMRU key during a configuration export.
  - Filter/Exclusion: Exclude ProcessName matching the known application name, or check for CommandLine containing export or configuration keywords.
- Scenario: A Windows Update or Group Policy process writes non-ASCII characters to the RunMRU key during system configuration.
  - Filter/Exclusion: Filter by ProcessName containing `wuauclt.exe`, `gpupdate.exe`, or `services.exe`.
- Scenario: A remote desktop session or terminal services user writes non-ASCII characters to the RunMRU key when setting up a custom shortcut.
  - Filter/Exclusion: Check for LogonSession or User fields indicating a remote session, or filter by ProcessName containing `tsclient.exe` or `mstsc.exe`.