RunMRU Atomic Test (#2981)

Co-authored-by: Bhavin Patel <[email protected]>

atomics/T1202/T1202.yaml

@@ -75,4 +75,34 @@ atomic_tests:
     cleanup_command: 
     name: powershell
     elevation_required: false
-
+- name: Indirect Command Execution - RunMRU Dialog
+  description: |
+    Simulates execution of commands via the Windows Run dialog (Win+R) by programmatically opening the Run dialog, 
+    copying a command to clipboard, and automating the paste and execution. This generates artifacts in the RunMRU registry key,
+    which is commonly abused by threat actors to execute malicious commands disguised as CAPTCHA verification steps.
+    Upon execution, a test PowerShell command will be executed through the Run dialog.
+  supported_platforms:
+  - windows
+  input_arguments:
+    command:
+      description: Command to execute via Run dialog
+      type: string
+      default: calc.exe
+  executor:
+    name: powershell
+    command: |
+      # Copy command to clipboard
+      Set-Clipboard -Value '#{command}'
+
+      # Open Run dialog
+      Start-Process -FilePath "powershell" -ArgumentList "-c (New-Object -ComObject 'Shell.Application').FileRun()" -WindowStyle Hidden
+
+      # Wait for Run dialog to open
+      Start-Sleep -Seconds 1
+
+      # Paste command and execute
+      Add-Type -AssemblyName System.Windows.Forms
+      [System.Windows.Forms.SendKeys]::SendWait('^v')
+      Start-Sleep -Milliseconds 500
+      [System.Windows.Forms.SendKeys]::SendWait('{ENTER}')
+