Sigma rule | Level: high | Hunting
RunMRU Registry Key Deletion
Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In ClickFix techniques, phishing lures instruct users to open the Run dialog (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing those commands.
Detection Query
selection_img:
    - Image|endswith: '\reg.exe'
    - OriginalFileName: 'reg.exe'
selection_cli:
    CommandLine|contains|all:
        - ' del'
        - '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
condition: all of selection_*
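As an added example (not the rule's own code, nor from SigmaHQ or Nextron), the two selections and the condition implemented in plain Python and run over constructed process-creation events; it assumes Sigma's default case-insensitive string matching and the field names Image, OriginalFileName and CommandLine as used in the rule.

```python
# Added example (not the rule's or SigmaHQ's own code): the Sigma logic above
# in plain Python, run over constructed events. Sigma matches case-insensitively.
SELECTION_IMG = [  # list of maps = OR between the entries
    ("Image", "endswith", "\\reg.exe"),
    ("OriginalFileName", "equals", "reg.exe"),
]
SELECTION_CLI_ALL = [  # contains|all = every value must appear in CommandLine
    " del",  # also matches " delete", so "reg delete ..." is covered
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU",
]

def _field(event: dict, name: str) -> str:
    return str(event.get(name, "")).lower()

def match_selection_img(event: dict) -> bool:
    for field, op, value in SELECTION_IMG:
        actual, expected = _field(event, field), value.lower()
        if op == "endswith" and actual.endswith(expected):
            return True
        if op == "equals" and actual == expected:
            return True
    return False

def match_selection_cli(event: dict) -> bool:
    cmd = _field(event, "CommandLine")
    return all(v.lower() in cmd for v in SELECTION_CLI_ALL)

def runmru_deletion(event: dict) -> bool:
    """condition: all of selection_* -> both selections must match."""
    return match_selection_img(event) and match_selection_cli(event)

# Constructed sample process-creation events, not real telemetry.
KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": f'reg delete "{KEY}" /f'},
    # Renamed copy: Image no longer ends with \reg.exe, but the PE header's
    # OriginalFileName still says reg.exe, so selection_img still matches.
    {"Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": f"r.exe delete {KEY} /f"},
    # Benign: reads the key rather than deleting it, so selection_cli fails.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": f"reg query {KEY}"},
    # Upper-cased command line still matches because Sigma ignores case.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": f"REG DELETE {KEY.upper()} /f"},
]

def matching_indices(events=SAMPLE_EVENTS) -> list:
    return [i for i, e in enumerate(events) if runmru_deletion(e)]
```

Running `matching_indices()` on the samples returns the indices of the two reg.exe deletions and the upper-cased variant, while the `reg query` event is not flagged.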
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2025-09-25
Data Sources
windows / Process Creation Events
Platforms
windows
References
https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
Tags
attack.defense-evasion, attack.t1070.003
Raw Content
title: RunMRU Registry Key Deletion
id: c11aecef-9c37-45a6-9c07-bc0782f963fd
related:
    - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
      type: similar
status: experimental
description: |
    Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
    Adversaries may delete this key to cover their tracks after executing commands.
references:
    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
    - attack.defense-evasion
    - attack.t1070.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' del'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high