RunMRU Registry Key Deletion
Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In the ClickFix technique, phishing lures instruct users to open the Run dialog (Win + R) and execute malicious commands; the executed command lands in RunMRU under HKCU. Adversaries may delete this key to cover their tracks after executing commands, which is the activity this rule alerts on.
Sigma rule
```yaml
title: RunMRU Registry Key Deletion
id: c11aecef-9c37-45a6-9c07-bc0782f963fd
related:
    - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
      type: similar
status: experimental
description: |
    Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
    Adversaries may delete this key to cover their tracks after executing commands.
references:
    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
    - attack.defense-evasion
    - attack.t1070.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' del'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
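To see what the rule's selections actually match, the following is an added example (not part of the rule, the page, or the Sigma project) that transcribes the two selections and the `all of selection_*` condition into plain Python and runs them over four constructed process-creation events. The events are made up for illustration and are not real telemetry; field names follow the Sysmon event ID 1 / Sigma process_creation convention (`Image`, `OriginalFileName`, `CommandLine`). String matching is done case-insensitively, as Sigma backends do by default.

```python
"""Evaluate the RunMRU deletion Sigma rule over constructed process-creation events."""

# Selections transcribed from the rule on this page.
RUNMRU_KEY = r'\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'


def _ci(value):
    """Lower-case a field for the case-insensitive comparison Sigma uses by default."""
    return (value or '').lower()


def selection_img(event):
    """selection_img is a list of two maps, so it is an OR:
    Image ends with '\\reg.exe' OR OriginalFileName (from PE version info) is 'reg.exe'.
    The second branch is what catches a renamed copy of reg.exe."""
    return (_ci(event.get('Image')).endswith(r'\reg.exe')
            or _ci(event.get('OriginalFileName')) == 'reg.exe')


def selection_cli(event):
    """CommandLine|contains|all: every listed substring must appear.
    Note ' del' is a substring of ' delete', so 'reg delete ...' matches."""
    cmd = _ci(event.get('CommandLine'))
    return all(needle.lower() in cmd for needle in (' del', RUNMRU_KEY))


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (hypothetical, for illustration only).
EVENTS = [
    {   # 1: textbook post-ClickFix cleanup: reg.exe deletes the RunMRU key
        'Image': r'C:\Windows\System32\reg.exe',
        'OriginalFileName': 'reg.exe',
        'CommandLine': r'reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f',
    },
    {   # 2: reg.exe copied and renamed; OriginalFileName still says reg.exe, full hive name, upper-case verb
        'Image': r'C:\Users\Public\r.exe',
        'OriginalFileName': 'reg.exe',
        'CommandLine': r'r.exe DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f',
    },
    {   # 3: reg.exe only queries the key: no ' del' substring, so no alert
        'Image': r'C:\Windows\System32\reg.exe',
        'OriginalFileName': 'reg.exe',
        'CommandLine': r'reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    },
    {   # 4: same key removed through PowerShell; no reg.exe process, so this rule is silent
        'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
        'OriginalFileName': 'PowerShell.EXE',
        'CommandLine': r'powershell -c Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU -Force',
    },
]


def evaluate(events=EVENTS):
    """Return the 1-based indexes of the events that would fire the rule."""
    return [i for i, ev in enumerate(events, start=1) if matches(ev)]


if __name__ == '__main__':
    for i, ev in enumerate(EVENTS, start=1):
        print(f"event {i}: {'ALERT' if matches(ev) else 'no match':8} {ev['CommandLine']}")
```

Events 1 and 2 fire; 3 and 4 do not. Event 4 is the caveat worth remembering: a deletion performed with PowerShell, regedit or a direct API call never creates a reg.exe process, so this process_creation rule cannot see it. That gap is what the registry-event variant listed under Related rules is for, and both should be deployed together.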
Related rules
- RunMRU Registry Key Deletion - Registry
- Cisco Clear Logs
- Clearing Windows Console History
- Disable Powershell Command History
- Linux Command History Tampering