RunMRU Registry Key Deletion - Registry
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the Run dialog. In ClickFix techniques, phishing lures instruct users to open the Run dialog (Win + R) and execute malicious commands. Adversaries may delete this key afterwards to cover their tracks.
Sigma rule
title: RunMRU Registry Key Deletion - Registry
id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
related:
  - id: c11aecef-9c37-45a6-9c07-bc0782f963fd
    type: similar
status: experimental
description: |
  Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
  In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
  Adversaries may delete this key to cover their tracks after executing commands.
references:
  - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
  - attack.defense-evasion
  - attack.t1070.003
logsource:
  category: registry_delete
  product: windows
detection:
  selection:
    TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
  condition: selection
falsepositives:
  - Unknown
level: high
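To see what the selection above actually fires on, the following added example (not part of the rule or its page) evaluates the rule's logic against constructed Sysmon registry events. It assumes the usual Sigma-to-Sysmon mapping of the registry_delete category to Event ID 12 with EventType DeleteKey, and applies Sigma's default case-insensitive string matching.

```python
"""Evaluate the RunMRU deletion Sigma rule against constructed Sysmon events."""
from dataclasses import dataclass

# Suffix copied from the rule's TargetObject|endswith selection
RUNMRU_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"


@dataclass
class RegistryEvent:
    """Minimal view of a Sysmon Event ID 12 record (object create/delete)."""
    event_id: int
    event_type: str      # e.g. "CreateKey", "DeleteKey", "DeleteValue"
    target_object: str   # full registry path as Sysmon logs it
    image: str           # process that performed the operation


def is_registry_delete(ev: RegistryEvent) -> bool:
    """Sigma logsource registry_delete: assumed to map to EID 12 / DeleteKey."""
    return ev.event_id == 12 and ev.event_type == "DeleteKey"


def matches_runmru_deletion(ev: RegistryEvent) -> bool:
    """The rule's selection: TargetObject ends with the RunMRU key path."""
    if not is_registry_delete(ev):
        return False
    # Sigma string comparisons are case-insensitive unless modified otherwise
    return ev.target_object.lower().endswith(RUNMRU_SUFFIX.lower())


def find_alerts(events):
    """Return every event the rule would alert on."""
    return [ev for ev in events if matches_runmru_deletion(ev)]


# Constructed sample events (hypothetical SID and paths, not real telemetry)
_HKU = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Whole RunMRU key deleted from reg.exe: this is what the rule is for
    RegistryEvent(12, "DeleteKey", _HKU + RUNMRU_SUFFIX, r"C:\Windows\System32\reg.exe"),
    # Same key being created is benign and is excluded by the logsource category
    RegistryEvent(12, "CreateKey", _HKU + RUNMRU_SUFFIX, r"C:\Windows\explorer.exe"),
    # Deleting a single MRU value leaves a TargetObject ending in the value name,
    # so this rule does not cover selective history cleanup
    RegistryEvent(12, "DeleteValue", _HKU + RUNMRU_SUFFIX + r"\a", r"C:\Windows\explorer.exe"),
    # Unrelated key deletion, must not match
    RegistryEvent(12, "DeleteKey", _HKU + r"\Software\Vendor\Cache", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} deleted {hit.target_object}")
```

The third sample shows the rule's scope: per-entry value deletions under RunMRU are not matched, so a detection for that case would need a separate registry_delete rule on EventType DeleteValue.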
Related rules
- RunMRU Registry Key Deletion
- Cisco Clear Logs
- Clearing Windows Console History
- Disable Powershell Command History
- Linux Command History Tampering