Detection rules › Sigma
RunMRU Registry Key Deletion - Registry
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1070.003 Indicator Removal: Clear Command History |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 14 | RegistryEvent (Key and Value Rename) |
Stages and Predicates
Stage 1: selection
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetObject | ends_with |
|