Title: RunMRU Registry Key Deletion - Registry
Status: experimental
Description: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the Run dialog.
In ClickFix techniques, phishing lures instruct users to open the Run dialog (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
References:
- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-09-25
Modified: None
Tags:
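
One way to express the detection described above over Sysmon registry events (Event ID 12), as an added example that is not the rule's own logic. The event dictionaries, the SID, and the function names are constructed for illustration, and matching only `DeleteKey` on the key itself (not value deletions beneath it) is an assumption.

```python
import re

# RunMRU key under any user hive. Sysmon reports HKCU as HKU\<SID>.
RUNMRU_KEY = re.compile(
    r"^(?:HKU\\[^\\]+|HKCU|HKEY_CURRENT_USER)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\?$",
    re.IGNORECASE,
)

def is_runmru_key_deletion(event: dict) -> bool:
    """True when a Sysmon Event ID 12 record deletes the RunMRU key itself."""
    if str(event.get("EventID")) != "12":       # ID may arrive as int or str
        return False
    if event.get("EventType") != "DeleteKey":   # ignore CreateKey / DeleteValue
        return False
    return bool(RUNMRU_KEY.match(event.get("TargetObject", "")))

def triage(events):
    """Return (Image, TargetObject) pairs for every matching event."""
    return [(e.get("Image"), e["TargetObject"])
            for e in events if is_runmru_key_deletion(e)]

# Constructed sample telemetry (not taken from a real host).
HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
EXPLORER = HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer"
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": EXPLORER + r"\RunMRU"},            # match
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": EXPLORER + r"\RunMRU\a"},          # value, not the key
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": EXPLORER + r"\RunMRU"},            # creation, not deletion
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": EXPLORER + r"\TypedPaths"},        # different key
    {"EventID": "12", "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": EXPLORER.upper() + r"\RUNMRU" + "\\"},  # match: case, slash
]

if __name__ == "__main__":
    for image, target in triage(SAMPLE_EVENTS):
        print(f"ALERT RunMRU key deleted by {image}: {target}")
```
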