Merge PR #5660 from @swachchhanda000 - feat: add rule to detect deletion of RunMRU registry key

new: RunMRU Registry Key Deletion
new: RunMRU Registry Key Deletion - Registry
---------

Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml

@@ -0,0 +1,32 @@
+title: RunMRU Registry Key Deletion
+id: c11aecef-9c37-45a6-9c07-bc0782f963fd
+related:
+    - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
+      type: similar
+status: experimental
+description: |
+    Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
+    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+    Adversaries may delete this key to cover their tracks after executing commands.
+references:
+    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-09-25
+tags:
+    - attack.defense-evasion
+    - attack.t1070.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' del'
+            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/registry/registry_delete/registry_delete_runmru.yml

@@ -0,0 +1,27 @@
+title: RunMRU Registry Key Deletion - Registry
+id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
+related:
+    - id: c11aecef-9c37-45a6-9c07-bc0782f963fd
+      type: similar
+status: experimental
+description: |
+    Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
+    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+    Adversaries may delete this key to cover their tracks after executing commands.
+references:
+    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-09-25
+tags:
+    - attack.defense-evasion
+    - attack.t1070.003
+logsource:
+    category: registry_delete
+    product: windows
+detection:
+    selection:
+        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

tests/thor.yml

@@ -134,6 +134,7 @@ logsources:
         product: windows
         conditions:
             EventID: 12
+            EventType: CreateKey
         rewrite:
             product: windows
             service: sysmon
@@ -142,6 +143,7 @@ logsources:
         product: windows
         conditions:
             EventID: 12
+            EventType: DeleteKey
         rewrite:
             product: windows
             service: sysmon