From d36fc36e085aadb7c1c6b1c6844d1a1344030c2f Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Wed, 22 Oct 2025 18:31:35 +0545
Subject: [PATCH] Merge PR #5660 from @swachchhanda000 - feat: add rule to detect deletion of RunMRU registry key
new: RunMRU Registry Key Deletion
new: RunMRU Registry Key Deletion - Registry
---------
Co-authored-by: Nasreddine Bencherchali
---
.../proc_creation_win_reg_delete_runmru.yml | 32 +++++++++++++++++++
.../registry_delete_runmru.yml | 27 ++++++++++++++++
tests/thor.yml | 2 ++
3 files changed, 61 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml
create mode 100644 rules/windows/registry/registry_delete/registry_delete_runmru.yml
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml
new file mode 100644
index 000000000..e2b9611d7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml
@@ -0,0 +1,32 @@
+title: RunMRU Registry Key Deletion
+id: c11aecef-9c37-45a6-9c07-bc0782f963fd
+related:
+ - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
+ type: similar
+status: experimental
+description: |
+ Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
+ In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+ Adversaries may delete this key to cover their tracks after executing commands.
+references:
+ - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-09-25
+tags:
+ - attack.defense-evasion
+ - attack.t1070.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\reg.exe'
+ - OriginalFileName: 'reg.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' del'
+ - '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_delete/registry_delete_runmru.yml b/rules/windows/registry/registry_delete/registry_delete_runmru.yml
new file mode 100644
index 000000000..7c168a96d
--- /dev/null
+++ b/rules/windows/registry/registry_delete/registry_delete_runmru.yml
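Review bot: The `' del'` fragment in selection_cli is a bare substring with no comment explaining its reach: it covers `delete` as well, and together with the RunMRU path it also fires when only values under the key are removed (`/v`, `/va`), although the description speaks only of deleting the key. A comment above the item such as `# substring: also matches 'delete' and value deletions under RunMRU` would stop a later maintainer from "tightening" it to `' delete'`, and the description could say "key or its values". Clearing the same history without reg.exe (for example via PowerShell registry cmdlets on the HKCU path) is outside this rule because selection_img requires reg.exe; the related registry rule closes that gap only for key removal, which is worth stating in the description so the coverage boundary is explicit.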
@@ -0,0 +1,27 @@
+title: RunMRU Registry Key Deletion - Registry
+id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
+related:
+ - id: c11aecef-9c37-45a6-9c07-bc0782f963fd
+ type: similar
+status: experimental
+description: |
+ Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
+ In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+ Adversaries may delete this key to cover their tracks after executing commands.
+references:
+ - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-09-25
+tags:
+ - attack.defense-evasion
+ - attack.t1070.003
+logsource:
+ category: registry_delete
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/tests/thor.yml b/tests/thor.yml
index 6c98afc10..704df684e 100644
--- a/tests/thor.yml
+++ b/tests/thor.yml
@@ -134,6 +134,7 @@ logsources:
 product: windows
 conditions:
 EventID: 12
+ EventType: CreateKey
 rewrite:
 product: windows
 service: sysmon
@@ -142,6 +143,7 @@ logsources:
 product: windows
 conditions:
 EventID: 12
+ EventType: DeleteKey
 rewrite:
 product: windows
 service: sysmon
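Review bot: `TargetObject|endswith: '...\Explorer\RunMRU'` in the selection matches only removal of the key itself; wiping the same history by deleting the values stored beneath it (the `MRUList` value and the lettered entries) yields a TargetObject that ends in the value name, e.g. `...\Explorer\RunMRU\MRUList`, and does not match. If value deletion is in scope, `TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'` keeps the full path anchor and covers both forms; if it is deliberately out of scope, a comment `# key removal only; value deletions under RunMRU are not matched` above the selection would record that choice. Either way the description ("attempts to delete the RunMRU registry key") should state which of the two the rule covers, since the related process_creation rule fires on both.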
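Review bot: Pinning the registry_delete mapping to `EventType: DeleteKey` in the second tests/thor.yml hunk narrows Sysmon EventID 12 to key removals, so rules in this category would no longer be exercised against value removals, which Sysmon as far as I recall also reports under EventID 12 with a DeleteValue event type — worth confirming against the Sysmon schema before merging. If the category is meant to cover both, and the conditions block accepts a list, `EventType: [DeleteKey, DeleteValue]` is the one-line change; if key removal only is intended, a comment `# DeleteKey only; DeleteValue is not part of registry_delete here` would make the narrowing explicit. The surrounding logsources mapping begins and ends outside both hunks; the CreateKey hunk above is not affected by this point, since value creation is reported under a different event and not EventID 12.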