Detecting ClickFix Malware via RunMRU Registry Key in Microsoft Defender

Listen to this Post

Featured Image
Microsoft Defender for Endpoint (MDE) can detect ClickFix malware by monitoring the RunMRU (Most Recently Used) registry key. This key logs commands executed via the Windows Run dialog (Win + R). While useful for threat hunting, it has limitations: no timestamps, potential clearing by attackers, and only captures manually entered Run commands.

KQL Query for RunMRU Detection

// Query to detect modifications to RunMRU registry key 
DeviceRegistryEvents 
| where Timestamp > ago(30d) 
| where RegistryKey contains "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" 
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName 
| order by Timestamp desc 

You Should Know:

1. Manual Registry Inspection (Windows)

Check RunMRU entries manually via:

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" 

2. Clearing RunMRU (Forensic Evasion)

Attackers may clear RunMRU using:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f 

3. Monitoring RunMRU via PowerShell

Automate logging with:

Get-WinEvent -FilterHashtable @{ 
LogName='Security'; 
ProviderName='Microsoft-Windows-Security-Auditing'; 
ID=4657  Registry key modification event 
} | Where-Object { $_.Message -like "RunMRU" } 

4. Linux Equivalent (Bash History Monitoring)

For Linux threat hunting, track suspicious commands via:

cat ~/.bash_history | grep -E "(wget|curl|chmod|sh|.\/)" 

5. Sysmon Configuration for Registry Monitoring

Enhance detection with Sysmon:

<RuleGroup name="RunMRU Monitoring"> 
<RegistryEvent onmatch="include"> 
<TargetObject name="RunMRU" condition="contains"> 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 
</TargetObject> 
</RegistryEvent> 
</RuleGroup> 

6. YARA Rule for ClickFix Payload

Detect ClickFix binaries:

rule ClickFix_Malware { 
meta: 
description = "Detects ClickFix malware" 
strings: 
$s1 = "ClickFix" nocase 
$s2 = { 6A 40 68 00 30 00 00 6A 14 8D 91 } // Common shellcode pattern 
condition: 
any of them 
} 

What Undercode Say

The RunMRU registry key is a valuable forensic artifact but should not be the sole detection method. Combine it with:
– Process Creation Logging (Sysmon Event ID 1)
– Persistence Mechanisms (e.g., HKCU\...\Run, Scheduled Tasks)
– Network Telemetry (e.g., `DeviceNetworkEvents` in MDE)

For Linux defenders:

  • Monitor ~/.bash_history, auth.log, and `cron` jobs.
  • Use `auditd` for real-time command tracking:
    sudo auditctl -a always,exit -F arch=b64 -S execve 
    

Windows admins should:

  • Enable PSRemoting logging (Microsoft-Windows-PowerShell/Operational)
  • Hunt for living-off-the-land binaries (LOLBAS) like mshta.exe, certutil.exe.

Expected Output:

A structured threat-hunting workflow combining RunMRU checks, process monitoring, and network detection for ClickFix and similar malware.

Prediction

Increased attacker use of registry-less persistence (e.g., WMI subscriptions, fileless techniques) will reduce reliance on RunMRU, pushing defenders toward memory forensics and behavioral analytics.

(Source: LinkedIn Post)

References:

Reported By: Vasilis Orlof – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram