RunMRU Registry Key Deletion

Sigma Rules

Summary
The 'RunMRU Registry Key Deletion' rule detects deletion of the RunMRU registry key on Windows. The key lives in the user hive at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and stores the history of commands typed into the Run dialog (Win+R), so it is a forensic record of what the user launched. Phishing lures that instruct the victim to paste a command into the Run dialog leave exactly this trace; once the command has run, the attacker's script may delete the RunMRU key so the pasted command does not survive in the profile, which hampers investigation. The rule inspects process-creation events in which the executable is reg.exe, identified either by the image path ending in \reg.exe or by the original file name reg.exe, and the command line carries a delete operation whose target ends with the RunMRU key path. All selection conditions must match for the rule to fire. As described, the logic only covers reg.exe; a deletion performed through PowerShell's Remove-Item or directly via the registry API will not match and needs separate registry-event coverage. Because the behaviour is anti-forensic, the rule is tagged with ATT&CK technique T1070.003 (Indicator Removal: Clear Command History) under Defense Evasion, and it carries a high severity level given what the activity implies about the host.
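The following is an added example, not the rule's own source or code from the rule's authors. It approximates the selection logic described above in Python and runs it over a few constructed process-creation events (the field names Image, OriginalFileName and CommandLine follow the Sysmon/Windows process-creation convention; the exact modifiers in the published Sigma rule are an assumption here). It includes a renamed reg.exe caught via OriginalFileName, a benign reg query, a deletion of a different key, and a PowerShell Remove-Item deletion that this rule does not cover.

```python
import re

# Assumed approximation of the rule's selection. The real Sigma rule may use
# different string modifiers; the behaviour shown here is the one the summary
# describes: reg.exe + delete verb + target ending in the RunMRU key path.
RUNMRU_PATH = r"\software\microsoft\windows\currentversion\explorer\runmru"


def is_runmru_deletion(event: dict) -> bool:
    """Return True when a process-creation event matches all conditions."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()

    # Condition 1: the binary is reg.exe by path or by original file name
    # (the latter survives a rename of the executable on disk).
    if not (image.endswith("\\reg.exe") or original == "reg.exe"):
        return False

    # Condition 2: the command line carries the delete verb.
    if not re.search(r"\bdelete\b", cmd):
        return False

    # Condition 3: the key being operated on is RunMRU. Trailing switches
    # such as "/f" or "/va /f" and a closing quote are stripped first so an
    # "ends with" comparison still works on real-world command lines.
    target = re.sub(r"(\s+/\w+)+\s*$", "", cmd).rstrip('"')
    return target.endswith(RUNMRU_PATH)


def matching_labels(events) -> list:
    """Labels of all events the detection fires on, in input order."""
    return [e["label"] for e in events if is_runmru_deletion(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {
        "label": "tp-reg",
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f',
    },
    {
        # Attacker copied reg.exe to a new name; OriginalFileName still says reg.exe.
        "label": "tp-renamed",
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f",
    },
    {
        # Benign: reading the key, no delete verb.
        "label": "benign-query",
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
    },
    {
        # Delete of an unrelated key: should not fire.
        "label": "other-key",
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg delete HKCU\Software\Contoso\Cache /f",
    },
    {
        # Same anti-forensic goal via PowerShell: outside this rule's scope.
        "label": "powershell-gap",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell -c Remove-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
    },
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['label']:16} -> {is_runmru_deletion(e)}")
```

The "powershell-gap" event is the caveat in code: a hunter who wants the full picture pairs this process-based rule with registry telemetry (for example Sysmon Event ID 12 key deletions on the RunMRU path), because the rule as described only sees reg.exe.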
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
Created: 2025-09-25