
Summary
This detection rule identifies the deletion or modification of the Most Recently Used (MRU) entries stored in the Windows Registry under the key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'. Adversaries often target this key to erase evidence of commands that were executed using the Windows Run dialog, which could hinder incident response after an attack. The rule monitors changes to these registry values, particularly changes made by unusual processes or changes that deviate from standard user behavior. Anomalous deletions can signify attempts at defense evasion or cleanup actions by attackers post-exploitation.
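The logic described above can be sketched over registry telemetry as follows. This is an added example, not the rule's own query: it assumes Sysmon-style registry events (Event ID 12 and 13 with `EventType`, `Image` and `TargetObject` fields), and the sample events, the SID and the `EXPECTED_WRITERS` allowlist are constructed for illustration.

```python
import re

# Constructed Sysmon-style registry events (ID 12 = create/delete, ID 13 = value set).
# The SID, process paths and value names are invented for this example.
BASE = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer"
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": BASE + r"\RunMRU\a"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\RunMRU\a"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\Public\tool.exe",
     "TargetObject": BASE + r"\RunMRU\MRUList"},
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": BASE + r"\RunMRU"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\Public\tool.exe",
     "TargetObject": BASE + r"\Advanced\Hidden"},
]

# Matches the RunMRU key itself or one value directly under it, in any user's hive.
RUNMRU = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU(\\[^\\]+)?$",
    re.IGNORECASE)

# Assumption: explorer.exe is the only process expected to write Run-dialog history.
EXPECTED_WRITERS = {r"c:\windows\explorer.exe"}


def classify(event):
    """Return a finding label for a RunMRU deletion/modification, else None."""
    if event.get("EventID") not in (12, 13):
        return None
    if not RUNMRU.search(event.get("TargetObject", "")):
        return None
    unexpected = event.get("Image", "").lower() not in EXPECTED_WRITERS
    if event.get("EventType") in ("DeleteValue", "DeleteKey"):
        return "runmru_deleted_by_unexpected_process" if unexpected else "runmru_deleted"
    if event.get("EventType") == "SetValue" and unexpected:
        return "runmru_modified_by_unexpected_process"
    return None


def scan(events):
    """Return (index, label) for every event that produces a finding."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]


if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(index, label, SAMPLE_EVENTS[index]["Image"])
```

Deletions are reported regardless of the writing process, while value writes are reported only when the process is outside the allowlist, so routine Run-dialog use by explorer.exe stays quiet.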
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2025-11-20