From a94928e2c4921e580fa000389ea46f44793a8d9b Mon Sep 17 00:00:00 2001
From: swachchhanda000 <swachchhandashrawan@gmail.com>
Date: Mon, 7 Jul 2025 18:40:24 +0545
Subject: [PATCH 1/4] feat: Add RunMRU annd TypedPaths Registry to detect
 potential clickfix and filefix attacks

---
 sysmonconfig-export-block.xml | 3 +++
 sysmonconfig-export.xml       | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index f36f5080..75ad3ec2 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -799,6 +799,9 @@
 			<TargetObject condition="contains">Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">WOW6432Node\Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
+            <!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
+            <TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
+            <TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e804b8ab..8ee7229a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -842,6 +842,9 @@
 			<TargetObject condition="contains">Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">WOW6432Node\Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
+            <!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
+            <TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
+            <TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 

From 00e6db94827d38e0b349da08cfd74e2d4bde8939 Mon Sep 17 00:00:00 2001
From: swachchhanda000 <swachchhandashrawan@gmail.com>
Date: Mon, 7 Jul 2025 18:47:09 +0545
Subject: [PATCH 2/4] fix: indentation

---
 sysmonconfig-export-block.xml | 6 +++---
 sysmonconfig-export.xml       | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 75ad3ec2..d9a3ba55 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -799,9 +799,9 @@
 			<TargetObject condition="contains">Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">WOW6432Node\Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
-            <!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
-            <TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
-            <TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
+			<!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 8ee7229a..9761e486 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -843,8 +843,8 @@
 			<TargetObject condition="contains">WOW6432Node\Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
             <!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
-            <TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
-            <TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
+			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 

From 547aad7f76779512f815b9318bf2c1b64a653093 Mon Sep 17 00:00:00 2001
From: swachchhanda000 <swachchhandashrawan@gmail.com>
Date: Mon, 7 Jul 2025 18:48:52 +0545
Subject: [PATCH 3/4] fix: casing

---
 sysmonconfig-export-block.xml | 2 +-
 sysmonconfig-export.xml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index d9a3ba55..6cb85043 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -801,7 +801,7 @@
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
 			<!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 9761e486..de219323 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -844,7 +844,7 @@
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
             <!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
-			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
+			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 		</RegistryEvent>
 	</RuleGroup>
 

From 467b9f98120fe6ebd4066df7d5dda586b94c8136 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel
 <87493836+swachchhanda000@users.noreply.github.com>
Date: Mon, 7 Jul 2025 18:59:49 +0545
Subject: [PATCH 4/4] Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 sysmonconfig-export-block.xml | 2 +-
 sysmonconfig-export.xml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 6cb85043..8de5eb26 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -799,7 +799,7 @@
 			<TargetObject condition="contains">Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">WOW6432Node\Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
-			<!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
+			<!--RunMRU and TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 		</RegistryEvent>
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index de219323..233d10e5 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -842,7 +842,7 @@
 			<TargetObject condition="contains">Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">WOW6432Node\Microsoft\Cryptography\Providers\Trust\</TargetObject> <!-- Important trust registry values to monitor -->
 			<TargetObject condition="contains">Control\Print\Environments\Windows x64\Drivers</TargetObject> <!-- PrinterNightmare coverage -->
-            <!--RunMRU annd TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
+            <!--RunMRU and TypedPaths monitoring to detect potential clickfixing and filefixing attacks-->
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject>
 			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\</TargetObject>
 		</RegistryEvent>