IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

calendar Aug 12, 2024 · attack.execution attack.defense-evasion  ·
Share on: linkedin copy

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Sigma rule (View on GitHub)

 1title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
 2id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
 3related:
 4    - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
 5      type: similar
 6status: test
 7description: |
 8        Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
 9references:
10    - https://twitter.com/M_haggis/status/1699056847154725107
11    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
12    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
13    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023-09-05
16tags:
17    - attack.execution
18    - attack.defense-evasion
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        CommandLine|contains|all:
25            - '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
26            - 'http'
27            - ' 0'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

  • IE security zones registry entries for advanced users - Browsers

    Describes how and where Internet Explorer security zones and privacy settings are stored and managed in the registry.


    Read More

  • VirusTotal

    VirusTotal


    Read More

Related rules

to-top