IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

calendar Sep 7, 2023 · attack.execution attack.defense_evasion  ·
Share on: linkedin copy

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Sigma rule (View on GitHub)

 1title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
 2id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
 3related:
 4    - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
 5      type: similar
 6status: experimental
 7description: |
 8        Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
 9references:
10    - https://twitter.com/M_haggis/status/1699056847154725107
11    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
12    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
13    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023/09/05
16tags:
17    - attack.execution
18    - attack.defense_evasion
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        CommandLine|contains|all:
25            - '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
26            - 'http'
27            - ' 0'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top