Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros
Sigma rule (View on GitHub)
1title: Windows Registry Trust Record Modification
2id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
3related:
4 - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
5 type: similar
6status: test
7description: Alerts on trust record modification within the registry, indicating usage of macros
8references:
9 - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
10 - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
11 - https://twitter.com/inversecos/status/1494174785621819397
12author: Antonlovesdnb, Trent Liffick (@tliffick)
13date: 2020/02/19
14modified: 2023/06/21
15tags:
16 - attack.initial_access
17 - attack.t1566.001
18logsource:
19 category: registry_event
20 product: windows
21detection:
22 selection:
23 TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
24 condition: selection
25falsepositives:
26 - This will alert on legitimate macro usage as well, additional tuning is required
27level: medium
References
-
In many of our red teaming and incident response engagements, we encounter the abuse of MS Office macros as a vector to drop a remote access trojan and thereby gain initial foothold. From many disc...
Read More -
There is a registry key that keeps track of which documents a user has enabled editing and macros for from untrusted locations. This ha...
Read More -
Related rules
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Suspicious Double Extension File Execution