Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros
Sigma rule (View on GitHub)
1title: Windows Registry Trust Record Modification
2id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
3related:
4 - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
5 type: similar
6status: test
7description: Alerts on trust record modification within the registry, indicating usage of macros
8references:
9 - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
10 - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
11 - https://twitter.com/inversecos/status/1494174785621819397
12author: Antonlovesdnb, Trent Liffick (@tliffick)
13date: 2020-02-19
14modified: 2023-06-21
15tags:
16 - attack.initial-access
17 - attack.t1566.001
18logsource:
19 category: registry_event
20 product: windows
21detection:
22 selection:
23 TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
24 condition: selection
25falsepositives:
26 - This will alert on legitimate macro usage as well, additional tuning is required
27level: medium
References
Related rules
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Disk Image Mounting Via Hdiutil - MacOS
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759