Macro Enabled In A Potentially Suspicious Document
Detects registry changes to Office trust records where the path is located in a potentially suspicious location
Sigma rule (View on GitHub)
1title: Macro Enabled In A Potentially Suspicious Document
2id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
3related:
4 - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
5 type: derived
6status: test
7description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
8references:
9 - https://twitter.com/inversecos/status/1494174785621819397
10 - Internal Research
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-06-21
13modified: 2023-08-17
14tags:
15 - attack.persistence
16 - attack.defense-evasion
17 - attack.t1112
18logsource:
19 category: registry_set
20 product: windows
21detection:
22 selection_value:
23 TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
24 selection_paths:
25 TargetObject|contains:
26 # Note: add more locations where you don't expect a user to executed macro enabled docs
27 - '/AppData/Local/Microsoft/Windows/INetCache/'
28 - '/AppData/Local/Temp/'
29 - '/PerfLogs/'
30 - 'C:/Users/Public/'
31 - 'file:///D:/'
32 - 'file:///E:/'
33 condition: all of selection_*
34falsepositives:
35 - Unlikely
36level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Blackbyte Ransomware Registry
- Blue Mockingbird
- Change User Account Associated with the FAX Service