Macro Enabled In A Potentially Suspicious Document

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Sigma rule (View on GitHub)

 1title: Macro Enabled In A Potentially Suspicious Document
 2id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
 3related:
 4    - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
 5      type: derived
 6status: test
 7description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
 8references:
 9    - https://twitter.com/inversecos/status/1494174785621819397
10    - Internal Research
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-06-21
13modified: 2023-08-17
14tags:
15    - attack.defense-evasion
16    - attack.t1112
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection_value:
22        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
23    selection_paths:
24        TargetObject|contains:
25            # Note: add more locations where you don't expect a user to executed macro enabled docs
26            - '/AppData/Local/Microsoft/Windows/INetCache/'
27            - '/AppData/Local/Temp/'
28            - '/PerfLogs/'
29            - 'C:/Users/Public/'
30            - 'file:///D:/'
31            - 'file:///E:/'
32    condition: all of selection_*
33falsepositives:
34    - Unlikely
35level: high

References

Related rules

to-top