Macro Enabled In A Potentially Suspicious Document
Detects registry changes to Office trust records where the path is located in a potentially suspicious location
Sigma rule (View on GitHub)
1title: Macro Enabled In A Potentially Suspicious Document
2id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
3related:
4 - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
5 type: derived
6status: test
7description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
8references:
9 - https://twitter.com/inversecos/status/1494174785621819397
10 - Internal Research
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-06-21
13modified: 2023-08-17
14tags:
15 - attack.defense-evasion
16 - attack.t1112
17logsource:
18 category: registry_set
19 product: windows
20detection:
21 selection_value:
22 TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
23 selection_paths:
24 TargetObject|contains:
25 # Note: add more locations where you don't expect a user to executed macro enabled docs
26 - '/AppData/Local/Microsoft/Windows/INetCache/'
27 - '/AppData/Local/Temp/'
28 - '/PerfLogs/'
29 - 'C:/Users/Public/'
30 - 'file:///D:/'
31 - 'file:///E:/'
32 condition: all of selection_*
33falsepositives:
34 - Unlikely
35level: high
References
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry