Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
Sigma rule

title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
      type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
    - Internal Research
    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_exclude_known_paths:
        Details|contains:
            - '%APPDATA%\Microsoft\Templates'
            - '%%APPDATA%%\Microsoft\Templates'
            - '%APPDATA%\Microsoft\Word\Startup'
            - '%%APPDATA%%\Microsoft\Word\Startup'
            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office (x86)\Templates'
            - ':\Program Files\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office\Templates\'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
    - Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high
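To see how the selection, the two filter groups and the condition interact, the following Python (an added example, not code from the Sigma project) replays the rule's logic over a handful of constructed registry_set events. The field names follow Sysmon Event ID 13 (TargetObject, Details, Image); the SID, value names and sample paths are made up for the demonstration.

```python
# Added example (not the Sigma project's code): evaluates this rule's selection,
# filters and condition over constructed Sysmon Event ID 13 style events.
KNOWN_PATHS = [  # filter_exclude_known_paths
    "%APPDATA%\\Microsoft\\Templates",
    "%%APPDATA%%\\Microsoft\\Templates",
    "%APPDATA%\\Microsoft\\Word\\Startup",
    "%%APPDATA%%\\Microsoft\\Word\\Startup",
    ":\\Program Files (x86)\\Microsoft Office\\root\\Templates\\",
    ":\\Program Files\\Microsoft Office (x86)\\Templates",
    ":\\Program Files\\Microsoft Office\\root\\Templates\\",
    ":\\Program Files\\Microsoft Office\\Templates\\",
]
OFFICE_IMAGE_DIRS = [":\\Program Files\\Microsoft Office\\",  # filter_main_office_apps
                     ":\\Program Files (x86)\\Microsoft Office\\"]
C2R_DIR = ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"

def matches_rule(event: dict) -> bool:
    """Sigma string modifiers are case-insensitive, so compare lowercased."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    image = event.get("Image", "").lower()
    selection = "security\\trusted locations\\location" in target and target.endswith("\\path")
    if not selection:
        return False
    known_path = any(p.lower() in details for p in KNOWN_PATHS)
    click_to_run = C2R_DIR.lower() in image and image.endswith("\\officeclicktorun.exe")
    office_app = any(d.lower() in image for d in OFFICE_IMAGE_DIRS)
    # condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
    return not (click_to_run or office_app) and not known_path

# Constructed sample events; the SID, value names and paths are made up.
KEY = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations\\"
SAMPLE_EVENTS = [
    # regedit adds a trusted location under Public\Downloads: alerts
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": KEY + "Location99\\Path",
     "Details": "C:\\Users\\Public\\Downloads\\"},
    # WINWORD.EXE writing the default templates path: both filters suppress it
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetObject": KEY + "Location1\\Path", "Details": "%APPDATA%\\Microsoft\\Templates"},
    # unknown writer but a known path: filter_exclude_known_paths suppresses it
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": KEY + "Location2\\Path",
     "Details": "%APPDATA%\\Microsoft\\Word\\Startup"},
    # same key but a different value name: selection does not fire
    {"Image": "C:\\Windows\\regedit.exe", "TargetObject": KEY + "Location99\\Description",
     "Details": "Downloads"},
]

def alerting_details(events: list) -> list:
    """Return the Details (new trusted path) of every event the rule would flag."""
    return [e["Details"] for e in events if matches_rule(e)]
```

Note that only the first event survives: the write from WINWORD.EXE is dropped by filter_main_office_apps even though its path would also be excluded, and the regedit write of a known path is dropped by filter_exclude_known_paths alone, which is why unknown legitimate paths in an environment must be added to that list to keep the rule quiet.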