Uncommon Microsoft Office Trusted Location Added

calendar Sep 29, 2023 · attack.defense_evasion attack.t1112  ·
Share on: linkedin copy

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.

Sigma rule (View on GitHub)

 1title: Uncommon Microsoft Office Trusted Location Added
 2id: f742bde7-9528-42e5-bd82-84f51a8387d2
 3related:
 4    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
 5      type: derived
 6status: experimental
 7description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
 8references:
 9    - Internal Research
10    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023/06/21
13modified: 2023/09/29
14tags:
15    - attack.defense_evasion
16    - attack.t1112
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|contains: 'Security\Trusted Locations\Location'
23        TargetObject|endswith: '\Path'
24    filter_exclude_known_paths:
25        Details|contains:
26            - '%APPDATA%\Microsoft\Templates'
27            - '%%APPDATA%%\Microsoft\Templates'
28            - '%APPDATA%\Microsoft\Word\Startup'
29            - '%%APPDATA%%\Microsoft\Word\Startup'
30            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
31            - ':\Program Files\Microsoft Office (x86)\Templates'
32            - ':\Program Files\Microsoft Office\root\Templates\'
33            - ':\Program Files\Microsoft Office\Templates\'
34    filter_main_office_click_to_run:
35        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
36        Image|endswith: '\OfficeClickToRun.exe'
37    filter_main_office_apps:
38        Image|contains:
39            - ':\Program Files\Microsoft Office\'
40            - ':\Program Files (x86)\Microsoft Office\'
41    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
42falsepositives:
43    - Other unknown legitimate or custom paths need to be filtered to avoid false positives
44level: high

References

  • Internal Research


    Read More

  • Trusted Location #1

    This policy setting allows you to specify a folder as a trusted location from which to open 2016 Word, Excel, PowerPoint, Access and Visio files. Files in trusted locations bypass file validation, active content checks and Protected View. Macros and code in these files will execute without displaying warnings to the user. If you change or add a location make sure that the new location is secured, with only appropriate user permissions to add document/files.


    Read More

Related rules

to-top