Uncommon Microsoft Office Trusted Location Added
Detects changes to the Microsoft Office "Trusted Locations" registry keys where the path is set to an uncommon location. Attackers might add additional trusted locations to avoid macro security restrictions.
Sigma rule
title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
      type: derived
status: experimental
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
    - Internal Research
    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/21
modified: 2023/09/29
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_exclude_known_paths:
        Details|contains:
            - '%APPDATA%\Microsoft\Templates'
            - '%%APPDATA%%\Microsoft\Templates'
            - '%APPDATA%\Microsoft\Word\Startup'
            - '%%APPDATA%%\Microsoft\Word\Startup'
            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office (x86)\Templates'
            - ':\Program Files\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office\Templates\'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
    - Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high
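To see how the selection and the two filter groups combine, here is an added example (not part of the rule or of the Sigma project) that re-implements the rule's condition in plain Python and runs it over a handful of constructed Sysmon-style registry_set events using the same field names the rule references (TargetObject, Details, Image). The SID, user paths and process paths in the sample events are made up for illustration; a production pipeline would compile the rule with a Sigma backend rather than hand-code it like this.

```python
"""Hand-coded evaluation of the 'Uncommon Microsoft Office Trusted Location
Added' Sigma logic against constructed registry_set events."""

# Path fragments from filter_exclude_known_paths, copied from the rule.
KNOWN_TRUSTED_PATHS = [
    "%APPDATA%\\Microsoft\\Templates",
    "%%APPDATA%%\\Microsoft\\Templates",
    "%APPDATA%\\Microsoft\\Word\\Startup",
    "%%APPDATA%%\\Microsoft\\Word\\Startup",
    ":\\Program Files (x86)\\Microsoft Office\\root\\Templates\\",
    ":\\Program Files\\Microsoft Office (x86)\\Templates",
    ":\\Program Files\\Microsoft Office\\root\\Templates\\",
    ":\\Program Files\\Microsoft Office\\Templates\\",
]

# Image fragments from filter_main_office_apps, copied from the rule.
OFFICE_APP_DIRS = [
    ":\\Program Files\\Microsoft Office\\",
    ":\\Program Files (x86)\\Microsoft Office\\",
]


def _contains_any(value: str, fragments) -> bool:
    # Sigma string modifiers match case-insensitively by default.
    lowered = value.lower()
    return any(f.lower() in lowered for f in fragments)


def selection(event: dict) -> bool:
    """selection: a write to the 'Path' value under a Trusted Locations key."""
    target = event.get("TargetObject", "").lower()
    return "security\\trusted locations\\location" in target and target.endswith("\\path")


def filter_exclude_known_paths(event: dict) -> bool:
    return _contains_any(event.get("Details", ""), KNOWN_TRUSTED_PATHS)


def filter_main_office_click_to_run(event: dict) -> bool:
    image = event.get("Image", "").lower()
    return (
        ":\\program files\\common files\\microsoft shared\\clicktorun\\" in image
        and image.endswith("\\officeclicktorun.exe")
    )


def filter_main_office_apps(event: dict) -> bool:
    return _contains_any(event.get("Image", ""), OFFICE_APP_DIRS)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*"""
    return (
        selection(event)
        and not (filter_main_office_click_to_run(event) or filter_main_office_apps(event))
        and not filter_exclude_known_paths(event)
    )


# Constructed sample key; the SID is a placeholder, not a real account.
TRUSTED_LOC_KEY = (
    "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft"
    "\\Office\\16.0\\Word\\Security\\Trusted Locations\\Location9"
)

SAMPLE_EVENTS = [
    {   # 1: uncommon path written by a non-Office process -> alerts
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": TRUSTED_LOC_KEY + "\\Path",
        "Details": "C:\\Users\\Public\\Downloads\\",
    },
    {   # 2: same key, but the path is on the known-good list -> filtered
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": TRUSTED_LOC_KEY + "\\Path",
        "Details": "%APPDATA%\\Microsoft\\Templates",
    },
    {   # 3: uncommon path, but written by Word itself -> filtered
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetObject": TRUSTED_LOC_KEY + "\\Path",
        "Details": "C:\\Users\\Public\\Downloads\\",
    },
    {   # 4: a sibling value under the same key, not 'Path' -> not selected
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": TRUSTED_LOC_KEY + "\\AllowSubfolders",
        "Details": "DWORD (0x00000001)",
    },
    {   # 5: written by Click-to-Run servicing -> filtered
        "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
        "TargetObject": TRUSTED_LOC_KEY + "\\Path",
        "Details": "C:\\Users\\Public\\Downloads\\",
    },
]


def evaluate(events) -> list:
    """Return the 1-based indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events, start=1) if rule_matches(ev)]


if __name__ == "__main__":
    print("alerting events:", evaluate(SAMPLE_EVENTS))  # [1]
```

Only event 1 survives both filter groups. Events 3 and 5 show the trade-off the rule makes: a trusted location added by an Office binary or by Click-to-Run is suppressed regardless of the path, so the rule targets out-of-process registry edits (scripts, reg.exe, installers) rather than changes made through Office's own Trust Center. The falsepositives entry is visible in event 1 as well: any organisation-specific template share that is not in the exclusion list will alert until it is added there.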
Related rules
- New BgInfo.EXE Custom DB Path Registry Configuration
- New BgInfo.EXE Custom VBScript Registry Configuration
- New BgInfo.EXE Custom WMI Query Registry Configuration
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry