Modification of IE Registry Settings

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence

Sigma rule (View on GitHub)

 1title: Modification of IE Registry Settings
 2id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
 3status: test
 4description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
 8author: frack113
 9date: 2022/01/22
10modified: 2023/08/17
11tags:
12    - attack.defense_evasion
13    - attack.t1112
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection_domains:
19        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
20    filter_dword:
21        Details|startswith: 'DWORD'
22    filter_office:
23        Details:
24            - 'Cookie:'
25            - 'Visited:'
26            - '(Empty)'
27    filter_path:
28        TargetObject|contains:
29            - '\Cache'
30            - '\ZoneMap'
31            - '\WpadDecision'
32    filter_binary:
33        Details: 'Binary Data'
34    filter_accepted_documents:
35        # Spotted during office installations
36        TargetObject|contains: '\Accepted Documents\'
37    condition: selection_domains and not 1 of filter_*
38falsepositives:
39    - Unknown
40level: low

References

Related rules

to-top