Potential Attachment Manager Settings Associations Tamper
Detects tampering with the Attachment Manager policy settings under the Policies\Associations registry key, either by setting DefaultFileTypeRisk to the Low level or by listing executable, script, archive or HTML extensions in LowRiskFileTypes. Both changes lower the risk rating the Attachment Manager assigns to downloaded files and weaken its prompts and blocks (see the Microsoft reference for details).
Sigma rule
title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: test
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
    selection_value_default_file_type_risk:
        TargetObject|endswith: '\DefaultFileTypeRisk'
        Details: 'DWORD (0x00006152)' # 0x6152 = Low; 0x6150 = High, 0x6151 = Moderate
    selection_value_low_risk_filetypes:
        TargetObject|endswith: '\LowRiskFileTypes'
        Details|contains: # Add more as you see fit
            - '.zip;'
            - '.rar;'
            - '.exe;'
            - '.bat;'
            - '.com;'
            - '.cmd;'
            - '.reg;'
            - '.msi;'
            - '.htm;'
            - '.html;'
    condition: selection_main and 1 of selection_value_*
falsepositives:
    - Unlikely
level: high
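To show what the rule actually matches on, the following is an added example (not part of the Sigma rule or of SigmaHQ) that replays the rule's logic in Python over constructed Sysmon Event ID 13 (registry value set) records. The field names (Image, TargetObject, Details), the `DWORD (0x........)` rendering of REG_DWORD data, and the `HKU\<SID>` hive prefix follow Sysmon's output format; the sample events are constructed, not real telemetry. The mapping of 0x6150/0x6151/0x6152 to High/Moderate/Low is taken from the Microsoft reference above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry path the rule scopes on (selection_main). Sysmon prefixes the hive
# as HKLM\ or HKU\<SID>\, so the rule deliberately checks only the sub-path.
ASSOC_PATH = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\"

# Sysmon renders REG_DWORD data as "DWORD (0x%08X)". Attachment Manager risk
# levels per the Microsoft reference: 0x6150 High, 0x6151 Moderate, 0x6152 Low.
RISK_LEVELS = {0x6150: "High", 0x6151: "Moderate", 0x6152: "Low"}
LOW_RISK_DWORD = "DWORD (0x00006152)"

# Extensions the rule looks for inside LowRiskFileTypes.
WATCHED_EXTENSIONS = (".zip;", ".rar;", ".exe;", ".bat;", ".com;",
                      ".cmd;", ".reg;", ".msi;", ".htm;", ".html;")


@dataclass
class RegistrySetEvent:
    """The Sysmon Event ID 13 fields this rule needs (Image is informational)."""
    image: str
    target_object: str
    details: str


def dword_value(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x........)' rendering; None for non-DWORD data."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def matches(ev: RegistrySetEvent) -> Optional[str]:
    """Apply the rule to one event and return the matching value selection.

    Sigma's contains/endswith/equality modifiers are case-insensitive, so all
    comparisons are done lower-cased. The condition is
    selection_main AND one of selection_value_*, so the path check comes first.
    """
    target = ev.target_object.lower()
    details = ev.details.lower()
    if ASSOC_PATH.lower() not in target:          # selection_main
        return None
    if target.endswith("\\defaultfiletyperisk") and details == LOW_RISK_DWORD.lower():
        return "selection_value_default_file_type_risk"
    if target.endswith("\\lowriskfiletypes") and any(ext in details for ext in WATCHED_EXTENSIONS):
        return "selection_value_low_risk_filetypes"
    return None


def run_rule(events: List[RegistrySetEvent]) -> List[Tuple[int, str]]:
    """Return (event index, selection name) for every event the rule alerts on."""
    hits = []
    for i, ev in enumerate(events):
        sel = matches(ev)
        if sel:
            hits.append((i, sel))
    return hits


# Constructed sample events (hypothetical SID and image paths, not real logs).
USER_HIVE = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Per-user policy set to Low -> hit on the DefaultFileTypeRisk selection
    RegistrySetEvent("C:\\Windows\\System32\\reg.exe",
                     USER_HIVE + ASSOC_PATH + "DefaultFileTypeRisk",
                     "DWORD (0x00006152)"),
    # Machine-wide policy declaring executables low risk -> hit on LowRiskFileTypes
    RegistrySetEvent("C:\\Users\\user\\AppData\\Local\\Temp\\update.exe",
                     "HKLM" + ASSOC_PATH + "LowRiskFileTypes",
                     ".exe;.bat;.cmd;.zip;"),
    # Same value set to High (0x6150) -> not a match
    RegistrySetEvent("C:\\Windows\\System32\\reg.exe",
                     USER_HIVE + ASSOC_PATH + "DefaultFileTypeRisk",
                     "DWORD (0x00006150)"),
    # Benign extensions marked low risk -> not in the rule's list
    RegistrySetEvent("C:\\Windows\\System32\\reg.exe",
                     "HKLM" + ASSOC_PATH + "LowRiskFileTypes",
                     ".txt;.jpg;"),
    # Related Attachment Manager value under Policies\Attachments -> out of scope
    RegistrySetEvent("C:\\Windows\\System32\\reg.exe",
                     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\SaveZoneInformation",
                     "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for idx, sel in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        level = RISK_LEVELS.get(dword_value(ev.details) or -1, "n/a")
        print(f"ALERT [{sel}] {ev.image} -> {ev.target_object} = {ev.details} (risk level: {level})")
```

Two practical points when deploying the rule: Sysmon only emits Event ID 13 for registry paths included in its configuration, so the Policies\Associations key (under both HKLM and the per-user hives, which Sysmon logs as HKU\<SID>) must be covered by a registry rule or the Sigma rule will never see data; and the Details match for LowRiskFileTypes depends on the trailing semicolon, so an attacker writing a single extension without a terminating `;` would not trigger the second selection as written.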
References
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465