Potential Attachment Manager Settings Associations Tamper

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

Sigma rule (View on GitHub)

 1title: Potential Attachment Manager Settings Associations Tamper
 2id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
 3status: test
 4description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
 5references:
 6    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 7    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-08-01
10modified: 2023-08-17
11tags:
12    - attack.defense-evasion
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_main:
18        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
19    selection_value_default_file_type_rsik:
20        TargetObject|endswith: '\DefaultFileTypeRisk'
21        Details: 'DWORD (0x00006152)'
22    selection_value_low_risk_filetypes:
23        TargetObject|endswith: '\LowRiskFileTypes'
24        Details|contains: # Add more as you see fit
25            - '.zip;'
26            - '.rar;'
27            - '.exe;'
28            - '.bat;'
29            - '.com;'
30            - '.cmd;'
31            - '.reg;'
32            - '.msi;'
33            - '.htm;'
34            - '.html;'
35    condition: selection_main and 1 of selection_value_*
36falsepositives:
37    - Unlikely
38level: high

References

Related rules

to-top