Potential Attachment Manager Settings Associations Tamper
Detects tampering with the Attachment Manager settings under the Policies\Associations registry key that lower the default file type risk or extend the list of low-risk file types (see the reference for more information).
Sigma rule
```yaml
title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: experimental
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/01
modified: 2023/08/17
tags:
    - attack.defense_evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
    selection_value_default_file_type_risk:
        TargetObject|endswith: '\DefaultFileTypeRisk'
        Details: 'DWORD (0x00006152)'
    selection_value_low_risk_filetypes:
        TargetObject|endswith: '\LowRiskFileTypes'
        Details|contains: # Add more as you see fit
            - '.zip;'
            - '.rar;'
            - '.exe;'
            - '.bat;'
            - '.com;'
            - '.cmd;'
            - '.reg;'
            - '.msi;'
            - '.htm;'
            - '.html;'
    condition: selection_main and 1 of selection_value_*
falsepositives:
    - Unlikely
level: high
```
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Bypass UAC Using DelegateExecute