Potential Attachment Manager Settings Attachments Tamper

 1title: Potential Attachment Manager Settings Attachments Tamper
 2id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
 3status: test
 4description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
 5references:
 6    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 7    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-08-01
10modified: 2023-08-17
11tags:
12    - attack.defense-evasion
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_main:
18        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\'
19    selection_value_hide_zone_info:
20        TargetObject|endswith: '\HideZoneInfoOnProperties'
21        Details: 'DWORD (0x00000001)' # On
22    selection_value_save_zone_info:
23        TargetObject|endswith: '\SaveZoneInformation'
24        Details: 'DWORD (0x00000002)' # Off
25    selection_value_scan_with_av:
26        TargetObject|endswith: '\ScanWithAntiVirus'
27        Details: 'DWORD (0x00000001)' # Disabled
28    condition: selection_main and 1 of selection_value_*
29falsepositives:
30    - Unlikely
31level: high

References

• Information about the Attachment Manager in Microsoft Windows - Microsoft Support

  The Attachment Manager classifies files that you receive or that you download based on the file type and the file name extension. The Attachment Manager classifies files types as high risk, medium risk, and low risk.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application
• AMSI Bypass Pattern Assembly GetType
• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity