Potential Attachment Manager Settings Attachments Tamper

Detects tampering with Attachment Manager settings through the Policies\Attachments registry key: hiding zone information on file properties, disabling the saving of zone information, or disabling antivirus scanning of attachments (see the references listed in the rule for more information).

Sigma rule

title: Potential Attachment Manager Settings Attachments Tamper
id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
status: experimental
description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
references:
    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/01
modified: 2023/08/17
tags:
    - attack.defense_evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\'
    selection_value_hide_zone_info:
        TargetObject|endswith: '\HideZoneInfoOnProperties'
        Details: 'DWORD (0x00000001)' # On
    selection_value_save_zone_info:
        TargetObject|endswith: '\SaveZoneInformation'
        Details: 'DWORD (0x00000002)' # Off
    selection_value_scan_with_av:
        TargetObject|endswith: '\ScanWithAntiVirus'
        Details: 'DWORD (0x00000001)' # Disabled
    condition: selection_main and 1 of selection_value_*
falsepositives:
    - Unlikely
level: high
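As an added illustration of how this rule's `condition: selection_main and 1 of selection_value_*` evaluates, here is a small Python matcher that applies the same selections to registry value-set events. This is example code written for this page, not part of the Sigma rule or any Sigma backend. It assumes events carry `TargetObject` and `Details` fields in the layout Sysmon Event ID 13 (SetValue) produces, which is what the `registry_set` log source maps to, and the sample events are constructed for the demonstration.

```python
# Example matcher for the rule above (added here; not the rule's own code).
# Field names follow the Sysmon Event ID 13 schema: TargetObject is the full
# registry path of the value, Details is the data rendered as "DWORD (0x...)".

# selection_main: the path must contain the Attachments policy key.
# A plain string is used because a raw string cannot end in a backslash.
POLICY_PATH_FRAGMENT = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\"

# selection_value_*: (value-name suffix, data the rule treats as tampering).
VALUE_SELECTIONS = {
    "hide_zone_info": ("\\HideZoneInfoOnProperties", "DWORD (0x00000001)"),  # On
    "save_zone_info": ("\\SaveZoneInformation", "DWORD (0x00000002)"),       # Off
    "scan_with_av": ("\\ScanWithAntiVirus", "DWORD (0x00000001)"),           # Disabled
}


def matches(event):
    """Return the name of the first matching selection_value_* block, or None.

    Mirrors the Sigma condition: selection_main must hold, and at least one
    of the value selections must hold. Sigma string modifiers match
    case-insensitively, so both sides are lower-cased before comparing.
    """
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if POLICY_PATH_FRAGMENT.lower() not in target:
        return None
    for name, (suffix, data) in VALUE_SELECTIONS.items():
        if target.endswith(suffix.lower()) and details == data.lower():
            return name
    return None


def scan(events):
    """Run the rule over a list of events; return (index, selection) hits."""
    return [(i, m) for i, e in enumerate(events) if (m := matches(e))]


# Constructed sample events (hypothetical SIDs and values, not real telemetry).
SAMPLE_EVENTS = [
    {  # SaveZoneInformation set to 2 (Off): matches selection_value_save_zone_info
        "EventType": "SetValue",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows"
                        "\\CurrentVersion\\Policies\\Attachments\\SaveZoneInformation",
        "Details": "DWORD (0x00000002)",
    },
    {  # Lower-case path still matches (case-insensitive Sigma matching)
        "EventType": "SetValue",
        "TargetObject": "hklm\\software\\microsoft\\windows\\currentversion"
                        "\\policies\\attachments\\hidezoneinfoonproperties",
        "Details": "DWORD (0x00000001)",
    },
    {  # ScanWithAntiVirus set to 1 (Disabled)
        "EventType": "SetValue",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows"
                        "\\CurrentVersion\\Policies\\Attachments\\ScanWithAntiVirus",
        "Details": "DWORD (0x00000001)",
    },
    {  # SaveZoneInformation set to 1: right key, but not the value the rule flags
        "EventType": "SetValue",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows"
                        "\\CurrentVersion\\Policies\\Attachments\\SaveZoneInformation",
        "Details": "DWORD (0x00000001)",
    },
    {  # Unrelated policy key: selection_main fails
        "EventType": "SetValue",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                        "\\Policies\\Explorer\\NoDriveTypeAutoRun",
        "Details": "DWORD (0x00000091)",
    },
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Events 3 and 4 are included deliberately: they show that the rule does not fire on a value set back to its secure state or on a write to a neighbouring policy key, which is why the rule can carry `falsepositives: Unlikely` despite keying on a fairly generic registry path.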
