Potential Attachment Manager Settings Attachments Tamper

Detects tampering with attachment manager settings policies attachments (See reference for more information)

Sigma rule (View on GitHub)

 1title: Potential Attachment Manager Settings Attachments Tamper
 2id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
 3status: test
 4description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
 5references:
 6    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 7    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-08-01
10modified: 2023-08-17
11tags:
12    - attack.defense-evasion
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_main:
18        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\'
19    selection_value_hide_zone_info:
20        TargetObject|endswith: '\HideZoneInfoOnProperties'
21        Details: 'DWORD (0x00000001)' # On
22    selection_value_save_zone_info:
23        TargetObject|endswith: '\SaveZoneInformation'
24        Details: 'DWORD (0x00000002)' # Off
25    selection_value_scan_with_av:
26        TargetObject|endswith: '\ScanWithAntiVirus'
27        Details: 'DWORD (0x00000001)' # Disabled
28    condition: selection_main and 1 of selection_value_*
29falsepositives:
30    - Unlikely
31level: high

References

Related rules

to-top