← Library
sigmaDRL-1.1from SigmaHQ/sigma

Macro Enabled In A Potentially Suspicious Document

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Quality
84
FP risk
Forks
0
Views
0
ATT&CK techniques
T1112
Rule sourcerules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
title: Macro Enabled In A Potentially Suspicious Document
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
related:
    - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
      type: derived
status: test
description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_value:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    selection_paths:
        TargetObject|contains:
            # Note: add more locations where you don't expect a user to executed macro enabled docs
            - '/AppData/Local/Microsoft/Windows/INetCache/'
            - '/AppData/Local/Temp/'
            - '/PerfLogs/'
            - 'C:/Users/Public/'
            - 'file:///D:/'
            - 'file:///E:/'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high