sigma, DRL-1.1, from SigmaHQ/sigma

Modification of IE Registry Settings

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the Trusted Sites zone or insert JavaScript for persistence.

Rule source: rules/windows/registry/registry_set/registry_set_persistence_ie.yml
title: Modification of IE Registry Settings
id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
status: test
description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
author: frack113
date: 2022-01-22
modified: 2025-10-22
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_domains:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    filter_main_dword:
        Details|startswith: 'DWORD'
    filter_main_null:
        Details: null
    filter_main_office:
        Details:
            - 'Cookie:'
            - 'Visited:'
            - '(Empty)'
    filter_main_path:
        TargetObject|contains:
            - '\Cache'
            - '\ZoneMap'
            - '\WpadDecision'
    filter_main_binary:
        Details: 'Binary Data'
    filter_optional_accepted_documents:
        # Spotted during Office installations
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents'
    condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: low
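
The rule's condition can be checked against sample events before deployment. The following is an added example, not part of the rule or of the SigmaHQ project: a small Python evaluator that mirrors the selection and filters above and reports which filter suppresses each event. The function names, the SID, and all sample value names and data are constructed for illustration.

```python
# Added example: the rule's condition evaluated over constructed events.
# Sigma string matching is case-insensitive by default, hence lower().
PREFIX = r'\software\microsoft\windows\currentversion\internet settings'

def _field(event, name):
    value = event.get(name)
    return None if value is None else str(value).lower()

def first_filter(event):
    """Name of the first filter_* block that matches, or None."""
    target = _field(event, 'TargetObject') or ''
    details = _field(event, 'Details')
    if details is None:
        return 'filter_main_null'
    if details.startswith('dword'):
        return 'filter_main_dword'
    if details in ('cookie:', 'visited:', '(empty)'):
        return 'filter_main_office'
    if details == 'binary data':
        return 'filter_main_binary'
    if any(p in target for p in (r'\cache', r'\zonemap', r'\wpaddecision')):
        return 'filter_main_path'
    if PREFIX + r'\accepted documents' in target:
        return 'filter_optional_accepted_documents'
    return None

def evaluate(event):
    """Return (alert, reason) for one registry_set event."""
    if PREFIX not in (_field(event, 'TargetObject') or ''):
        return False, 'selection_domains not matched'
    hit = first_filter(event)
    return hit is None, hit or 'selection_domains'

# Constructed sample events (SID, value names and data are made up).
BASE = (r'HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows'
        r'\CurrentVersion\Internet Settings')
SAMPLES = [
    {'TargetObject': BASE + r'\ExampleValue', 'Details': 'example string'},
    {'TargetObject': BASE + r'\ExampleFlag', 'Details': 'DWORD (0x00000001)'},
    {'TargetObject': BASE + r'\ZoneMap\Domains\example.test\note', 'Details': 'text'},
    {'TargetObject': BASE + r'\5.0\Cache\Content\CachePrefix', 'Details': 'Visited:'},
    {'TargetObject': BASE + r'\Accepted Documents\1', 'Details': 'text'},
    {'TargetObject': BASE + r'\ExampleUnset'},
    {'TargetObject': r'HKLM\Software\Example\Setting', 'Details': 'text'},
]

if __name__ == '__main__':
    for ev in SAMPLES:
        print(evaluate(ev), ev['TargetObject'].rsplit('\\', 1)[-1])
```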