sigmaDRL-1.1from SigmaHQ/sigma
Modification of IE Registry Settings
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
Quality
52
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/registry/registry_set/registry_set_persistence_ie.yml
title: Modification of IE Registry Settings
id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
status: test
description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
author: frack113
date: 2022-01-22
modified: 2025-10-22
tags:
- attack.persistence
- attack.defense-evasion
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_domains:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
filter_main_dword:
Details|startswith: 'DWORD'
filter_main_null:
Details: null
filter_main_office:
Details:
- 'Cookie:'
- 'Visited:'
- '(Empty)'
filter_main_path:
TargetObject|contains:
- '\Cache'
- '\ZoneMap'
- '\WpadDecision'
filter_main_binary:
Details: 'Binary Data'
filter_optional_accepted_documents:
# Spotted during Office installations
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents'
condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: low