Detectionmediumtest

Windows Registry Trust Record Modification

Alerts on trust record modification within the registry, indicating usage of macros

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Antonlovesdnb, Trent LiffickCreated Wed Feb 19Updated Wed Jun 21295a59c1-7b79-4b47-a930-df12c15fc9c2windows

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    condition: selection

False Positives

This will alert on legitimate macro usage as well, additional tuning is required

References

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Sub-techniques

T1566.001 · Spearphishing Attachment

Related Rules

SimilarDetectionhigh

Macro Enabled In A Potentially Suspicious Document

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

295a59c1-7b79-4b47-a930-df12c15fc9c2

Status

test

Level

medium

Type

Detection

Created

Wed Feb 19

Modified

Wed Jun 21

Author

Antonlovesdnb, Trent Liffick

Path

rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml

Raw Tags

attack.initial-accessattack.t1566.001

View on GitHub