Detectionmediumtest

IE Change Domain Zone

Hides the file extension through modification of the registry

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sat Jan 22Updated Thu Aug 1745e112d0-7759-4c2a-aa36-9f8fb79d3393windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection_domains:
        TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    filter:
        Details:
            - DWORD (0x00000000) # My Computer
            - DWORD (0x00000001) # Local Intranet Zone
            - '(Empty)'
    condition: selection_domains and not filter

False Positives

Administrative scripts

References

Testing & Validation

Simulations

atomic-red-teamT1112

View on ART

Add Domain to Trusted Sites Zone

GUID: cf447677-5a4e-4937-a82c-e47d254afd57

Regression Tests

by SigmaHQ Team

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0003 · Persistence

Techniques

T1137 · Office Application Startup

Related Rules

DerivedDetectionlow

Modification of IE Registry Settings

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

45e112d0-7759-4c2a-aa36-9f8fb79d3393

Status

test

Level

medium

Type

Detection

Created

Sat Jan 22

Modified

Thu Aug 17

Author

François Hubaut

Path

rules/windows/registry/registry_set/registry_set_change_security_zones.yml

Raw Tags

attack.persistenceattack.t1137

View on GitHub