Threat Huntmediumtest
Microsoft Office Trusted Location Updated
Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Jun 21Updated Thu Aug 17a0bed973-45fa-4625-adb5-6ecdf9be70acwindows
Hunting Hypothesis
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic3 selectors
detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_*False Positives
During office installations or setup, trusted locations are added, which will trigger this rule.
References
MITRE ATT&CK
Techniques
Other
detection.threat-hunting
Rule Metadata
Rule ID
a0bed973-45fa-4625-adb5-6ecdf9be70ac
Status
test
Level
medium
Type
Threat Hunt
Created
Wed Jun 21
Modified
Thu Aug 17
Path
rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.t1112detection.threat-hunting