Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Macro Enabled In A Potentially Suspicious Document

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Jun 21Updated Thu Aug 17a166f74e-bf44-409d-b9ba-ea4b2dd8b3cdwindows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic2 selectors
detection:
    selection_value:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    selection_paths:
        TargetObject|contains:
            # Note: add more locations where you don't expect a user to executed macro enabled docs
            - '/AppData/Local/Microsoft/Windows/INetCache/'
            - '/AppData/Local/Temp/'
            - '/PerfLogs/'
            - 'C:/Users/Public/'
            - 'file:///D:/'
            - 'file:///E:/'
    condition: all of selection_*
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
twitter.com
2
Resolving title…
Internal Research
MITRE ATT&CK
Related Rules
DerivedDetectionmedium

Windows Registry Trust Record Modification

Alerts on trust record modification within the registry, indicating usage of macros

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
Status
test
Level
high
Type
Detection
Created
Wed Jun 21
Modified
Thu Aug 17
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
Raw Tags
attack.persistenceattack.defense-evasionattack.t1112
View on GitHub