Detectionhightest
Microsoft Office Protected View Disabled
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Tue Jun 08Updated Thu Aug 17a5c7a43f-6009-4a8c-80c5-32abf1c53eccwindows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic3 selectors
detection:
selection_path:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Office\'
- '\Security\ProtectedView\'
selection_values_1:
Details: 'DWORD (0x00000001)'
TargetObject|endswith:
- '\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook
- '\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone
- '\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths
- '\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations
selection_values_0:
Details: 'DWORD (0x00000000)'
TargetObject|endswith:
- '\enabledatabasefileprotectedview'
- '\enableforeigntextfileprotectedview'
condition: selection_path and 1 of selection_values_*False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Tactics
Sub-techniques
Related Rules
Similar
Rule not found7c637634-c95d-4bbf-b26c-a82510874b34
Rule Metadata
Rule ID
a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
Status
test
Level
high
Type
Detection
Created
Tue Jun 08
Modified
Thu Aug 17
Path
rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
Raw Tags
attack.defense-evasionattack.t1562.001