Detectionmediumtest
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue May 16Updated Tue Oct 07ab567429-1dfb-4674-b6d2-979fd2f9d125windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic4 selectors
detection:
selection:
TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
Details:
- 'DWORD (0x00000001)' # Home Page
- 'DWORD (0x00000002)' # Welcome To IE
filter_main_generic:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\ie4uinit.exe'
filter_optional_avira:
Image|contains|all:
- '\Temp\'
- '\.cr\avira_'
Details|contains: 'DWORD (0x00000001)'
filter_optional_foxit:
Image:
- 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
- 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
Details|contains: 'DWORD (0x00000001)'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
As this is controlled by group policy as well as user settings. Some false positives may occur.
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
ab567429-1dfb-4674-b6d2-979fd2f9d125
Status
test
Level
medium
Type
Detection
Created
Tue May 16
Modified
Tue Oct 07
Path
rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
Raw Tags
attack.defense-evasion