Type: Detection | Level: low | Status: test

Modification of IE Registry Settings

Detects modification of the registry settings used by Internet Explorer and other Windows components that share these settings. An attacker can abuse this registry key to add a domain to the Trusted Sites zone or insert JavaScript for persistence.

Author: François Hubaut | Created: Sat Jan 22 | Updated: Wed Oct 22 | Rule ID: d88d0ab2-e696-4d40-a2ed-9790064e66b3 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (7 selectors)
detection:
    selection_domains:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    filter_main_dword:
        Details|startswith: 'DWORD'
    filter_main_null:
        Details: null
    filter_main_office:
        Details:
            - 'Cookie:'
            - 'Visited:'
            - '(Empty)'
    filter_main_path:
        TargetObject|contains:
            - '\Cache'
            - '\ZoneMap'
            - '\WpadDecision'
    filter_main_binary:
        Details: 'Binary Data'
    filter_optional_accepted_documents:
        # Spotted during Office installations
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents'
    condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*
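As an added example (not code from the rule or from this page), the Python below re-implements the selection and filter logic above and runs it over constructed Sysmon Event ID 13 (registry_set) records; the SID, value names and data are illustrative assumptions.

```python
# Added example, not code from the Sigma rule or the Phoenix Studio page: a
# Python re-implementation of this rule's matching logic run over constructed
# Sysmon Event ID 13 (registry_set) records. Sigma string modifiers are
# case-insensitive, so every comparison lowercases both sides.
INTERNET_SETTINGS = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

def selection_domains(ev):
    return INTERNET_SETTINGS.lower() in (ev.get("TargetObject") or "").lower()

def filter_main(ev):
    """True if any filter_main_* selector matches ('1 of filter_main_*')."""
    details = ev.get("Details")
    if details is None:                                   # filter_main_null
        return True
    d = str(details).lower()
    t = (ev.get("TargetObject") or "").lower()
    return (d.startswith("dword")                         # filter_main_dword
            or d in ("cookie:", "visited:", "(empty)")    # filter_main_office
            or any(p in t for p in ("\\cache", "\\zonemap", "\\wpaddecision"))  # filter_main_path
            or d == "binary data")                        # filter_main_binary

def filter_optional(ev):
    # filter_optional_accepted_documents: noise seen during Office installs
    key = (INTERNET_SETTINGS + r"\Accepted Documents").lower()
    return key in (ev.get("TargetObject") or "").lower()

def matches(ev):
    """condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection_domains(ev) and not filter_main(ev) and not filter_optional(ev)

def alerting_targets(events):
    """Return the TargetObject of every event the rule would flag."""
    return [ev["TargetObject"] for ev in events if matches(ev)]

# Constructed sample events (hypothetical SID, paths and values, not real telemetry).
IS = r"HKU\S-1-5-21-1111-2222-3333-1001" + INTERNET_SETTINGS
SAMPLE_EVENTS = [
    {"TargetObject": IS + r"\AutoConfigURL", "Details": "http://pac.example/proxy.pac"},  # string value: alerts
    {"TargetObject": IS + r"\ProxyEnable", "Details": "DWORD (0x00000001)"},              # DWORD: filtered
    {"TargetObject": IS + r"\ZoneMap\Domains\site.example\*", "Details": "DWORD (0x00000002)"},  # ZoneMap: filtered
    {"TargetObject": IS + r"\Accepted Documents\000", "Details": "application/msword"},    # Office install: filtered
    {"TargetObject": IS + r"\Cache\Content", "Details": "Binary Data"},                    # cache/binary: filtered
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd", "Details": "C:\\u.exe"},  # not selected
]

if __name__ == "__main__":
    for target in alerting_targets(SAMPLE_EVENTS):
        print("ALERT:", target)
```

Because `\ZoneMap` sits in `filter_main_path`, zone assignments written under ZoneMap are excluded by this rule as written; only non-DWORD, non-binary writes elsewhere under Internet Settings reach the alert.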
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID: d88d0ab2-e696-4d40-a2ed-9790064e66b3
Status: test
Level: low
Type: Detection
Created: Sat Jan 22
Modified: Wed Oct 22
Path: rules/windows/registry/registry_set/registry_set_persistence_ie.yml
Raw Tags: attack.persistence, attack.defense-evasion, attack.t1112