Type: Detection | Level: high | Status: test
Uncommon Microsoft Office Trusted Location Added
Detects changes to the registry keys that define Microsoft Office "Trusted Locations" where the path is set to an uncommon location. Attackers might add extra trusted locations to bypass macro security restrictions.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Wed Jun 21 | Updated: Fri Sep 29
Rule ID: f742bde7-9528-42e5-bd82-84f51a8387d2 | Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (4 selectors)
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_exclude_known_paths:
        Details|contains:
            - '%APPDATA%\Microsoft\Templates'
            - '%%APPDATA%%\Microsoft\Templates'
            - '%APPDATA%\Microsoft\Word\Startup'
            - '%%APPDATA%%\Microsoft\Word\Startup'
            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office (x86)\Templates'
            - ':\Program Files\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office\Templates\'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
False Positives
Other legitimate or custom trusted-location paths that are not in the exclusion list will need to be filtered to avoid false positives.
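To make the condition concrete, the following is an added example (not part of the rule or the Sigma project) that re-implements the rule's selection and filter groups in plain Python and runs them over a handful of constructed Sysmon Event ID 13 (registry value set) records. The field names Image, TargetObject and Details are the Sysmon registry_set fields the rule is written against; the SIDs, process paths and trusted-location values in the sample events are made up for illustration. Sigma string modifiers on Windows fields match case-insensitively, so the helpers lower-case both sides.

```python
"""Added example: the Sigma rule's selection/filter logic in plain Python,
run over constructed Sysmon Event ID 13 (registry value set) records.
Events, SIDs and paths below are constructed for illustration only."""

# Fragments copied from the rule's filter_exclude_known_paths list.
KNOWN_PATH_FRAGMENTS = [
    '%APPDATA%\\Microsoft\\Templates',
    '%%APPDATA%%\\Microsoft\\Templates',
    '%APPDATA%\\Microsoft\\Word\\Startup',
    '%%APPDATA%%\\Microsoft\\Word\\Startup',
    ':\\Program Files (x86)\\Microsoft Office\\root\\Templates\\',
    ':\\Program Files\\Microsoft Office (x86)\\Templates',
    ':\\Program Files\\Microsoft Office\\root\\Templates\\',
    ':\\Program Files\\Microsoft Office\\Templates\\',
]
CLICK_TO_RUN_DIR = ':\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'
CLICK_TO_RUN_EXE = '\\OfficeClickToRun.exe'
OFFICE_APP_DIRS = [
    ':\\Program Files\\Microsoft Office\\',
    ':\\Program Files (x86)\\Microsoft Office\\',
]


def _contains(value, fragment):
    # Sigma string modifiers on Windows fields are case-insensitive.
    return fragment.lower() in value.lower()


def _endswith(value, suffix):
    return value.lower().endswith(suffix.lower())


def selection(event):
    """A value named 'Path' under an Office 'Trusted Locations\\LocationN' key."""
    target = event.get('TargetObject', '')
    return (_contains(target, 'Security\\Trusted Locations\\Location')
            and _endswith(target, '\\Path'))


def filter_exclude_known_paths(event):
    details = event.get('Details', '')
    return any(_contains(details, frag) for frag in KNOWN_PATH_FRAGMENTS)


def filter_main_office_click_to_run(event):
    image = event.get('Image', '')
    return _contains(image, CLICK_TO_RUN_DIR) and _endswith(image, CLICK_TO_RUN_EXE)


def filter_main_office_apps(event):
    image = event.get('Image', '')
    return any(_contains(image, d) for d in OFFICE_APP_DIRS)


def matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*"""
    if not selection(event):
        return False
    if filter_main_office_click_to_run(event) or filter_main_office_apps(event):
        return False
    if filter_exclude_known_paths(event):
        return False
    return True


def alerts(events):
    """Return the ids of the events the rule would fire on, in input order."""
    return [e['id'] for e in events if matches(e)]


# Constructed sample events (a single user's Word 16.0 hive).
_KEY = ('HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\'
        'Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations\\')
SAMPLE_EVENTS = [
    # reg.exe points a new Location at a world-writable folder: alert
    {'id': 'evt-1', 'Image': 'C:\\Windows\\System32\\reg.exe',
     'TargetObject': _KEY + 'Location9\\Path',
     'Details': 'C:\\Users\\Public\\Downloads\\'},
    # Word itself writes the key (Trust Center dialog): filter_main_office_apps
    {'id': 'evt-2', 'Image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'TargetObject': _KEY + 'Location5\\Path',
     'Details': 'D:\\Projects\\macros\\'},
    # Click-to-Run writes the stock template path: main and known-path filters both hit
    {'id': 'evt-3', 'Image': 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe',
     'TargetObject': _KEY + 'Location1\\Path',
     'Details': 'C:\\Program Files\\Microsoft Office\\root\\Templates\\'},
    # PowerShell, but to a stock per-user template folder: filter_exclude_known_paths
    {'id': 'evt-4', 'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'TargetObject': _KEY + 'Location2\\Path',
     'Details': '%APPDATA%\\Microsoft\\Templates'},
    # Same key, but the AllowSubfolders value rather than Path: selection misses
    {'id': 'evt-5', 'Image': 'C:\\Windows\\System32\\reg.exe',
     'TargetObject': _KEY + 'Location9\\AllowSubfolders',
     'Details': 'DWORD (0x00000001)'},
    # regedit.exe marks a network share as trusted: alert
    {'id': 'evt-6', 'Image': 'C:\\Windows\\regedit.exe',
     'TargetObject': _KEY + 'Location3\\Path',
     'Details': '\\\\fileserver\\share\\templates'},
]

if __name__ == '__main__':
    for event in SAMPLE_EVENTS:
        print(event['id'], 'ALERT' if matches(event) else 'ok', event['Details'])
```

Only evt-1 and evt-6 fire: the writes that come from the Office binaries or Click-to-Run, or that point at the stock template folders, are dropped by the filters even when a scripting host performed them. Tuning for the false positives mentioned above means adding an organisation's own legitimate template or add-in paths to KNOWN_PATH_FRAGMENTS, which mirrors extending the rule's filter_exclude_known_paths list.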
References
1. Internal Research
2. admx.help
MITRE ATT&CK
Techniques
Rule Metadata
Rule ID
f742bde7-9528-42e5-bd82-84f51a8387d2
Status
test
Level
high
Type
Detection
Created
Wed Jun 21
Modified
Fri Sep 29
Path
rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.t1112