Techniques
Sample rules
Internet Explorer DisableFirstRunCustomize Enabled
- source: sigma
- technicques:
Description
Detects changes to the Internet Explorer “DisableFirstRunCustomize” value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
Image:
- C:\Windows\explorer.exe
- C:\Windows\System32\ie4uinit.exe
selection:
Details:
- DWORD (0x00000001)
- DWORD (0x00000002)
TargetObject|endswith: \Microsoft\Internet Explorer\Main\DisableFirstRunCustomize