Sample rules
Uncommon Microsoft Office Trusted Location Added
- source: sigma
- techniques:
  - t1112
Description
Detects changes to registry keys related to “Trusted Location” of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
Detection logic
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_exclude_known_paths:
        Details|contains:
            - '%APPDATA%\Microsoft\Templates'
            - '%%APPDATA%%\Microsoft\Templates'
            - '%APPDATA%\Microsoft\Word\Startup'
            - '%%APPDATA%%\Microsoft\Word\Startup'
            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office (x86)\Templates'
            - ':\Program Files\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office\Templates\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
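To show how the selection, the two filter_main_* groups and the filter_exclude_* group combine under the condition above, here is the same logic written out in Python and run over a handful of constructed Sysmon Event ID 13 (registry value set) records. This is an added illustration, not code from the Sigma project or from the rule itself; the field names (Image, TargetObject, Details) follow the Sysmon registry_set log source, the sample events and the SID/user names in them are constructed, and Sigma's default case-insensitive string matching is reproduced by lowercasing both sides of every comparison.

```python
"""Evaluate the 'Uncommon Microsoft Office Trusted Location Added' logic
against constructed Sysmon Event ID 13 records (illustrative, not Sigma code)."""

SELECTION_CONTAINS = "Security\\Trusted Locations\\Location"
SELECTION_ENDSWITH = "\\Path"

FILTER_MAIN_OFFICE_APPS = (
    ":\\Program Files\\Microsoft Office\\",
    ":\\Program Files (x86)\\Microsoft Office\\",
)
FILTER_MAIN_C2R_CONTAINS = ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"
FILTER_MAIN_C2R_ENDSWITH = "\\OfficeClickToRun.exe"

FILTER_EXCLUDE_KNOWN_PATHS = (
    "%APPDATA%\\Microsoft\\Templates",
    "%%APPDATA%%\\Microsoft\\Templates",
    "%APPDATA%\\Microsoft\\Word\\Startup",
    "%%APPDATA%%\\Microsoft\\Word\\Startup",
    ":\\Program Files (x86)\\Microsoft Office\\root\\Templates\\",
    ":\\Program Files\\Microsoft Office (x86)\\Templates",
    ":\\Program Files\\Microsoft Office\\root\\Templates\\",
    ":\\Program Files\\Microsoft Office\\Templates\\",
)


def _contains(value, needles):
    """Sigma |contains: case-insensitive substring match against any needle."""
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def _endswith(value, suffix):
    """Sigma |endswith: case-insensitive suffix match."""
    return (value or "").lower().endswith(suffix.lower())


def selection(event):
    # Both TargetObject modifiers must hold (fields in one map are AND-ed).
    t = event.get("TargetObject", "")
    return _contains(t, [SELECTION_CONTAINS]) and _endswith(t, SELECTION_ENDSWITH)


def filter_main_office_apps(event):
    return _contains(event.get("Image"), FILTER_MAIN_OFFICE_APPS)


def filter_main_office_click_to_run(event):
    img = event.get("Image")
    return _contains(img, [FILTER_MAIN_C2R_CONTAINS]) and _endswith(img, FILTER_MAIN_C2R_ENDSWITH)


def filter_exclude_known_paths(event):
    return _contains(event.get("Details"), FILTER_EXCLUDE_KNOWN_PATHS)


def matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*"""
    if not selection(event):
        return False
    if filter_main_office_apps(event) or filter_main_office_click_to_run(event):
        return False
    return not filter_exclude_known_paths(event)


# Constructed sample events (Sysmon Event ID 13 fields); the SID and user are made up.
_HIVE = "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations\\"
SAMPLE_EVENTS = [
    {   # 1: Word writing a default trusted location -> suppressed by filter_main_office_apps
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetObject": _HIVE + "Location1\\Path",
        "Details": "%APPDATA%\\Microsoft\\Templates",
    },
    {   # 2: a script host trusts a user-writable download folder -> alert
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "TargetObject": _HIVE + "Location9\\Path",
        "Details": "C:\\Users\\alice\\Downloads\\",
    },
    {   # 3: reg.exe sets a known template path -> suppressed by filter_exclude_known_paths
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": _HIVE + "Location2\\Path",
        "Details": "C:\\Program Files\\Microsoft Office\\root\\Templates\\",
    },
    {   # 4: Click-to-Run servicing -> suppressed by filter_main_office_click_to_run
        "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
        "TargetObject": _HIVE + "Location3\\Path",
        "Details": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates",
    },
    {   # 5: same key family but not the \Path value -> selection does not match
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": _HIVE + "Location9\\AllowSubFolders",
        "Details": "DWORD (0x00000001)",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the 1-based indices of events that fire the rule."""
    return [i for i, e in enumerate(events, 1) if matches(e)]


if __name__ == "__main__":
    for i in run():
        e = SAMPLE_EVENTS[i - 1]
        print(f"ALERT event {i}: {e['Image']} set trusted location {e['Details']!r}")
```

Only event 2 fires. Note that the exclusions match the literal string stored in the registry value: event 4 stores an already-expanded AppData path rather than the `%APPDATA%` form, so it would alert were it not written by OfficeClickToRun.exe. When tuning this rule for an environment, add such expanded paths to filter_exclude_known_paths rather than widening the Image filters.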