LoFP / This will alert on legitimate macro usage as well; additional tuning is required.

Techniques

Sample rules

Windows Registry Trust Record Modification

Description

Alerts on modification of the TrustRecords registry key (HKCU\Software\Microsoft\Office\<version>\<application>\Security\Trusted Documents\TrustRecords). Office writes a value under this key when a user enables macros or other active content for a document (a "trusted document"), so a new value indicates that macros were enabled for the document named in the value, whether by an attacker's lure or by legitimate use.

Detection logic

selection:
  TargetObject|contains: \Security\Trusted Documents\TrustRecords
condition: selection
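The rule above fires on every trusted-document write, which is exactly the false positive this page records. The following added example (not LoFP's or Sigma's code) runs the same `TargetObject|contains` match over a few constructed Sysmon Event ID 13 records and applies one common tuning: the value name under TrustRecords is the document's path, so the triage step escalates documents enabled from download, mail or temp locations and suppresses documents on sanctioned internal shares. The event field names follow Sysmon; the share names, folder lists and the URL-encoded form of the value name are assumptions for illustration and should be checked against your own telemetry.

```python
"""Run the TrustRecords detection over constructed Sysmon registry events
and triage the hits by document origin to reduce legitimate-macro noise.

Added example, not code from the original page or from the Sigma project.
Assumptions: events are dicts using Sysmon field names (TargetObject,
Image, Details); the TrustRecords value name is the URL-encoded document
path; the trusted shares and untrusted folders are hypothetical placeholders.
"""
from urllib.parse import unquote

# The page's selection: TargetObject|contains this string.
NEEDLE = r"\Security\Trusted Documents\TrustRecords"

# Sigma's |contains on Windows fields is case-insensitive; match the same way.
def matches_rule(event: dict) -> bool:
    return NEEDLE.lower() in event.get("TargetObject", "").lower()

def document_path(event: dict) -> str:
    """The value name after TrustRecords\\ is the trusted document's path
    (assumed URL-encoded with forward slashes); normalise to a Windows path."""
    target = event["TargetObject"]
    idx = target.lower().find(NEEDLE.lower())
    value_name = target[idx + len(NEEDLE):].lstrip("\\")
    return unquote(value_name).replace("/", "\\")

# Tuning policy (assumed): documents enabled from download / mail / temp
# folders are escalated; documents on sanctioned internal shares are dropped.
UNTRUSTED_LOCATIONS = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\content.outlook\\")
TRUSTED_SHARES = ("\\\\corp-fs01\\finance\\", "\\\\corp-fs01\\hr\\")  # hypothetical shares

def triage(event: dict) -> str:
    """Return 'ignore' (rule did not fire), 'suppress', 'review' or 'alert'."""
    if not matches_rule(event):
        return "ignore"
    path = document_path(event).lower()
    if path.startswith(TRUSTED_SHARES):
        return "suppress"   # the legitimate-macro case the page warns about
    if any(loc in path for loc in UNTRUSTED_LOCATIONS):
        return "alert"
    return "review"

# Constructed Sysmon Event ID 13 (RegistryEvent - Value Set) records, not real telemetry.
OFFICE = r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0"
EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": OFFICE + r"\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Downloads/invoice%20Q3.docm",
     "Details": "Binary Data"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": OFFICE + r"\Excel\Security\Trusted Documents\TrustRecords\//corp-fs01/finance/budget.xlsm",
     "Details": "Binary Data"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": OFFICE + r"\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Desktop/notes.docm",
     "Details": "Binary Data"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": OFFICE + r"\Word\Options\DefaultFormat",
     "Details": "DWORD (0x00000000)"},
]

def verdicts(events=EVENTS) -> list:
    """Apply the rule plus triage to each event, in order."""
    return [triage(e) for e in events]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, verdicts()):
        doc = document_path(event) if matches_rule(event) else "-"
        print(f"{verdict:8} {event['Image'].rsplit(chr(92), 1)[-1]:12} {doc}")
```

The raw rule matches three of the four events; after triage only the document enabled from Downloads is an alert, the corporate-share workbook is suppressed, and the Desktop document is queued for review. Tune the share list and folder list to your environment rather than suppressing the rule outright.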