Adversaries may leverage macro-enabled documents in suspicious registry paths to execute malicious code and establish persistence by manipulating Office trust records
title: Macro Enabled In A Potentially Suspicious Document
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
related:
- id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
type: derived
status: test
description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
references:
- https://twitter.com/inversecos/status/1494174785621819397
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_value:
TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
selection_paths:
TargetObject|contains:
# Note: add more locations where you don't expect a user to executed macro enabled docs
- '/AppData/Local/Microsoft/Windows/INetCache/'
- '/AppData/Local/Temp/'
- '/PerfLogs/'
- 'C:/Users/Public/'
- 'file:///D:/'
- 'file:///E:/'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
imRegistry
| where RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords" and (RegistryKey contains "/AppData/Local/Microsoft/Windows/INetCache/" or RegistryKey contains "/AppData/Local/Temp/" or RegistryKey contains "/PerfLogs/" or RegistryKey contains "C:/Users/Public/" or RegistryKey contains "file:///D:/" or RegistryKey contains "file:///E:/")DeviceRegistryEvents
| where RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords" and (RegistryKey contains "/AppData/Local/Microsoft/Windows/INetCache/" or RegistryKey contains "/AppData/Local/Temp/" or RegistryKey contains "/PerfLogs/" or RegistryKey contains "C:/Users/Public/" or RegistryKey contains "file:///D:/" or RegistryKey contains "file:///E:/")| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |