SigmaHQ/rules/windows/registry_event/sysmon_reg_office_security.yml

29 lines
777 B
YAML
Raw Normal View History

title: Office Security Settings Changed
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
status: experimental
description: Detects registry changes to Office macro settings
author: Trent Liffick (@tliffick)
date: 2020/05/22
modified: 2020/07/01
references:
- Internal Research
tags:
- attack.defense_evasion
- attack.t1112
logsource:
category: registry_event
product: windows
detection:
sec_settings:
TargetObject|endswith:
- '*\Security\Trusted Documents\TrustRecords'
- '*\Security\AccessVBOM'
- '*\Security\VBAWarnings'
EventType:
2020-06-10 14:35:14 +00:00
- SetValue
- DeleteValue
- CreateValue
condition: sec_settings
falsepositives:
- Valid Macros and/or internal documents
level: high