Uncommon Microsoft Office Trusted Location Added

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry
Defense Evasion	`T1112` Modify Registry

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

TargetObject|endswith: '\Path'
TargetObject|contains: 'Security\Trusted Locations\Location'

Stage 2: `not 1 of filter_main_*`

or:
Image|endswith: '\OfficeClickToRun.exe'
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|contains: ':\Program Files (x86)\Microsoft Office\'
Image|contains: ':\Program Files\Microsoft Office\'

Stage 3: `not 1 of filter_exclude_known_paths`

or:
Details|contains: '%%APPDATA%%\Microsoft\Templates'
Details|contains: '%%APPDATA%%\Microsoft\Word\Startup'
Details|contains: '%APPDATA%\Microsoft\Templates'
Details|contains: '%APPDATA%\Microsoft\Word\Startup'
Details|contains: ':\Program Files (x86)\Microsoft Office\root\Templates\'
Details|contains: ':\Program Files\Microsoft Office (x86)\Templates'
Details|contains: ':\Program Files\Microsoft Office\Templates\'
Details|contains: ':\Program Files\Microsoft Office\root\Templates\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	match	`%%APPDATA%%\Microsoft\Templates` `%%APPDATA%%\Microsoft\Word\Startup` `%APPDATA%\Microsoft\Templates` `%APPDATA%\Microsoft\Word\Startup` `:\Program Files (x86)\Microsoft Office\root\Templates\` `:\Program Files\Microsoft Office (x86)\Templates` `:\Program Files\Microsoft Office\Templates\` `:\Program Files\Microsoft Office\root\Templates\`
`Image`	ends_with	`\OfficeClickToRun.exe` corpus 10 (sigma 10)
`Image`	match	`:\Program Files (x86)\Microsoft Office\` corpus 2 (sigma 2) `:\Program Files\Common Files\Microsoft Shared\ClickToRun\` corpus 2 (sigma 2) `:\Program Files\Microsoft Office\` corpus 4 (sigma 4)
`TargetObject`	ends_with	`\Path`
`TargetObject`	match	`Security\Trusted Locations\Location`