Detection rules › Sigma

Potential Attachment Manager Settings Associations Tamper

Status
test
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

Event coverage

ProviderEventTitle
SysmonEvent ID 13RegistryEvent (Value Set)

Rule body yaml

title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: test
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
    - attack.defense-impairment
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
    selection_value_default_file_type_rsik:
        TargetObject|endswith: '\DefaultFileTypeRisk'
        Details: 'DWORD (0x00006152)'
    selection_value_low_risk_filetypes:
        TargetObject|endswith: '\LowRiskFileTypes'
        Details|contains: # Add more as you see fit
            - '.zip;'
            - '.rar;'
            - '.exe;'
            - '.bat;'
            - '.com;'
            - '.cmd;'
            - '.reg;'
            - '.msi;'
            - '.htm;'
            - '.html;'
    condition: selection_main and 1 of selection_value_*
falsepositives:
    - Unlikely
level: high

Stages and Predicates

Stage 0: condition

selection_main and 1 of selection_value_*

Stage 1: selection_main

selection_main:
    TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'

Stage 2: selection_value_default_file_type_rsik

selection_value_default_file_type_rsik:
    TargetObject|endswith: '\DefaultFileTypeRisk'
    Details: 'DWORD (0x00006152)'

Stage 3: selection_value_low_risk_filetypes

selection_value_low_risk_filetypes:
    TargetObject|endswith: '\LowRiskFileTypes'
    Details|contains: # Add more as you see fit
        - '.zip;'
        - '.rar;'
        - '.exe;'
        - '.bat;'
        - '.com;'
        - '.cmd;'
        - '.reg;'
        - '.msi;'
        - '.htm;'
        - '.html;'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • DWORD (0x00006152)
Detailsmatch
  • .bat;
  • .cmd;
  • .com;
  • .exe;
  • .htm;
  • .html;
  • .msi;
  • .rar;
  • .reg;
  • .zip;
TargetObjectends_with
  • \DefaultFileTypeRisk
  • \LowRiskFileTypes
TargetObjectmatch
  • \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\