← Back to Explore
sigmamediumHunting
IE Change Domain Zone
Hides the file extension through modification of the registry
Detection Query
selection_domains:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
filter:
Details:
- DWORD (0x00000000)
- DWORD (0x00000001)
- (Empty)
condition: selection_domains and not filter
Author
frack113
Created
2022-01-22
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.persistenceattack.t1137
Raw Content
title: IE Change Domain Zone
id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
related:
- id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
type: derived
status: test
description: Hides the file extension through modification of the registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
- https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.t1137
logsource:
category: registry_set
product: windows
detection:
selection_domains:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
filter:
Details:
- DWORD (0x00000000) # My Computer
- DWORD (0x00000001) # Local Intranet Zone
- '(Empty)'
condition: selection_domains and not filter
falsepositives:
- Administrative scripts
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/info.yml
simulation:
- type: atomic-red-team
name: Add Domain to Trusted Sites Zone
technique: T1112
atomic_guid: cf447677-5a4e-4937-a82c-e47d254afd57