sigma low Hunting
Modification of IE Registry Settings
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence.
Detection Query
selection_domains:
    TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings
filter_main_dword:
    Details|startswith: DWORD
filter_main_null:
    Details: null
filter_main_office:
    Details:
        - "Cookie:"
        - "Visited:"
        - (Empty)
filter_main_path:
    TargetObject|contains:
        - \Cache
        - \ZoneMap
        - \WpadDecision
filter_main_binary:
    Details: Binary Data
filter_optional_accepted_documents:
    TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents
condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*
Author
frack113
Created
2022-01-22
Data Sources
windows Registry Set Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
Tags
attack.persistence attack.defense-evasion attack.t1112
Raw Content
title: Modification of IE Registry Settings
id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
status: test
description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
author: frack113
date: 2022-01-22
modified: 2025-10-22
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_domains:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    filter_main_dword:
        Details|startswith: 'DWORD'
    filter_main_null:
        Details: null
    filter_main_office:
        Details:
            - 'Cookie:'
            - 'Visited:'
            - '(Empty)'
    filter_main_path:
        TargetObject|contains:
            - '\Cache'
            - '\ZoneMap'
            - '\WpadDecision'
    filter_main_binary:
        Details: 'Binary Data'
    filter_optional_accepted_documents:
        # Spotted during Office installations
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents'
    condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: low
level: low
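
Added example (not part of the rule or of this page's original content): a Python re-implementation of the rule's condition, run over constructed registry_set events, that reports which filter_* blocks suppress each event. The SID, key values and host names are hypothetical sample data; the matching assumes Sigma's default case-insensitive string comparison.

```python
# Added example: the rule's condition re-implemented for constructed events.
BASE = r"\software\microsoft\windows\currentversion\internet settings"

def matched_filters(ev):
    """Names of the rule's filter_* blocks that match this event."""
    target = (ev.get("TargetObject") or "").lower()  # case-insensitive matching
    details = ev.get("Details")
    d = (details or "").lower()
    checks = {
        "filter_main_dword": d.startswith("dword"),
        "filter_main_null": details is None,
        "filter_main_office": d in ("cookie:", "visited:", "(empty)"),
        "filter_main_path": any(
            p in target for p in (r"\cache", r"\zonemap", r"\wpaddecision")),
        "filter_main_binary": d == "binary data",
        "filter_optional_accepted_documents":
            BASE + r"\accepted documents" in target,
    }
    return [name for name, hit in checks.items() if hit]

def evaluate(ev):
    """Return (alert, filters): selection_domains and not 1 of filter_*."""
    selected = BASE in (ev.get("TargetObject") or "").lower()
    filters = matched_filters(ev) if selected else []
    return (selected and not filters, filters)

# Constructed registry_set events (hypothetical SID, hosts and values).
KEY = (r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows"
       r"\CurrentVersion\Internet Settings")
EVENTS = [
    {"TargetObject": KEY + r"\ProxyEnable", "Details": "DWORD (0x00000001)"},
    {"TargetObject": KEY + r"\AutoConfigURL",
     "Details": "http://proxy.example.test/proxy.pac"},
    {"TargetObject": KEY + r"\ZoneMap\Domains\example.test\https",
     "Details": "DWORD (0x00000002)"},
    {"TargetObject": KEY + r"\Accepted Documents\1",
     "Details": "application/msword"},
    {"TargetObject": KEY + r"\5.0\Cache\Content\CachePrefix",
     "Details": "Cookie:"},
    {"TargetObject": KEY + r"\User Agent", "Details": None},
    {"TargetObject": r"HKLM\SOFTWARE\Example\Setting", "Details": "value"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        alert, filters = evaluate(ev)
        name = ev["TargetObject"].rsplit("\\", 1)[-1]
        print("ALERT" if alert else "quiet", name, filters)
```

Only the string-valued AutoConfigURL write raises an alert here; the constructed ZoneMap event is suppressed by both filter_main_dword and filter_main_path, which is worth knowing when relying on this rule for trusted-sites changes.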