Query Details

Macro Trustrecords

Query

name: Initial Access, Indicators of Macro document enabled/trusted by user
description: Detects users enabling a macro based file which could indicate a spearphishing attachment
references: https://attack.mitre.org/techniques/T1566/001/, https://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
tags: Initial Access, T1566.001
search_query: 
(DeviceRegistryEvents
| where RegistryKey contains "TrustRecords")
Notes:
This will also alert on some legitimate users; you need to modify it to add proper exclusions for your environment.

Explanation

The query is looking for instances where users enable a macro in a document, which could indicate a spearphishing attachment. It searches the DeviceRegistryEvents table for registry events whose key path contains "TrustRecords" (the Office Trusted Documents store that is written when a user clicks "Enable Content"). It is important to note that this query may generate false positives and should be modified to exclude legitimate users and devices.
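The following is an added example of how the base query can be tuned before it is turned into an alert; it is not the author's query from this page. It keeps the same TrustRecords match, but narrows it to the Office "Trusted Documents" key path, drops a placeholder set of excluded accounts and hosts (the names are assumed and must be replaced with your own), keeps only macro-capable document extensions taken from the trusted document path stored in RegistryValueName, and groups the results per user and device so a burst of newly trusted documents stands out.

```kql
// Added example, not the original query. Exclusion lists below are placeholders.
let ExcludedUsers = dynamic(["svc_office_build", "doc_review_bot"]);  // assumed accounts
let ExcludedDevices = dynamic(["LAB-OFFICE-01"]);                     // assumed hosts
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueSet"
// Office writes one value per trusted document under ...\Security\Trusted Documents\TrustRecords
| where RegistryKey contains @"\Security\Trusted Documents\TrustRecords"
| where InitiatingProcessAccountName !in~ (ExcludedUsers)
| where DeviceName !in~ (ExcludedDevices)
// RegistryValueName holds the path of the document that was trusted; keep macro-capable formats only
| where RegistryValueName matches regex @"(?i)\.(docm|dotm|xlsm|xlam|pptm|doc|xls)$"
// Files arriving via mail or browser usually land in Downloads, Temp or Outlook cache folders
| extend FromDownloadPath = RegistryValueName matches regex @"(?i)(Downloads|Temp|INetCache|Content\.Outlook)"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          RegistryKey, RegistryValueName, RegistryValueData, FromDownloadPath
| summarize TrustedDocs = make_set(RegistryValueName), Count = count(),
            AnyFromDownloadPath = max(FromDownloadPath)
          by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1h)
| order by AnyFromDownloadPath desc, Count desc
```

RegistryValueData for these entries is a binary blob; the referenced az4n6 post describes its trailing bytes as the indicator of whether "Enable Content" (macros) or only "Enable Editing" was clicked, so if your tenant surfaces that data in a usable form it is the next filter to add. Until then, the download-path flag and the per-hour count are the cheapest way to push genuinely suspicious events to the top without suppressing the whole table.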

Details


Ali Hussein

Released: January 22, 2024

Tables

DeviceRegistryEvents

Keywords

Devices, Intune, User

Operators

|, where, contains
