Initial Access, Indicators of Macro document enabled/trusted by user
Macro Trustrecords
Query
DeviceRegistryEvents
| where RegistryKey contains "TrustRecords"Explanation
The query is looking for instances where users enable a macro in a document, which could indicate a spearphishing attachment. It searches for events related to the device's registry, specifically looking for entries containing "TrustRecords". It is important to note that this query may generate false positives and should be modified to exclude legitimate users.
