Query Details

Initial Access, Indicators of Macro document enabled/trusted by user

Macro Trustrecords

Query

DeviceRegistryEvents
| where RegistryKey contains "TrustRecords"

Explanation

The query is looking for instances where users enable a macro in a document, which could indicate a spearphishing attachment. It searches for events related to the device's registry, specifically looking for entries containing "TrustRecords". It is important to note that this query may generate false positives and should be modified to exclude legitimate users.

Details

Ali Hussein profile picture

Ali Hussein

Released: January 22, 2024

Tables

DeviceRegistryEvents

Keywords

DevicesIntuneUser

Operators

|wherecontains

MITRE Techniques

Actions

GitHub