Suspicious MS Office Registry Modifications

Adversaries may attempt to lower the security controls around macro-enabled objects via malicious documents. By modifying settings such as trusting future macros (AccessVBOM) or disabling security warnings (VBAWarnings) in the Office registry hive, adversaries increase their chances of regaining access to the machine.

id:53745477-dafc-43ba-8eaf-6578a6758794
categories:detect
confidence:low
os:windows
created:02/12/2020
updated:02/12/2020

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1112 Modify Registry

Query

sequence by unique_pid
  [process where process_name in ("winword.exe", "excel.exe", "powerpnt.exe")]
  [registry where wildcard(registry_path, "*\\Software\\Microsoft\\Office\\*\\Word\\Security\\AccessVBOM",
                                          "*\\Software\\Microsoft\\Office\\*\\Word\\Security\\VBAWarnings")]
| unique unique_pid
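To show which events the sequence above actually matches, the following Python emulation of the query runs it over constructed telemetry. It is an added example, not code from the analytic or from EQL itself; the event dict keys unique_pid, process_name and registry_path mirror the query's field names, while event_type is an assumed field naming the event kind.

```python
import fnmatch

# Constants taken from the page's EQL query
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WATCHED_PATHS = (
    "*\\Software\\Microsoft\\Office\\*\\Word\\Security\\AccessVBOM",
    "*\\Software\\Microsoft\\Office\\*\\Word\\Security\\VBAWarnings",
)

def matches_watched(registry_path):
    """EQL wildcard() is case-insensitive, so lower both sides before matching."""
    path = registry_path.lower()
    return any(fnmatch.fnmatchcase(path, pat.lower()) for pat in WATCHED_PATHS)

def find_suspicious_pids(events):
    """Emulate `sequence by unique_pid [process ...] [registry ...] | unique unique_pid`.

    events: time-ordered dicts. unique_pid, process_name and registry_path are the
    query's field names; event_type is an assumed field naming the event kind.
    Returns each unique_pid that first shows an Office process event and later a
    write to a watched value, reported once per pid in order of first hit.
    """
    office_pids = set()  # pids for which the first sequence stage has matched
    reported = []
    for ev in events:
        pid = ev["unique_pid"]
        if ev["event_type"] == "process":
            if ev.get("process_name", "").lower() in OFFICE_PROCS:
                office_pids.add(pid)
        elif ev["event_type"] == "registry" and pid in office_pids and pid not in reported:
            if matches_watched(ev.get("registry_path", "")):
                reported.append(pid)
    return reported

# Constructed sample telemetry (not real data); the SID in HKU is a placeholder.
HKU = "HKEY_USERS\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Office\\16.0\\"
SAMPLE_EVENTS = [
    {"event_type": "process", "unique_pid": 1, "process_name": "winword.exe"},
    {"event_type": "registry", "unique_pid": 1, "registry_path": HKU + "Word\\Security\\VBAWarnings"},
    {"event_type": "registry", "unique_pid": 1, "registry_path": HKU + "Word\\Security\\AccessVBOM"},
    {"event_type": "process", "unique_pid": 2, "process_name": "excel.exe"},
    {"event_type": "registry", "unique_pid": 2, "registry_path": HKU + "Excel\\Security\\VBAWarnings"},
    {"event_type": "process", "unique_pid": 3, "process_name": "explorer.exe"},
    {"event_type": "registry", "unique_pid": 3, "registry_path": HKU + "Word\\Security\\AccessVBOM"},
    {"event_type": "registry", "unique_pid": 4, "registry_path": HKU + "Word\\Security\\VBAWarnings"},
]

if __name__ == "__main__":
    print(find_suspicious_pids(SAMPLE_EVENTS))  # [1]
```

Only pid 1 is reported: pid 3 is not an Office process, pid 4 has no preceding process event, and pid 2's Excel write is missed because the query's two patterns only cover the Word subkey even though excel.exe and powerpnt.exe are in the process list. Widening the patterns to the Security subkey of any Office application would close that gap.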

Contributors