Suspicious MS Office Registry Modifications
Adversaries may attempt to lower the security controls around macro-enabled documents from within a malicious document itself. The usual targets are two values under the per-user Office Security key: VBAWarnings, the macro security level (a value of 1 enables all macros without prompting), and AccessVBOM, which grants trusted access to the VBA project object model so that macro code can create or modify other macros. By changing these settings, for example trusting future macros or disabling security warnings, adversaries increase the chance that a later document executes without user interaction and so help themselves regain access to the machine. Note that the query's process filter covers Word, Excel and PowerPoint, while its registry patterns match only the Word\Security key; Excel and PowerPoint keep the equivalent values under their own Excel\Security and PowerPoint\Security keys, so those writes are not caught as written.
| id | 53745477-dafc-43ba-8eaf-6578a6758794 |
|---|---|
| categories | detect |
| confidence | low |
| os | windows |
| created | 02/12/2020 |
| updated | 02/12/2020 |
MITRE ATT&CK™ Mapping

| tactics | Defense Evasion |
|---|---|
| techniques | T1112 Modify Registry |
Query

```eql
sequence by unique_pid
  [process where process_name in ("winword.exe", "excel.exe", "powerpnt.exe")]
  [registry where wildcard(registry_path, "*\\Software\\Microsoft\\Office\\*\\Word\\Security\\AccessVBOM",
                                          "*\\Software\\Microsoft\\Office\\*\\Word\\Security\\VBAWarnings")]
| unique unique_pid
```
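To see how the sequence above behaves on concrete events, here is an added Python example (not code from the EQL analytics library) that re-implements the two stages and the `| unique unique_pid` filter over constructed sample events. It assumes events carry event_type, unique_pid, process_name, registry_path and, for interpreting a hit, registry_data as strings; the wildcard helper emulates EQL's case-insensitive glob, and the VBAWarnings level table reflects the documented Office settings. The Excel sample is included to show that, with the patterns exactly as written in the query, a write to Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings does not fire.

```python
"""Replay of the Office registry sequence over constructed events.

Added example, not part of the analytics library: it mirrors the query above
(Office process, then a registry write to the Word AccessVBOM/VBAWarnings
value from the same unique_pid) so the matching logic can be checked offline.
"""
import fnmatch
from typing import Dict, Iterable, List

# Process names from the query's first stage.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Patterns from the query's second stage (EQL wildcard() is case-insensitive).
REGISTRY_PATTERNS = [
    r"*\Software\Microsoft\Office\*\Word\Security\AccessVBOM",
    r"*\Software\Microsoft\Office\*\Word\Security\VBAWarnings",
]

# Documented meaning of the VBAWarnings levels, used to triage a hit.
VBAWARNINGS_LEVELS = {
    "1": "enable all macros (no prompt)",
    "2": "disable macros with notification (default)",
    "3": "disable macros except digitally signed",
    "4": "disable all macros without notification",
}


def wildcard(value: str, *patterns: str) -> bool:
    """Case-insensitive glob match, emulating EQL's wildcard() function."""
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def explain(registry_path: str, registry_data: str) -> str:
    """Describe what the written value does, keyed on the value name."""
    name = registry_path.rsplit("\\", 1)[-1].lower()
    if name == "accessvbom":
        state = "ENABLED" if registry_data == "1" else "disabled"
        return "trust access to the VBA project object model: " + state
    if name == "vbawarnings":
        return "macro security level: " + VBAWARNINGS_LEVELS.get(registry_data, "unknown")
    return "unrelated value"


def suspicious_office_registry(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emulate `sequence by unique_pid [process ...] [registry ...] | unique unique_pid`.

    Events must be in time order. A registry event counts only if an Office
    process event with the same unique_pid was seen earlier, and each
    unique_pid is reported once.
    """
    office_pids = set()   # unique_pids that passed the process stage
    reported = set()      # unique_pids already emitted (| unique unique_pid)
    hits: List[Dict[str, str]] = []
    for ev in events:
        pid = ev["unique_pid"]
        if ev["event_type"] == "process":
            if ev["process_name"].lower() in OFFICE_APPS:
                office_pids.add(pid)
        elif ev["event_type"] == "registry":
            if (pid in office_pids and pid not in reported
                    and wildcard(ev["registry_path"], *REGISTRY_PATTERNS)):
                reported.add(pid)
                hits.append({
                    "unique_pid": pid,
                    "registry_path": ev["registry_path"],
                    "meaning": explain(ev["registry_path"], ev.get("registry_data", "")),
                })
    return hits


# Constructed sample events (not real telemetry), oldest first.
SAMPLE_EVENTS = [
    {"event_type": "process", "unique_pid": "101", "process_name": "WINWORD.EXE"},
    {"event_type": "registry", "unique_pid": "101", "registry_data": "1",
     "registry_path": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings"},
    {"event_type": "registry", "unique_pid": "101", "registry_data": "1",
     "registry_path": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM"},
    # Excel writes under Excel\Security, which the Word-only patterns miss.
    {"event_type": "process", "unique_pid": "202", "process_name": "excel.exe"},
    {"event_type": "registry", "unique_pid": "202", "registry_data": "1",
     "registry_path": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings"},
    # Same value changed by a non-Office process: the first stage never matches.
    {"event_type": "process", "unique_pid": "303", "process_name": "regedit.exe"},
    {"event_type": "registry", "unique_pid": "303", "registry_data": "1",
     "registry_path": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM"},
    # Word touching a different Security subkey: the second stage does not match.
    {"event_type": "process", "unique_pid": "404", "process_name": "winword.exe"},
    {"event_type": "registry", "unique_pid": "404",
     "registry_path": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"},
]

if __name__ == "__main__":
    for hit in suspicious_office_registry(SAMPLE_EVENTS):
        print(hit)
```

Running the module reports a single hit, for unique_pid 101, even though that process wrote both values; the AccessVBOM write is suppressed by the unique filter, so triage should pull the full registry history of the process rather than rely on the one reported event. Adding Excel\Security and PowerPoint\Security variants of the two patterns (or a wildcard in place of Word) would make the second stage consistent with the first stage's process list; note that a user changing Trust Center settings through the Office UI produces the same sequence from the same process, so every hit still needs a look at the written value and what the process did next.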