Threat Feed
medium advisory

MS Office Macro Security Registry Modifications

Attackers may modify the Microsoft Office registry values that govern macro security (VBAWarnings and AccessVBOM) to suppress security warnings and grant trust to the VBA object model, so that malicious macros run silently on later documents and can be used for persistence and further compromise.

Microsoft Office keeps its per-user macro security settings in the registry, where users (through the Trust Center) and developers can manage them. An attacker who already has code running can write those values directly instead of waiting for the user: VBAWarnings set to 1 means "Enable all macros", so no prompt is shown before a macro runs, and AccessVBOM set to 1 means "Trust access to the VBA project object model", which lets scripts and macros read and write VBA projects programmatically (the capability a macro needs to copy itself into other documents). Either change raises the chance that later macro-laden documents execute without user interaction, which is how the modification serves persistence and follow-on activity on the compromised system. This is a common tactic used to bypass security controls and execute malicious code within an organization, usually as part of a phishing or spear-phishing campaign.

Attack Chain

  1. The attacker crafts a malicious Office document containing VBA macros.
  2. The victim receives the malicious document via email or other means (T1566).
  3. The victim opens the document, which (with default settings) shows the "Enable Content" security warning.
  4. If the victim clicks through the prompt, or macros are already enabled or trusted by existing settings, the malicious VBA code executes (T1204.002).
  5. The VBA code modifies the registry to remove the prompt for the future, setting HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\<application>\Security\VBAWarnings to 1 and/or AccessVBOM to 1 (T1112). Note that this step requires code already running; its purpose is to make the next document, or a macro injected into other documents, run silently.
  6. The attacker can then use the trusted macro environment to execute arbitrary code (T1059.005).
  7. The attacker may establish persistence by creating scheduled tasks (T1053.005) or adding Run keys or Startup folder entries (T1547.001).
  8. The attacker achieves their final objective, which may include data exfiltration (TA0010), lateral movement (TA0008), or deploying ransomware (TA0040).

Impact

Successful exploitation lets attackers bypass Office macro security protections, leading to arbitrary code execution and system compromise. Disabling macro security warnings removes the one control that stands between a phishing attachment and code execution: users are no longer prompted to approve macro execution, so every subsequent malicious document runs on open, which can lead to further malware infection and data breaches. The rules below detect the registry changes that put a host into that state.

Recommendation

  • Enable Sysmon registry event logging (Event ID 13, RegistryEvent value set, which is the registry_set log source these rules consume). Sysmon only records registry writes its configuration includes, so make sure the configuration has TargetObject entries ending in \Security\VBAWarnings and \Security\AccessVBOM.
  • Deploy the Sigma rules “MS Office Macro Security Registry Modifications” and “MS Office AccessVBOM Registry Modification” to your SIEM and tune them for your environment.
  • Use Group Policy Objects (GPOs) to centrally manage Office macro security settings. Values written under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\<version>\<application>\Security take precedence over the user's Trust Center settings, so a macro or script rewriting the non-policy key cannot loosen the effective setting.
  • Investigate any alert generated by these rules: identify the process that wrote the value (the Sysmon Image field), check whether it is an Office application acting on a user's Trust Center click or something else entirely, and look for macro execution and child processes of the Office application around the same time.

Detection coverage (2 rules)

MS Office Macro Security Registry Modifications

medium

Detects modifications to the VBAWarnings registry value that disables macro security warnings.

Sigma rule. Tactics: defense_evasion. Techniques: T1112, T1204.002. Log source: registry_set (windows).

MS Office AccessVBOM Registry Modification

medium

Detects the AccessVBOM registry value being set to 1 (“Trust access to the VBA project object model”), which grants macros and scripts programmatic read and write access to VBA projects.

Sigma rule. Tactics: defense_evasion. Techniques: T1112, T1204.002. Log source: registry_set (windows).
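The following Python is an added example illustrating the logic of both rules above; it is not the platform's detection code and does not reproduce its queries. It matches the two rules against constructed Sysmon Event ID 13 records (field names EventID, EventType, Image, TargetObject and Details follow the Sysmon schema; the SID and paths in the sample events are made up). It also encodes the caveat a tuned deployment needs: only VBAWarnings=1 and AccessVBOM=1 loosen security, while VBAWarnings 2 to 4, typically written by Group Policy, are the default or a hardening change and should not fire.

```python
"""Toy re-implementation of the two registry_set detections listed above,
run over constructed Sysmon Event ID 13 (RegistryEvent: value set) records.
Added example; not the platform's own rule logic."""
import re

# Sysmon reports HKCU paths as HKU\<SID>\...; both rules key on the value
# name at the end of TargetObject, so the hive prefix never matters.
# Office apps write under Software\... (Trust Center, or a macro), Group
# Policy writes under Software\Policies\...; the regex captures which.
_OFFICE_SECURITY = (
    r"\\Software\\(?P<policy>Policies\\)?Microsoft\\Office\\"
    r"(?P<ver>\d+\.\d+)\\(?P<app>[^\\]+)\\Security\\"
)
VBAWARNINGS_RE = re.compile(_OFFICE_SECURITY + r"VBAWarnings$", re.IGNORECASE)
ACCESSVBOM_RE = re.compile(_OFFICE_SECURITY + r"AccessVBOM$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \(0x(?P<hex>[0-9a-f]{8})\)", re.IGNORECASE)

# Meaning of VBAWarnings values (the Trust Center "Macro Settings" choices).
VBAWARNINGS_MEANING = {
    1: "Enable all macros (no warning)",
    2: "Disable all macros with notification (default)",
    3: "Disable all macros except digitally signed macros",
    4: "Disable all macros without notification",
}

RULES = (
    ("MS Office Macro Security Registry Modifications", VBAWARNINGS_RE,
     VBAWARNINGS_MEANING[1]),
    ("MS Office AccessVBOM Registry Modification", ACCESSVBOM_RE,
     "Trust access to the VBA project object model"),
)


def parse_dword(details):
    """Sysmon renders REG_DWORD Details as 'DWORD (0x00000001)'; return int or None."""
    m = DWORD_RE.search(details or "")
    return int(m.group("hex"), 16) if m else None


def evaluate(event):
    """Return an alert dict for one Sysmon Event 13 record, or None if not a hit.

    Only the value that loosens security fires (VBAWarnings=1 / AccessVBOM=1).
    VBAWarnings 2-4 are the default or a hardening change; AccessVBOM=0 revokes.
    """
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    if parse_dword(event.get("Details")) != 1:
        return None
    target = event.get("TargetObject", "")
    for rule, pattern, meaning in RULES:
        m = pattern.search(target)
        if m:
            return {
                "rule": rule,
                "app": m.group("app"),
                "version": m.group("ver"),
                "via_policy": m.group("policy") is not None,
                # Writer process. Note: a macro calling WScript.Shell.RegWrite runs
                # inside the Office process, so Image is WINWORD.EXE for a macro
                # just as for a user clicking in the Trust Center.
                "image": event.get("Image"),
                "meaning": meaning,
            }
    return None


def run(events):
    """Evaluate every record and return the list of alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed Sysmon Event 13 records (not captured from a real host).
_SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {   # Word switched to "enable all macros": hit
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetObject": _SID + r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
        "Details": "DWORD (0x00000001)",
    },
    {   # Group Policy pushes "disable all without notification": hardening, no hit
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": _SID + r"\Software\Policies\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
        "Details": "DWORD (0x00000004)",
    },
    {   # PowerShell grants trust access to the VBA project object model in Excel: hit
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": _SID + r"\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
        "Details": "DWORD (0x00000001)",
    },
    {   # unrelated Office value with the same data: no hit
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetObject": _SID + r"\Software\Microsoft\Office\16.0\Word\Options\BackgroundOpen",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f'{alert["rule"]}: {alert["app"]} {alert["version"]} '
              f'({alert["meaning"]}) written by {alert["image"]}'
              f'{" via Policies key" if alert["via_policy"] else ""}')
```

Run stand-alone it prints two alerts, for the Word VBAWarnings write and the Excel AccessVBOM write, and stays silent on the Group Policy hardening write and the unrelated key. The `via_policy` flag is there for triage: a write to the Policies path by anything other than the Group Policy client is worth a closer look, whereas a Trust Center change under the user key is often a user action.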
