{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-office/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["low"],"_cs_tags":["persistence","registry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe \u0026ldquo;Office Test\u0026rdquo; registry key, located under \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e, is a legitimate feature that allows specifying a DLL to be executed every time an MS Office application is started. Attackers can abuse this functionality by modifying the registry to point to a malicious DLL, achieving persistence on a compromised host. This allows for continued malicious activity even after a system restart or user logout. Elastic has published a rule to detect this behavior. 
The modification of this registry key, excluding deletions, is a strong indicator of potential abuse, and can be detected via endpoint detection and response (EDR) solutions as well as traditional Sysmon logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, often through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a foothold and escalates privileges to make necessary registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\u003c/code\u003e registry key, adding a new entry or modifying an existing one to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious DLL is present on the system, either by dropping it directly or using existing system tools to download it.\u003c/li\u003e\n\u003cli\u003eA user launches a Microsoft Office application (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the DLL specified in the \u0026ldquo;Office Test\u0026rdquo; registry key during startup.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes its payload, which could include establishing a reverse shell, installing malware, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence, allowing them to regain access to the system each time an Office application is started.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to a compromised system. The injected DLL can be used to execute arbitrary code, potentially leading to data theft, malware installation, or further compromise of the network. 
The relatively low risk score suggests a common technique, but the potential for persistent access makes it a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect unauthorized modifications to the \u0026ldquo;Office Test\u0026rdquo; registry key (\u003ccode\u003eHKCU\\Software\\Microsoft\\Office Test\\Special\\Perf\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Registry event logging to capture registry modifications and activate the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for Office applications to detect if a suspicious DLL has been loaded or executed, as described in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for similar registry modifications across the network, as described in the remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T17:30:00Z","date_published":"2024-01-27T17:30:00Z","id":"/briefs/2024-01-office-test-registry-persistence/","summary":"Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application startup.","title":"Microsoft Office 'Office Test' Registry Persistence Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-office-test-registry-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Excel","PowerPoint","Word"],"_cs_severities":["medium"],"_cs_tags":["xsl-script","com-interface","office-macro"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging the Microsoft.XMLDOM COM interface in Microsoft Office applications to execute malicious scripts. 
This technique involves embedding malicious JScript or VBScript within XSL transformations, which are then processed by Office applications like Word, Excel, PowerPoint, and Publisher. The exploitation begins when a user opens a specially crafted document. This campaign abuses legitimate functionalities for malicious purposes. This technique can be used for initial access, defense evasion, and execution of arbitrary code. The observed behavior includes the loading of \u003ccode\u003emsxml3.dll\u003c/code\u003e and the spawning of child processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a phishing email containing a malicious Office document.\u003c/li\u003e\n\u003cli\u003eThe user opens the document in Microsoft Word (winword.exe), Excel (excel.exe), PowerPoint (powerpnt.exe), or Publisher (mspub.exe).\u003c/li\u003e\n\u003cli\u003eThe Office application loads \u003ccode\u003emsxml3.dll\u003c/code\u003e to process XML content within the document.\u003c/li\u003e\n\u003cli\u003eThe document contains an embedded XSL script with malicious JScript or VBScript code.\u003c/li\u003e\n\u003cli\u003eThe XSL transformation is initiated, executing the embedded script via the COM interface.\u003c/li\u003e\n\u003cli\u003eThe script spawns a new process (cmd.exe, powershell.exe, or mshta.exe) to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe spawned process downloads and executes a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence, escalates privileges, and performs malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, potentially compromising sensitive data and allowing attackers to gain initial access to the targeted system. 
This can result in data breaches, financial losses, and reputational damage. The scope of impact includes any Windows systems running vulnerable versions of Microsoft Office. If successful, the attacker can achieve persistence, perform lateral movement and compromise other systems on the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;XSL Script Execution via COM\u0026rdquo; to your SIEM to detect the execution of hosted XSL scripts using the Microsoft.XMLDOM COM interface.\u003c/li\u003e\n\u003cli\u003eMonitor for the loading of \u003ccode\u003emsxml3.dll\u003c/code\u003e by Microsoft Office applications and subsequent process creations to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized scripts and executables, particularly those not located in standard directories.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unusual or unsigned child processes spawned by Microsoft Office applications to prevent malicious script execution.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious attachments or clicking on links in phishing emails (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:22:00Z","date_published":"2024-01-26T18:22:00Z","id":"/briefs/2024-01-xsl-script-execution-via-com/","summary":"Adversaries may exploit Microsoft Office applications to execute malicious JScript or VBScript by leveraging the Microsoft.XMLDOM COM interface to process and transform XML documents using XSL scripts, potentially leading to initial access or defense evasion.","title":"XSL Script Execution via COM Interface in Microsoft Office","url":"https://feed.craftedsignal.io/briefs/2024-01-xsl-script-execution-via-com/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Microsoft Defender 
XDR","Elastic Defend","SentinelOne Cloud Funnel","LogiOptions","Sidekick.vsto"],"_cs_severities":["medium"],"_cs_tags":["office-addins","phishing","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Logitech","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging malicious Microsoft Office Add-Ins to gain initial access and persistence on victim systems. These add-ins, often delivered through phishing campaigns, contain embedded malicious code. This detection identifies unusual execution patterns, such as Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE, VSTOInstaller.exe) launching add-ins (wll, xll, ppa, ppam, xla, xlam, vsto) from suspicious paths like Temp or Downloads directories, or with atypical parent processes (explorer.exe, OpenWith.exe, cmd.exe, powershell.exe). The detection logic filters out known benign activities, such as installations of Logitech software, to minimize false positives and focus on anomalies indicative of malicious intent. 
This activity matters because successful exploitation can lead to arbitrary code execution, data theft, and further compromise of the victim\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a phishing email containing a malicious Microsoft Office document.\u003c/li\u003e\n\u003cli\u003eThe user opens the document, which prompts them to enable macros or install an add-in.\u003c/li\u003e\n\u003cli\u003eThe malicious add-in (wll, xll, ppa, ppam, xla, xlam, vsto) is downloaded from a remote server or dropped into a suspicious directory, such as %TEMP% or %APPDATA%.\u003c/li\u003e\n\u003cli\u003eThe user executes an Office application (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE), which loads the malicious add-in.\u003c/li\u003e\n\u003cli\u003eThe malicious add-in executes arbitrary code, potentially downloading and executing a second-stage payload.\u003c/li\u003e\n\u003cli\u003eThe add-in may establish persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can perform reconnaissance, lateral movement, and data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data theft, ransomware deployment, or intellectual property theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across all sectors are at risk, particularly those with a high volume of email traffic. The use of malicious Office Add-Ins provides attackers with a persistent foothold within the victim\u0026rsquo;s environment, allowing for long-term data collection and disruption of business operations. 
This can lead to significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOffice Add-In Loaded From Suspicious Path\u003c/code\u003e to detect add-ins loaded from temporary or download directories based on \u003ccode\u003eprocess.args\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOffice Add-In Loaded By Suspicious Parent\u003c/code\u003e to detect add-ins loaded by \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e based on \u003ccode\u003eprocess.parent.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eVSTOInstaller.exe\u003c/code\u003e executing with the \u003ccode\u003e/Uninstall\u003c/code\u003e argument, as this may indicate suspicious activity, correlating with the exclusion rule in the provided query.\u003c/li\u003e\n\u003cli\u003eMonitor for Office applications launching add-ins with parent processes of \u003ccode\u003eexplorer.exe\u003c/code\u003e or \u003ccode\u003eOpenWith.exe\u003c/code\u003e using process creation logs and the provided query logic.\u003c/li\u003e\n\u003cli\u003eImplement stricter email filtering to prevent phishing emails containing malicious Office documents from reaching end-users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-office-addins/","summary":"This rule detects suspicious execution of Microsoft Office applications launching Office Add-Ins from unusual paths or with atypical parent processes, potentially indicating an attempt to gain initial access via a malicious phishing campaign.","title":"Suspicious Execution via Microsoft Office 
Add-Ins","url":"https://feed.craftedsignal.io/briefs/2024-01-office-addins/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Microsoft Word","Microsoft Excel","Microsoft PowerPoint","Outlook"],"_cs_severities":["medium"],"_cs_tags":["initial-access","defense-evasion","execution","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Microsoft Office applications (Word, PowerPoint, Excel, Outlook), which are commonly targeted for initial access via malicious documents or macro exploitation. The rule focuses on identifying anomalous process executions originating from these applications, a tactic often employed to execute arbitrary code or download additional payloads. Attackers leverage Office applications due to their widespread use and inherent scripting capabilities. Successful exploitation can lead to arbitrary code execution, lateral movement, and data exfiltration. This detection helps defenders identify and respond to potential security breaches originating from Microsoft Office applications, reducing the attack surface and minimizing potential damage. 
The rule specifically looks for processes like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, and others being spawned by Office applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a malicious Microsoft Office document (e.g., Word, Excel) via email or downloads it from a compromised website.\u003c/li\u003e\n\u003cli\u003eThe user opens the document, triggering the execution of a malicious macro or exploitation of a vulnerability within the Office application.\u003c/li\u003e\n\u003cli\u003eThe Office application (e.g., \u003ccode\u003ewinword.exe\u003c/code\u003e, \u003ccode\u003eexcel.exe\u003c/code\u003e) spawns a suspicious child process such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes a command to download a malicious payload from a remote server using \u003ccode\u003ebitsadmin.exe\u003c/code\u003e or \u003ccode\u003ecertutil.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is a reverse shell or a malware dropper, which establishes a connection to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the compromised system and attempts to escalate privileges and perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses discovery commands with \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003etasklist.exe\u003c/code\u003e, and \u003ccode\u003ewhoami.exe\u003c/code\u003e to map the environment and identify valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, aiming to compromise critical assets and achieve their objectives, such as data theft 
or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to gain initial access to the compromised system. This can result in data theft, installation of malware, lateral movement to other systems, and ultimately, significant disruption to business operations. The widespread use of Microsoft Office makes it a prime target, potentially affecting a large number of users and organizations. Failure to detect and respond to these attacks can result in significant financial losses, reputational damage, and compromise of sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging (Sysmon Event ID 1 or Windows Security Event Logs) to ensure the visibility required to detect suspicious child processes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious MS Office Child Process\u003c/code\u003e to your SIEM and tune the rule based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eSuspicious MS Office Child Process\u003c/code\u003e Sigma rule by examining the parent process tree and associated network connections.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized processes from Microsoft Office applications.\u003c/li\u003e\n\u003cli\u003eRegularly update Microsoft Office applications to patch known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains or IPs associated with malware delivery and command and control, based on threat intelligence feeds and IOCs from external 
sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-office-child-process/","summary":"Detects suspicious child processes of Microsoft Office applications, indicating potential exploitation or malicious macros for initial access, defense evasion, and execution.","title":"Suspicious MS Office Child Process","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-office-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Microsoft Visual Studio"],"_cs_severities":["medium"],"_cs_tags":["persistence","office","vsto"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can leverage Visual Studio Tools for Office (VSTO) add-ins to establish persistence within Microsoft Office applications. VSTO add-ins, designed to extend the functionality of Office applications, can be manipulated by threat actors to execute malicious code upon application startup. By modifying specific registry keys associated with VSTO add-ins, adversaries can ensure their code is loaded and executed each time an Office application is launched. This technique allows for covert and persistent access to compromised systems, enabling further malicious activities such as data exfiltration, lateral movement, or the deployment of additional payloads. The detection of this persistence mechanism is crucial for defenders to identify and mitigate potential compromises within their environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system via unspecified means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the registry keys associated with VSTO add-ins for Office applications (Outlook, Word, Excel, PowerPoint). 
These keys are typically located under \u003ccode\u003e\\Software\\Microsoft\\Office\\[Application]\\Addins\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to add or modify entries related to a malicious VSTO add-in. This involves setting the \u003ccode\u003eLoadBehavior\u003c/code\u003e value to \u003ccode\u003e3\u003c/code\u003e to ensure the add-in is loaded on startup.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious VSTO add-in files (DLLs) in a location accessible to the Office application.\u003c/li\u003e\n\u003cli\u003eThe attacker may also modify the \u003ccode\u003e\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\\u003c/code\u003e registry key to bypass security warnings related to unsigned add-ins.\u003c/li\u003e\n\u003cli\u003eThe user launches the targeted Office application (e.g., Outlook).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the malicious VSTO add-in based on the modified registry entries.\u003c/li\u003e\n\u003cli\u003eThe malicious VSTO add-in executes its payload, enabling the attacker to perform malicious activities on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistent code execution within Microsoft Office applications. This can lead to the compromise of sensitive data, the deployment of additional malware, and the establishment of a long-term foothold within the targeted environment. The scope of impact depends on the privileges of the user account and the capabilities of the malicious VSTO add-in. 
Since Office applications are commonly used, a successful attack could potentially affect a large number of users within an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Persistence Via Visual Studio Tools for Office\u003c/code\u003e to your SIEM to detect suspicious registry modifications related to VSTO add-ins.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications under the paths \u003ccode\u003e\\Software\\Microsoft\\Office\\Outlook\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Word\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Excel\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\\u003c/code\u003e, and \u003ccode\u003e\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\\u003c/code\u003e (see Sigma rule and references).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted VSTO add-ins.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit installed Office add-ins to identify and remove any suspicious or unauthorized extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vsto-persistence/","summary":"The Visual Studio Tools for Office (VSTO) add-ins can be abused by attackers to establish persistence in Microsoft Office applications by modifying registry keys.","title":"Persistence via Visual Studio Tools for Office (VSTO) Add-ins","url":"https://feed.craftedsignal.io/briefs/2024-01-vsto-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft 
Office"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.persistence","attack.t1547.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may target Microsoft Office applications\u0026rsquo; autostart extensibility points (ASEPs) in the Windows Registry to establish persistence. By modifying specific registry keys, malicious actors can ensure that their code is executed each time an Office application, such as Word, Excel, or Outlook, is launched. This technique is often employed to maintain a foothold on a compromised system. While legitimate add-ins also leverage these registry keys, unauthorized modifications can lead to the execution of arbitrary code, potentially resulting in data theft, system compromise, or further exploitation. Defenders should be aware that many legitimate applications modify these keys. Thorough testing and tuning are required.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system via an unrelated method.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the relevant Office application ASEP registry keys: \u003ccode\u003e\\Software\\Wow6432Node\\Microsoft\\Office\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\u003c/code\u003e and specific application keys like \u003ccode\u003e\\Word\\Addins\u003c/code\u003e, \u003ccode\u003e\\Excel\\Addins\u003c/code\u003e, etc.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key to point to a malicious executable or script. 
This could be achieved using tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe registry modification ensures that the malicious code is executed upon the next launch of the targeted Office application.\u003c/li\u003e\n\u003cli\u003eThe user launches the Office application (e.g., Word, Excel, Outlook).\u003c/li\u003e\n\u003cli\u003eThe Office application reads the modified registry key and executes the associated malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as downloading additional payloads, establishing command and control, or stealing data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the modified registry key, ensuring continued access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence on compromised systems. This can lead to data exfiltration, deployment of ransomware, or further lateral movement within the network. The modification of these keys is often performed to maintain a persistent presence, allowing attackers to regain access to the system even after reboots or user logoffs. 
While the number of direct victims is unknown, the potential for widespread impact is significant, especially in organizations heavily reliant on Microsoft Office applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable registry modification logging and deploy the provided Sigma rules to your SIEM to detect suspicious changes to Office application autostart registry keys.\u003c/li\u003e\n\u003cli\u003eRegularly audit the Office application add-ins installed on systems to identify and remove any unauthorized or malicious extensions (reference: Sigma rules).\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent the execution of unauthorized executables and scripts (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for Office applications launching unusual or suspicious child processes (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eTune and customize the provided Sigma rules based on your environment\u0026rsquo;s baseline of legitimate Office add-in activity to minimize false positives (reference: Sigma rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-office-autorun-registry-modification/","summary":"Adversaries modify Office application autostart extensibility point (ASEP) registry keys to achieve persistence and execute malicious code when Office applications are launched.","title":"Office Application Autorun Registry Key Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-office-autorun-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office"],"_cs_severities":["medium"],"_cs_tags":["office","macro","registry","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft Office applications allow 
users and developers to manage macro security settings. Attackers can abuse these settings by modifying the registry to automatically trust macros or disable security warnings. This increases the likelihood of successful macro execution, potentially establishing persistence or enabling further malicious activities on the compromised system. The modifications specifically target the \u003ccode\u003eAccessVBOM\u003c/code\u003e and \u003ccode\u003eVbaWarnings\u003c/code\u003e registry values. This is a common tactic used to bypass security controls and execute malicious code within an organization, often as part of a phishing or spear phishing campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Office document containing VBA macros.\u003c/li\u003e\n\u003cli\u003eThe victim receives the malicious document via email or other means (T1566).\u003c/li\u003e\n\u003cli\u003eThe victim opens the document, potentially triggering a prompt to enable macros.\u003c/li\u003e\n\u003cli\u003eIf macros are enabled or trusted due to existing settings, the malicious VBA code executes (T1204.002).\u003c/li\u003e\n\u003cli\u003eThe VBA code modifies the Windows Registry to disable macro security warnings by setting \u003ccode\u003eHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\*\\Security\\VbaWarnings\u003c/code\u003e to 1 or modifying \u003ccode\u003eAccessVBOM\u003c/code\u003e (T1112).\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the trusted macro environment to execute arbitrary code (T1059.005).\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by creating scheduled tasks or modifying startup entries (T1547.001).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration, lateral movement, or deploying ransomware (TA0005, TA0002).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Office macro security protections, potentially leading to arbitrary code execution and system compromise. Disabling macro security warnings increases the attack surface within an organization, as users are no longer prompted to approve macro execution, which can lead to further malware infection and data breaches. The rule is designed to detect registry changes that could enable this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging so that the registry modifications described in this brief are captured and can trigger the detections (Sysmon Registry Events).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;MS Office Macro Security Registry Modifications\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eUse Group Policy Objects (GPOs) to centrally manage Office macro security settings and prevent users from modifying them (references).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the source of the registry modification and whether malicious macros were subsequently executed (rule description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-office-macro-security-regmod/","summary":"Attackers may modify Microsoft Office registry settings related to macro security (AccessVBOM, VbaWarnings) to disable security warnings, enabling malicious macros for persistence and further compromise.","title":"MS Office Macro Security Registry Modifications","url":"https://feed.craftedsignal.io/briefs/2024-01-office-macro-security-regmod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft 
Office"],"_cs_severities":["medium"],"_cs_tags":["initial-access","phishing","macro"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation of Office macro files (.docm, .xlsm, .pptm, etc.) can be an indicator of malicious activity, often linked to initial access attempts such as phishing campaigns or malware distribution. Attackers frequently embed malicious macros within these files to execute arbitrary code on a victim\u0026rsquo;s machine upon opening the document and enabling macros. While legitimate use cases for macro-enabled documents exist, their creation should be monitored, especially when originating from unusual processes or locations. This activity is related to the technique T1566.001 (Phishing: Spearphishing Attachment). Defenders need to monitor file creation events for specific Office macro extensions, filtering out common false positives to identify potential threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Office document (e.g., .docm, .xlsm) containing a VBA macro.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious document as an attachment via email (spearphishing).\u003c/li\u003e\n\u003cli\u003eThe user receives the email and opens the attached Office document.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to enable macros within the document.\u003c/li\u003e\n\u003cli\u003eIf the user enables macros, the embedded VBA code executes.\u003c/li\u003e\n\u003cli\u003eThe VBA code may execute PowerShell or other scripting languages to download a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk (e.g., in the user\u0026rsquo;s temp directory).\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence or performing other malicious actions, such as ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, malware installation, data exfiltration, and potentially complete system compromise. The impact can range from individual user infection to widespread organizational damage, depending on the attacker\u0026rsquo;s objectives and the level of access gained. In a widespread attack, numerous systems could be infected, leading to significant downtime, data loss, and financial repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOffice Macro File Creation\u003c/code\u003e to your SIEM to detect the creation of suspicious Office macro files (logsource: file_event/windows).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes of the file creation event.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate employees about the risks of opening unsolicited attachments and enabling macros.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging to capture the necessary events for the Sigma rule to function effectively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-office-macro-creation/","summary":"This brief outlines a threat involving the creation of new Office macro files, potentially indicating malicious activity such as phishing or malware distribution, targeting Windows systems.","title":"Detection of Office Macro File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-office-macro-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Office","version":"https://jsonfeed.org/version/1.1"}
