{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/macro/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office"],"_cs_severities":["medium"],"_cs_tags":["office","macro","registry","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft Office applications store their per-user macro security settings in the registry, where users and developers can manage them. Attackers abuse these settings by modifying the registry so that macros run without a warning or gain programmatic access to the VBA project. This increases the likelihood of successful macro execution, potentially establishing persistence or enabling further malicious activity on the compromised system. The modifications specifically target the \u003ccode\u003eVbaWarnings\u003c/code\u003e value, which controls whether macros are blocked, prompted for, or run silently (a value of 1 enables all macros), and the \u003ccode\u003eAccessVBOM\u003c/code\u003e value, which when set to 1 trusts access to the VBA project object model and lets a macro read or write VBA code in other documents. 
This is a common defense-evasion tactic used to execute malicious code within an organization, often as part of a phishing or spear phishing campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Office document containing VBA macros.\u003c/li\u003e\n\u003cli\u003eThe victim receives the malicious document via email or other means (T1566).\u003c/li\u003e\n\u003cli\u003eThe victim opens the document and, depending on the current macro settings, is prompted to enable macros.\u003c/li\u003e\n\u003cli\u003eIf macros are enabled or trusted due to existing settings, the malicious VBA code executes (T1204.002).\u003c/li\u003e\n\u003cli\u003eThe VBA code modifies the Windows Registry to disable macro security warnings by setting \u003ccode\u003eHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\*\\Security\\VbaWarnings\u003c/code\u003e to 1 (enable all macros) or by setting \u003ccode\u003eAccessVBOM\u003c/code\u003e to 1 under the same key; the \u003ccode\u003e*\u003c/code\u003e stands for the Office version and application, for example \u003ccode\u003e16.0\\Word\u003c/code\u003e (T1112).\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the trusted macro environment to execute arbitrary code (T1059.005).\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by creating scheduled tasks (T1053.005) or by modifying Run keys or startup folder entries (T1547.001).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration (TA0010), lateral movement (TA0008), or deploying ransomware (TA0040).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Office macro security protections, potentially leading to arbitrary code execution and system compromise. Disabling macro security warnings increases the attack surface within an organization, as users are no longer prompted to approve macro execution, which can lead to further malware infection and data breaches. 
The rule is designed to detect registry changes that could enable this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event ID 13, RegistryEvent value set) for the Office \u003ccode\u003eSecurity\u003c/code\u003e keys so that the registry modifications described in this brief produce the events the detection depends on.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;MS Office Macro Security Registry Modifications\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eUse Group Policy Objects (GPOs) to centrally manage Office macro security settings and prevent users from modifying them; policy-managed values live under \u003ccode\u003eHKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\u003c/code\u003e and take precedence over the user-writable keys above, so a macro that rewrites the user key does not override the policy.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine which process made the registry modification and whether malicious macros were subsequently executed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-office-macro-security-regmod/","summary":"Attackers may modify Microsoft Office registry settings related to macro security (AccessVBOM, VbaWarnings) to disable security warnings, enabling malicious macros for persistence and further compromise.","title":"MS Office Macro Security Registry Modifications","url":"https://feed.craftedsignal.io/briefs/2024-01-office-macro-security-regmod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office"],"_cs_severities":["medium"],"_cs_tags":["initial-access","phishing","macro"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation of Office macro files (.docm, .xlsm, .pptm, etc.) can be an indicator of malicious activity, often linked to initial access attempts such as phishing campaigns or malware distribution. 
Attackers frequently embed malicious macros within these files to execute arbitrary code on a victim\u0026rsquo;s machine upon opening the document and enabling macros. While legitimate use cases for macro-enabled documents exist, their creation should be monitored, especially when originating from unusual processes or locations. This activity is related to the technique T1566.001 (Phishing: Spearphishing Attachment). Defenders need to monitor file creation events for specific Office macro extensions, filtering out common false positives to identify potential threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Office document (e.g., .docm, .xlsm) containing a VBA macro.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious document as an attachment via email (spearphishing).\u003c/li\u003e\n\u003cli\u003eThe user receives the email and opens the attached Office document.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to enable macros within the document.\u003c/li\u003e\n\u003cli\u003eIf the user enables macros, the embedded VBA code executes.\u003c/li\u003e\n\u003cli\u003eThe VBA code may execute PowerShell or other scripting languages to download a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk (e.g., in the user\u0026rsquo;s temp directory).\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence or performing other malicious actions, such as ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, malware installation, data exfiltration, and potentially complete system compromise. The impact can range from individual user infection to widespread organizational damage, depending on the attacker\u0026rsquo;s objectives and the level of access gained. 
In a widespread attack, numerous systems could be infected, leading to significant downtime, data loss, and financial repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOffice Macro File Creation\u003c/code\u003e to your SIEM to detect the creation of suspicious Office macro files (logsource: file_event/windows).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that created the file and its parent: a macro-enabled file written by a mail client or browser into a download or attachment cache directory deserves more scrutiny than one saved by an Office application into a user\u0026rsquo;s working folder.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate employees about the risks of opening unsolicited attachments and enabling macros.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11, FileCreate) for the macro-enabled extensions so the Sigma rule has the events it needs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-office-macro-creation/","summary":"This brief outlines a threat involving the creation of new Office macro files, potentially indicating malicious activity such as phishing or malware distribution, targeting Windows systems.","title":"Detection of Office Macro File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-office-macro-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Macro","version":"https://jsonfeed.org/version/1.1"}
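Detection logic for both briefs in this feed (the macro security registry modification and the macro file creation), added here as a worked example; it is not code from CraftedSignal or from the Sigma rules the briefs name. It assumes Sysmon events already parsed into dicts carrying Sysmon's own field names (EventID, Image, TargetObject, Details, TargetFilename). The registry check mirrors the first brief (VbaWarnings or AccessVBOM set to 1, Sysmon Event ID 13); the file check mirrors the second (macro-enabled extension created, Sysmon Event ID 11) and adds the tuning the brief asks for, grading the alert by creating process and destination directory. The Office editor list, the delivery-directory list and the extended extension list are assumptions made for illustration, and the sample events are constructed, not captured telemetry.

```python
import re
from dataclasses import dataclass

# Macro-enabled Office extensions: the brief's .docm/.xlsm/.pptm plus the
# template and add-in variants that use the same VBA container (assumed list).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam", ".ppsm")

# TargetObject ending in \Software\Microsoft\Office\<version>\<app>\Security\<value>;
# the two free components are the version and application the brief writes as "*".
OFFICE_SECURITY_VALUE = re.compile(
    r"\\Software\\Microsoft\\Office\\[^\\]+\\[^\\]+\\Security\\(VbaWarnings|AccessVBOM)$",
    re.IGNORECASE,
)
# Sysmon Event ID 13 renders REG_DWORD data as "DWORD (0x00000001)".
SYSMON_DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")

# Tuning assumptions: processes that legitimately save macro-enabled files, and
# directories where a freshly written macro file is a delivery artefact.
OFFICE_EDITORS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DELIVERY_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\outlook\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    image: str
    target: str


def parse_sysmon_dword(details: str):
    """Return the integer behind a Sysmon 'DWORD (0x...)' string, or None."""
    m = SYSMON_DWORD.match(details.strip())
    return int(m.group(1), 16) if m else None


def detect_macro_security_regmod(event: dict):
    """Brief 1: VbaWarnings or AccessVBOM set to 1 (Sysmon EID 13, value set)."""
    if event.get("EventID") != 13:
        return None
    if OFFICE_SECURITY_VALUE.search(event.get("TargetObject", "")) is None:
        return None
    # VbaWarnings=1 is "enable all macros"; AccessVBOM=1 trusts VBA object model
    # access. VbaWarnings 2, 3 and 4 are restrictive settings and are not alerted.
    if parse_sysmon_dword(event.get("Details", "")) != 1:
        return None
    return Alert("MS Office Macro Security Registry Modifications", "medium",
                 event.get("Image", ""), event["TargetObject"])


def detect_macro_file_creation(event: dict):
    """Brief 2: a macro-enabled Office file is created (Sysmon EID 11, FileCreate)."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    if not target.lower().endswith(MACRO_EXTENSIONS):
        return None
    image = event.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    lowered = target.lower()
    # An Office editor saving into a working folder is the common false positive;
    # a non-Office writer, or a file landing in a delivery directory, gets "high".
    suspicious = exe not in OFFICE_EDITORS or any(d in lowered for d in DELIVERY_DIRS)
    return Alert("Office Macro File Creation", "high" if suspicious else "low",
                 image, target)


def run_detections(events):
    """Apply both rules to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (detect_macro_security_regmod, detect_macro_file_creation):
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry); field names follow Sysmon's XML.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\VbaWarnings",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\VbaWarnings",
     "Details": "DWORD (0x00000002)"},  # user tightened the setting: no alert
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\Invoice_Q4.docm"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\budget-model.xlsm"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\budget-model.xlsx"},  # no VBA container: no alert
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.image} -> {alert.target}")
```

Run against the constructed events this yields four alerts: two medium registry alerts (the VbaWarnings and AccessVBOM writes), one high file alert (a .docm landing in the Outlook attachment cache) and one low file alert (Excel saving an .xlsm into Documents); the VbaWarnings=2 write and the .xlsx save produce nothing. The severity grading is where tuning for your environment belongs: extend OFFICE_EDITORS and DELIVERY_DIRS from your own telemetry rather than treating the lists above as authoritative.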