<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Macro — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/macro/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/macro/feed.xml" rel="self" type="application/rss+xml"/><item><title>MS Office Macro Security Registry Modifications</title><link>https://feed.craftedsignal.io/briefs/2024-01-office-macro-security-regmod/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-office-macro-security-regmod/</guid><description>Attackers may modify Microsoft Office registry settings related to macro security (AccessVBOM, VbaWarnings) to disable security warnings, enabling malicious macros for persistence and further compromise.</description><content:encoded><![CDATA[<p>Microsoft Office applications allow users and developers to manage macro security settings. Attackers can abuse these settings by modifying the registry to automatically trust macros or disable security warnings. This increases the likelihood of successful macro execution, potentially establishing persistence or enabling further malicious activities on the compromised system. The modifications specifically target the <code>AccessVBOM</code> and <code>VbaWarnings</code> registry values. This is a common tactic used to bypass security controls and execute malicious code within an organization, often as part of a phishing or spear phishing campaign.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious Office document containing VBA macros.</li>
<li>The victim receives the malicious document via email or other means (T1566).</li>
<li>The victim opens the document, potentially triggering a prompt to enable macros.</li>
<li>If macros are enabled or trusted due to existing settings, the malicious VBA code executes (T1204.002).</li>
<li>The VBA code modifies the Windows Registry to disable macro security warnings by setting <code>HKEY_CURRENT_USER\Software\Microsoft\Office\*\Security\VbaWarnings</code> to 1 or modifying <code>AccessVBOM</code> (T1112).</li>
<li>The attacker can then use the trusted macro environment to execute arbitrary code (T1059.005).</li>
<li>The attacker may establish persistence by creating scheduled tasks or modifying startup entries (T1547.001).</li>
<li>The attacker achieves their final objective, which may include data exfiltration, lateral movement, or deploying ransomware (TA0005, TA0002).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to bypass Office macro security protections, potentially leading to arbitrary code execution and system compromise. Disabling macro security warnings increases the attack surface within an organization, as users are no longer prompted to approve macro execution, which can lead to further malware infection and data breaches. The rule is designed to detect registry changes that could enable this type of attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon registry event logging so that the registry modifications described in this brief generate the events the detection relies on (Sysmon Registry Events).</li>
<li>Deploy the Sigma rule &ldquo;MS Office Macro Security Registry Modifications&rdquo; to your SIEM and tune for your environment.</li>
<li>Use Group Policy Objects (GPOs) to centrally manage Office macro security settings and prevent users from modifying them (references).</li>
<li>Investigate any alerts generated by this rule to determine the source of the registry modification and whether malicious macros were subsequently executed (rule description).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>office</category><category>macro</category><category>registry</category><category>defense-evasion</category><category>windows</category></item><item><title>Detection of Office Macro File Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-office-macro-creation/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-office-macro-creation/</guid><description>This brief outlines a threat involving the creation of new Office macro files, potentially indicating malicious activity such as phishing or malware distribution, targeting Windows systems.</description><content:encoded><![CDATA[<p>The creation of Office macro files (.docm, .xlsm, .pptm, etc.) can be an indicator of malicious activity, often linked to initial access attempts such as phishing campaigns or malware distribution. Attackers frequently embed malicious macros within these files to execute arbitrary code on a victim&rsquo;s machine upon opening the document and enabling macros. While legitimate use cases for macro-enabled documents exist, their creation should be monitored, especially when originating from unusual processes or locations. This activity is related to the technique T1566.001 (Phishing: Spearphishing Attachment). Defenders need to monitor file creation events for specific Office macro extensions, filtering out common false positives to identify potential threats.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Office document (e.g., .docm, .xlsm) containing a VBA macro.</li>
<li>The attacker sends the malicious document as an attachment via email (spearphishing).</li>
<li>The user receives the email and opens the attached Office document.</li>
<li>The user is prompted to enable macros within the document.</li>
<li>If the user enables macros, the embedded VBA code executes.</li>
<li>The VBA code may execute PowerShell or other scripting languages to download a malicious payload.</li>
<li>The downloaded payload is saved to disk (e.g., in the user&rsquo;s temp directory).</li>
<li>The payload executes, establishing persistence or performing other malicious actions, such as ransomware deployment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to arbitrary code execution, malware installation, data exfiltration, and potentially complete system compromise. The impact can range from individual user infection to widespread organizational damage, depending on the attacker&rsquo;s objectives and the level of access gained. In a widespread attack, numerous systems could be infected, leading to significant downtime, data loss, and financial repercussions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Office Macro File Creation</code> to your SIEM to detect the creation of suspicious Office macro files (logsource: file_event/windows).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the parent processes of the file creation event.</li>
<li>Implement user awareness training to educate employees about the risks of opening unsolicited attachments and enabling macros.</li>
<li>Enable Sysmon file creation logging to capture the necessary events for the Sigma rule to function effectively.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>initial-access</category><category>phishing</category><category>macro</category></item></channel></rss>