Disable Macro Runtime Scan Scope

 1title: Disable Macro Runtime Scan Scope
 2id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
 3description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
 4status: test
 5date: 2022-10-25
 6modified: 2023-08-17
 7author: Nasreddine Bencherchali (Nextron Systems)
 8references:
 9    - https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
10    - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
11    - https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
12tags:
13    - attack.defense-evasion
14logsource:
15    product: windows
16    category: registry_set
17detection:
18    selection:
19        TargetObject|contains|all:
20            - '\SOFTWARE\'
21            - '\Microsoft\Office\'
22            - '\Common\Security'
23        TargetObject|endswith: '\MacroRuntimeScanScope'
24        Details: DWORD (0x00000000)
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

• Office VBA + AMSI: Parting the veil on malicious macros | Microsoft Security Blog

  

  As part of our continued efforts to tackle entire classes of threats, Office 365 client applications now integrate with Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior. Macro-based threats have always been a prevalent entry point for malware, but we […]

  
  Read More

• Macro Runtime Scan Scope

  This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. Macros can only be scanned if the anti-virus software registers as an Antimalware Scan Interface (AMSI) provider on the device.

  
  Read More

• OffensiveVBA/src/AMSIbypasses.vba at 28cc6a2802d8176195ac19b3c8e9a749009a82a3 · S3cur3Th1sSh1t/OffensiveVBA

  

  This repo covers some code execution and AV Evasion methods for Macros in Office documents - S3cur3Th1sSh1t/OffensiveVBA

  
  Read More

Related rules

• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application
• AMSI Bypass Pattern Assembly GetType
• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity