Disable Macro Runtime Scan Scope

Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros

Sigma rule (View on GitHub)

 1title: Disable Macro Runtime Scan Scope
 2id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
 3description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
 4status: test
 5date: 2022/10/25
 6modified: 2023/08/17
 7author: Nasreddine Bencherchali (Nextron Systems)
 8references:
 9    - https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
10    - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
11    - https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
12tags:
13    - attack.defense_evasion
14logsource:
15    product: windows
16    category: registry_set
17detection:
18    selection:
19        TargetObject|contains|all:
20            - '\SOFTWARE\'
21            - '\Microsoft\Office\'
22            - '\Common\Security'
23        TargetObject|endswith: '\MacroRuntimeScanScope'
24        Details: DWORD (0x00000000)
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top