Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
Sigma rule (View on GitHub)
1title: Disable Macro Runtime Scan Scope
2id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
3description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
4status: experimental
5date: 2022/10/25
6modified: 2023/08/17
7author: Nasreddine Bencherchali (Nextron Systems)
8references:
9 - https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
10 - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
11 - https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
12tags:
13 - attack.defense_evasion
14logsource:
15 product: windows
16 category: registry_set
17detection:
18 selection:
19 TargetObject|contains|all:
20 - '\SOFTWARE\'
21 - '\Microsoft\Office\'
22 - '\Common\Security'
23 TargetObject|endswith: '\MacroRuntimeScanScope'
24 Details: DWORD (0x00000000)
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
-
This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. Macros can only be scanned if the anti-virus software registers as an Antimalware Scan Interface (AMSI) provider on the device.
Read More -
This repo covers some code execution and AV Evasion methods for Macros in Office documents - S3cur3Th1sSh1t/OffensiveVBA
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Bypass UAC Using DelegateExecute