Trust Access Disable For VBApplications

calendar Oct 23, 2025 · attack.persistence attack.defense-evasion attack.t1112  ·
Share on: linkedin copy

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

Sigma rule (View on GitHub)

 1title: Trust Access Disable For VBApplications
 2id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
 3related:
 4    - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
 5      type: obsolete
 6status: test
 7description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
 8references:
 9    - https://twitter.com/inversecos/status/1494174785621819397
10    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
11    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
12author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
13date: 2020-05-22
14modified: 2023-08-17
15tags:
16    - attack.persistence
17    - attack.defense-evasion
18    - attack.t1112
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection:
24        TargetObject|endswith: '\Security\AccessVBOM'
25        Details: 'DWORD (0x00000001)'
26    condition: selection
27falsepositives:
28    - Unlikely
29level: high

References

Related rules

to-top