Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Sigma rule (View on GitHub)
1title: Trust Access Disable For VBApplications
2id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
3related:
4 - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
5 type: obsoletes
6status: test
7description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
8references:
9 - https://twitter.com/inversecos/status/1494174785621819397
10 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
11 - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
12author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
13date: 2020/05/22
14modified: 2023/08/17
15tags:
16 - attack.defense_evasion
17 - attack.t1112
18logsource:
19 category: registry_set
20 product: windows
21detection:
22 selection:
23 TargetObject|endswith: '\Security\AccessVBOM'
24 Details: 'DWORD (0x00000001)'
25 condition: selection
26falsepositives:
27 - Unlikely
28level: high
References
-
-
This blog was written by Kiran Raj & Kishan N. Introduction In the last few years, Microsoft Office macro malware using social engineering as a means
Read More -
The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor. Recently, we had an opportunity to perform a deeper investigation on a host compromised by this group.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- ClickOnce Trust Prompt Tampering