Microsoft Office Protected View Disabled

 1title: Microsoft Office Protected View Disabled
 2id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
 3related:
 4    - id: 7c637634-c95d-4bbf-b26c-a82510874b34
 5      type: obsolete
 6status: test
 7description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
10    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
11    - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
12    - https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
13author: frack113, Nasreddine Bencherchali (Nextron Systems)
14date: 2021-06-08
15modified: 2023-08-17
16tags:
17    - attack.defense-evasion
18    - attack.t1562.001
19logsource:
20    product: windows
21    category: registry_set
22detection:
23    selection_path:
24        TargetObject|contains|all:
25            - '\SOFTWARE\Microsoft\Office\'
26            - '\Security\ProtectedView\'
27    selection_values_1:
28        Details: 'DWORD (0x00000001)'
29        TargetObject|endswith:
30            - '\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook
31            - '\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone
32            - '\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths
33            - '\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations
34    selection_values_0:
35        Details: 'DWORD (0x00000000)'
36        TargetObject|endswith:
37            - '\enabledatabasefileprotectedview'
38            - '\enableforeigntextfileprotectedview'
39    condition: selection_path and 1 of selection_values_*
40falsepositives:
41    - Unlikely
42level: high

References

• atomic-red-team/atomics/T1562.001/T1562.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• The Gorgon Group: Slithering Between Nation State and Cybercrime

  

  Slithering between nation state and cybercrime: Unit 42 examines the Gorgon Group’s unsophisticated yet effective attacks. Read the full report.

  
  Read More

• Cyber-Criminal espionage Operation insists on Italian Manufacturing

  

  Introduction During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain. The group behind this activity is the same we identified in the past malicious operations described in Roma225 (12/2018), Hagga (08/2019), Mana (09/2019), […]

  
  Read More

• HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview

  Search in Group Policy Administrative Templates

  
  Read More

Related rules

• AMSI Bypass Pattern Assembly GetType
• AWS CloudTrail Important Change
• AWS Config Disabling Channel/Recorder
• AWS GuardDuty Important Change
• Add SafeBoot Keys Via Reg Utility