Microsoft Office Protected View Disabled

 1title: Microsoft Office Protected View Disabled
 2id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
 3related:
 4    - id: 7c637634-c95d-4bbf-b26c-a82510874b34
 5      type: obsoletes
 6status: test
 7description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
10    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
11    - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
12    - https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
13author: frack113, Nasreddine Bencherchali (Nextron Systems)
14date: 2021/06/08
15modified: 2023/08/17
16tags:
17    - attack.defense_evasion
18    - attack.t1562.001
19logsource:
20    product: windows
21    category: registry_set
22detection:
23    selection_path:
24        TargetObject|contains|all:
25            - '\SOFTWARE\Microsoft\Office\'
26            - '\Security\ProtectedView\'
27    selection_values_1:
28        Details: 'DWORD (0x00000001)'
29        TargetObject|endswith:
30            - '\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook
31            - '\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone
32            - '\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths
33            - '\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations
34    selection_values_0:
35        Details: 'DWORD (0x00000000)'
36        TargetObject|endswith:
37            - '\enabledatabasefileprotectedview'
38            - '\enableforeigntextfileprotectedview'
39    condition: selection_path and 1 of selection_values_*
40falsepositives:
41    - Unlikely
42level: high

References

• atomic-red-team/atomics/T1562.001/T1562.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• The Gorgon Group: Slithering Between Nation State and Cybercrime

  

  Slithering between nation state and cybercrime: Unit 42 examines the Gorgon Group’s unsophisticated yet effective attacks. Read the full report.

  
  Read More

• Cyber-Criminal espionage Operation insists on Italian Manufacturing

  

  Introduction During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain. The group behind this activity is the same we identified in the past malicious operations described in Roma225 (12/2018), Hagga (08/2019), Mana (09/2019), […]

  
  Read More

• HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview

  Search in Group Policy Administrative Templates

  
  Read More

Related rules

• Disable Exploit Guard Network Protection on Windows Defender
• Disable PUA Protection on Windows Defender
• Disable Privacy Settings Experience in Registry
• Disable Tamper Protection on Windows Defender
• Disable Windows Defender Functionalities Via Registry Keys