Disabling Python warnings for executing untrusted code
Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Sigma rule
title: Disabling Python warnings for executing untrusted code
id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
description: Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
status: experimental
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023/08/22
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\reg.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - 'software\policies\microsoft\office\*\excel\security'
            - 'pythonfunctionwarnings*0'
    selection2:
        CommandLine|contains:
            - 'reg*add'
            - 'Set-ItemProperty'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.001
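To show how the two selections combine, here is an added Python evaluator (not part of the rule or of the Sigma project) that applies this rule's field conditions to a handful of constructed process_creation events. Sigma's case-insensitive matching and `*`/`?` wildcards are reimplemented locally rather than taken from a real Sigma backend, and the sample events are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not from the page): the fields a Sigma
# windows/process_creation event carries. Events 0 and 1 set the
# warning to 0 via reg.exe and PowerShell; 2 only reads the key; 3 sets it to 1.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v PythonFunctionWarnings /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Set-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security' -Name PythonFunctionWarnings -Value 0"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v PythonFunctionWarnings /t REG_DWORD /d 1 /f'},
]

# The rule's selections, written as (field, modifier, any/all) -> values.
Selection = Dict[Tuple[str, str, str], List[str]]
SELECTION1: Selection = {
    ("Image", "endswith", "any"): [r"\reg.exe", r"\powershell.exe"],
    ("CommandLine", "contains", "all"): [
        r"software\policies\microsoft\office\*\excel\security",
        "pythonfunctionwarnings*0",
    ],
}
SELECTION2: Selection = {
    ("CommandLine", "contains", "any"): ["reg*add", "Set-ItemProperty"],
}

def sigma_value_to_regex(value: str, modifier: str) -> re.Pattern:
    """Turn one Sigma string value (with * and ? wildcards) into a regex."""
    parts = re.split(r"([*?])", value)
    body = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts)
    if modifier == "endswith":
        body += "$"
    elif modifier == "startswith":
        body = "^" + body
    return re.compile(body, re.IGNORECASE)  # Sigma string matching is case-insensitive

def selection_matches(event: Dict[str, str], selection: Selection) -> bool:
    """All field conditions of a selection must hold; 'all' needs every value, 'any' needs one."""
    for (field, modifier, mode), values in selection.items():
        hits = [sigma_value_to_regex(v, modifier).search(event.get(field, "")) is not None for v in values]
        if not (all(hits) if mode == "all" else any(hits)):
            return False
    return True

def rule_matches(event: Dict[str, str]) -> bool:
    return selection_matches(event, SELECTION1) and selection_matches(event, SELECTION2)  # condition: selection1 and selection2

def find_alerts(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # → [0, 1]
```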