Disabling Python warnings for executing untrusted code

Detects the registry change that disables the warning Excel shows before Python functions execute (the PythonFunctionWarnings value under the Excel security policy key). Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Sigma rule

title: Disabling Python warnings for executing untrusted code
description: Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
status: experimental
references:
  - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023/08/22
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
          - '\reg.exe'
          - '\powershell.exe'
        CommandLine|contains|all:
          - 'software\policies\microsoft\office\*\excel\security'
          - 'pythonfunctionwarnings*0'
    selection2:
        CommandLine|contains:
          - 'reg*add'
          - 'Set-ItemProperty'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.T1562.001
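
To see what the rule actually fires on, here is an added example (not part of the rule or the Sigma project) that re-implements the `contains`, `contains|all` and `endswith` semantics the rule relies on (case-insensitive, `*` as wildcard) and runs the detection over three constructed process_creation events: a reg.exe change, a PowerShell Set-ItemProperty change, and a read-only reg query that must not alert. The event field names and the Office version key `16.0` in the sample paths are assumptions for the sake of the sample.

```python
import re

# The rule's detection section restated as Python data (transcribed from the YAML above).
SELECTION1 = {
    ("Image", "endswith"): [r"\reg.exe", r"\powershell.exe"],
    ("CommandLine", "contains|all"): [
        r"software\policies\microsoft\office\*\excel\security",
        "pythonfunctionwarnings*0",
    ],
}
SELECTION2 = {("CommandLine", "contains"): ["reg*add", "Set-ItemProperty"]}

def _sigma_regex(pattern: str, modifier: str) -> re.Pattern:
    """Sigma string semantics: '*' is a wildcard, everything else is literal,
    and matching is case-insensitive; 'endswith' anchors at the end of the value."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if modifier.startswith("endswith"):
        body += r"\Z"
    return re.compile(body, re.IGNORECASE)

def _selection_matches(selection: dict, event: dict) -> bool:
    """Every field in the selection must match; a list of values is OR-ed
    unless the modifier carries '|all', in which case all values must hit."""
    for (field, modifier), values in selection.items():
        value = event.get(field, "")
        hits = [bool(_sigma_regex(v, modifier).search(value)) for v in values]
        if not (all(hits) if modifier.endswith("|all") else any(hits)):
            return False
    return True

def rule_matches(event: dict) -> bool:
    """condition: selection1 and selection2"""
    return _selection_matches(SELECTION1, event) and _selection_matches(SELECTION2, event)

# Constructed process_creation events, not real telemetry. The first two
# disable the warning via reg.exe and PowerShell; the third only reads the value.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v PythonFunctionWarnings /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Set-ItemProperty -Path HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security -Name PythonFunctionWarnings -Value 0"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v PythonFunctionWarnings'},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT" if rule_matches(e) else "ok   ", e["CommandLine"][:70])
```

The third event shows why `pythonfunctionwarnings*0` matters: a query that merely reads the value has no trailing `0` after the value name, so selection1 fails and no alert is raised.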
