Disabling Python warnings for executing untrusted code
Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Sigma rule (View on GitHub)
```yaml
title: Disabling Python warnings for executing untrusted code
description: Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
status: experimental
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023/08/22
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\reg.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            # Sigma treats '\*' as a literal asterisk; '\\*' is a literal backslash
            # followed by the wildcard that stands in for the Office version (e.g. 16.0).
            - 'software\policies\microsoft\office\\*\excel\security'
            - 'pythonfunctionwarnings*0'
    selection2:
        CommandLine|contains:
            - 'reg*add'
            - 'Set-ItemProperty'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.001
```
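To check what this rule's detection block actually matches, here is an added example (not part of the Sigma rule or the SigmaHQ project) that translates the rule's value patterns with Sigma's wildcard and escape semantics and runs them over a few constructed process-creation events; the event contents and the `\\*` spelling of the Office version wildcard are assumptions made for this example.

```python
import re

# Constructed sample process-creation events (Sysmon event 1 style), not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security"
                    r" /v PythonFunctionWarnings /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Set-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'"
                    r" -Name PythonFunctionWarnings -Value 0"},
    # Benign: reads the key instead of setting it; no 'add'/Set-ItemProperty and no value 0.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security /v PythonFunctionWarnings"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

# The rule's detection block. Sigma reads '\*' as a plain asterisk, so the backslash
# before the Office version wildcard must be written '\\*' to stay a backslash.
RULE = {
    "selection1": {
        "Image|endswith": [r"\reg.exe", r"\powershell.exe"],
        "CommandLine|contains|all": [r"software\policies\microsoft\office\\*\excel\security",
                                     "pythonfunctionwarnings*0"],
    },
    "selection2": {"CommandLine|contains": ["reg*add", "Set-ItemProperty"]},
}

def sigma_to_regex(pattern: str) -> str:
    r"""Translate Sigma value escaping: * and ? are wildcards; \*, \? and \\ are literals."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1])); i += 2
        else:
            out.append({"*": ".*", "?": "."}.get(ch, re.escape(ch))); i += 1
    return "".join(out)

def field_matches(event: dict, key: str, values: list) -> bool:
    field, *mods = key.split("|")
    regexes = [sigma_to_regex(v) + ("$" if "endswith" in mods else "") for v in values]
    hits = [re.search(rx, event.get(field, ""), re.IGNORECASE) is not None for rx in regexes]
    return all(hits) if "all" in mods else any(hits)  # a Sigma list is OR unless |all

def rule_matches(event: dict) -> bool:
    """condition: selection1 and selection2"""
    return all(all(field_matches(event, k, v) for k, v in sel.items()) for sel in RULE.values())

def alerts(events: list) -> list:
    return [e["CommandLine"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for line in alerts(EVENTS):
        print("ALERT:", line)
```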