itman
Posted March 11, 2020 (edited March 12, 2020 by itman)

This is a great article on how to perform security forensics after a malware attack to determine the source MS Office entity responsible:

Quote:

    If a Windows computer becomes infected and you are trying to find its source, a good place to check is for malicious Microsoft Office documents that have been allowed to run on the computer.

    Ransomware, downloaders, RATs, and info-stealing Trojans are commonly distributed through phishing emails containing Word and Excel documents with malicious macros.

    When a user opens one of these documents in Microsoft Office, depending on the protection of the document or if the document contains macros, Office will restrict the functionality of the document unless the user clicks on 'Enable Editing' or 'Enable Content' buttons.

    When a user enables a particular feature such as editing or macros, the document will be added as a Trusted Document to the TrustRecords subkey under the following Registry keys depending if it's a Word or Excel document:

        HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
        HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords

    This allows Microsoft Office to remember the decision a user made and not prompt them again in the future. This also means that if a user allowed editing or macros in a document by pressing the appropriate button, Office will remember this decision the next time you open the document and not ask again.

    The good news is we can use this information to our advantage to find Word and Excel documents with macros that have been enabled on the computer.

https://www.bleepingcomputer.com/news/security/windows-registry-helps-find-malicious-docs-behind-infections/
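The following PowerShell script is an added example (not part of the forum post or the BleepingComputer article) that walks the TrustRecords keys quoted above for every Office version and application found under the current user's hive and lists which documents were granted trust. It assumes, as the article describes, that each value name is the document path and that the binary value data begins with an 8-byte FILETIME of when the trust decision was made and ends with a 4-byte flag where 0x7FFFFFFF means 'Enable Content' (macros) was clicked; the flag layout is an assumption stated here and in the comments, so verify it against a known-good record on your own system before relying on it in an investigation.

```powershell
# Added example: enumerate Office "Trusted Documents" TrustRecords for the
# current user and report which documents had editing or macros enabled.
# Assumed data layout (verify on your own system before relying on it):
#   bytes 0-7   : FILETIME (UTC) of when the trust decision was recorded
#   last 4 bytes: flag; 0x7FFFFFFF = 'Enable Content' (macros allowed),
#                 0x00000001 = 'Enable Editing' only
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Microsoft\Office'

function Get-OfficeTrustRecords {
    # Version subkeys look like 14.0, 15.0, 16.0; skip everything else.
    $versions = Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($ver in $versions) {
        foreach ($app in $apps) {
            $path = Join-Path $base "$($ver.PSChildName)\$app\Security\Trusted Documents\TrustRecords"
            if (-not (Test-Path -Path $path)) { continue }

            $key = Get-Item -Path $path
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                # Only REG_BINARY values of plausible length are TrustRecords.
                if ($data -isnot [byte[]] -or $data.Length -lt 12) { continue }

                $fileTime = [BitConverter]::ToInt64($data, 0)
                $flag     = [BitConverter]::ToUInt32($data, $data.Length - 4)
                $when     = $null
                try { $when = [DateTime]::FromFileTimeUtc($fileTime) } catch { }

                [pscustomobject]@{
                    OfficeVersion = $ver.PSChildName
                    Application   = $app
                    Document      = $name          # path as stored by Office
                    TrustedAtUtc  = $when
                    MacrosEnabled = ($flag -eq 0x7FFFFFFF)
                    RawFlag       = ('0x{0:X8}' -f $flag)
                }
            }
        }
    }
}

# Most recent trust decisions first; macro-enabled documents are the ones to
# pull for triage (hash, sender, mail headers) during an investigation.
Get-OfficeTrustRecords |
    Sort-Object -Property TrustedAtUtc -Descending |
    Format-Table -AutoSize
```

Run it in the context of the affected user (the keys live under HKEY_CURRENT_USER); for an offline disk image, load the user's NTUSER.DAT with reg load and change $base to point at the mounted hive instead.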
itman (Author)
Posted March 12, 2020 (edited March 12, 2020 by itman)

Note the text I underlined in the above posting. It means that if macros are allowed to run initially and the document contained malicious ones, a user who opens the document again at a later date would cause the malware to run unabated and reinfect the device/network all over again.
SeriousHoax
Posted March 12, 2020

Does ESET have any defense against this except manually creating HIPS rules?
itman (Author)
Posted March 13, 2020

Since this posting is about macro malware, there is an excellent way to protect against this yet allow macros in locally created MS Office documents, spreadsheets, and the like:

Quote:

    The Group Policy setting ('block macros from running in Office files from the Internet') can be utilised to disable macros in Office documents received from specific high risk locations. The setting cannot be bypassed by the user; the user is unable to accidentally infect the machine as the setting is enabled in Group Policy by the Admin.

    The feature in Office 2016 blocks macros from loading in certain high-risk circumstances such as documents downloaded from the internet or storage providers (Dropbox, OneDrive and Google Drive), document attachments sent from outside of the organization and documents from file-sharing or public sharing.

    Organizations can define macro use to precise situations and block other macro enablement allowing for better control over macro usage. Not only can the feature be controlled via Group Policy but it can be configured per application too. The Group Policy element can be enabled for Word, Excel and PowerPoint.

    Finally, if a user attempts to enable a macro the user is issued with a strict notification/warning and they are directed to Admin.

http://techgenix.com/return-macro-attacks/

Note that this policy would enable use of macros for documents created within the organization and even e-mail those documents to other organizations.
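To check whether the policy quoted above is actually in force on a machine, the following PowerShell audit is an added example (not from the post or the TechGenix article). When the 'Block macros from running in Office files from the Internet' setting is applied through Group Policy, Office 2016 and later reads it from the per-application value blockcontentexecutionfrominternet (DWORD, 1 = enabled) under HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security; the script reports that value, alongside the VBAWarnings policy value from the same key, for Word, Excel and PowerPoint. The version key 16.0 is the default for Office 2016/2019/365 and can be overridden with the -OfficeVersion parameter, which is this script's own parameter, not an Office setting.

```powershell
# Added example: audit the 'Block macros from running in Office files from the
# Internet' policy and the general VBAWarnings policy for the current user.
# Policy values are written by Group Policy under HKCU\Software\Policies.
function Get-OfficeMacroPolicy {
    param(
        # Office 2016/2019/365 all use the 16.0 key; older builds differ.
        [string]$OfficeVersion = '16.0'
    )
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = $null
        if (Test-Path -Path $path) {
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        }
        $blockFromInternet = if ($props) { $props.blockcontentexecutionfrominternet } else { $null }
        $vbaWarnings       = if ($props) { $props.VBAWarnings } else { $null }

        [pscustomobject]@{
            Application        = $app
            PolicyKey          = $path
            # $true only when the policy is explicitly enabled (value 1).
            InternetMacroBlock = ($blockFromInternet -eq 1)
            # VBAWarnings: 1 = enable all, 2 = disable with notification,
            # 3 = disable except digitally signed, 4 = disable without
            # notification; $null means no policy is applied.
            VBAWarnings        = $vbaWarnings
        }
    }
}

# Anything reporting InternetMacroBlock = False is a host where a user can still
# click 'Enable Content' on an Internet-sourced document.
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because these are policy keys, a missing value simply means the GPO has not reached the user (or was never set); the user's own Trust Center choices live under HKCU\Software\Microsoft\Office and do not override a configured policy.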