
itman

Windows Registry Helps Find Malicious Docs Behind Infections


This is a great article on how to perform security forensics after a malware attack to determine the source MS Office entity responsible:

Quote

If a Windows computer becomes infected and you are trying to find its source, a good place to check is for malicious Microsoft Office documents that have been allowed to run on the computer.

Ransomware, downloaders, RATs, and info-stealing Trojans are commonly distributed through phishing emails containing Word and Excel documents with malicious macros.

When a user opens one of these documents in Microsoft Office, depending on the protection of the document or if the document contains macros, Office will restrict the functionality of the document unless the user clicks on 'Enable Editing' or 'Enable Content' buttons.

When a user enables a particular feature such as editing or macros, the document will be added as a Trusted Document to the TrustRecords subkey under the following Registry keys, depending on whether it's a Word or Excel document:


HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords

This allows Microsoft Office to remember the decision a user made and not prompt them again in the future.

This also means that if a user allowed editing or macros in a document by pressing the appropriate button, Office will remember this decision the next time you open the document and not ask again.

The good news is we can use this information to our advantage to find Word and Excel documents with macros that have been enabled on the computer.

https://www.bleepingcomputer.com/news/security/windows-registry-helps-find-malicious-docs-behind-infections/

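As an added example (not from the article or the poster), the PowerShell snippet below walks the TrustRecords keys for every Office version under HKCU and lists each trusted document with the time trust was granted, which is the check the article suggests running after an infection. The article does not describe the value data layout; the decoding used here (leading 8-byte FILETIME, trailing 4-byte flag where 0x7FFFFFFF marks 'Enable Content') is an assumption taken from common forensic write-ups and should be confirmed against a known sample before relying on the Action column.

```powershell
# Added example: enumerate Office TrustRecords for the current user.
# ASSUMPTION: value data = 8-byte FILETIME (when the user clicked the button),
# trailing 4-byte flag (0x7FFFFFFF = 'Enable Content', i.e. macros). This layout
# is not stated in the article; verify it on a known-good sample first.
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Microsoft\Office'

Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |   # version keys, e.g. 16.0
  ForEach-Object {
    $ver = $_.PSChildName
    foreach ($app in $apps) {
      $key = "$base\$ver\$app\Security\Trusted Documents\TrustRecords"
      if (-not (Test-Path $key)) { continue }
      $item = Get-Item $key
      foreach ($name in $item.GetValueNames()) {
        $data = $item.GetValue($name)                    # REG_BINARY -> byte[]
        if ($data -isnot [byte[]] -or $data.Length -lt 12) { continue }
        # First 8 bytes: FILETIME of the moment trust was granted.
        $ft = [BitConverter]::ToInt64($data, 0)
        $when = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
        # Last 4 bytes: trust flag (assumed meaning, see header comment).
        $flag = [BitConverter]::ToUInt32($data, $data.Length - 4)
        $kind = if ($flag -eq 0x7FFFFFFF) { 'Enable Content (macros)' } else { 'Enable Editing' }
        [PSCustomObject]@{
          Office   = $ver
          App      = $app
          Document = $name      # stored as a path, often prefixed with %USERPROFILE%
          TrustedUtc = $when
          Action   = $kind
        }
      }
    }
  } | Sort-Object TrustedUtc -Descending | Format-Table -AutoSize
```

Run it under the account that was in use at the time of infection, since the key lives in HKEY_CURRENT_USER; for other profiles, load their NTUSER.DAT hive and adjust `$base` accordingly.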

Note the text I underlined in the above posting.

It means that if macros are allowed to run initially and the document contained malicious ones, a user who opens the document again at a later date would cause the malware to run unabated and reinfect the device/network all over again.


Does ESET have any defense against this except manually creating HIPS rules?


Since this posting is about macro malware, there is an excellent way to protect against this yet allow macros in locally created MS Office documents, spreadsheets, and the like:

Quote

The Group Policy setting (‘block macros from running in Office files from the Internet’) can be utilised to disable macros in Office documents received from specific high risk locations. The setting cannot be bypassed by the user; the user is unable to accidentally infect the machine as the setting is enabled in Group Policy by the Admin.

The feature in Office 2016 blocks macros from loading in certain high-risk circumstances such as documents downloaded from the internet or storage providers (Dropbox, OneDrive and Google Drive), document attachments sent from outside of the organization and documents from file-sharing or public sharing. Organizations can define macro use to precise situations and block other macro enablement allowing for better control over macro usage. Not only can the feature be controlled via Group Policy but it can be configured per application too. The Group Policy element can be enabled for Word, Excel and PowerPoint. Finally, if a user attempts to enable a macro the user is issued with a strict notification/warning and they are directed to Admin.

http://techgenix.com/return-macro-attacks/

Note that this policy would still enable use of macros for documents created within the organization, and even allow e-mailing those documents to other organizations.
