security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/deprecated/windows/registry_set_disable_microsoft_office_security_features.yml
T
frack113 bb2aea7c4d Refractor registry_set rules 
Signed-off-by: frack113 <magicfrancois@gmail.com>
2023-08-17 08:57:52 +02:00

37 lines
1.5 KiB
YAML
Raw Blame History

title: Disable Microsoft Office Security Features
id: 7c637634-c95d-4bbf-b26c-a82510874b34
status: deprecated
description: Disable Microsoft Office Security Features by registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
author: frack113
date: 2021/06/08
modified: 2023/08/17
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
category: registry_set
definition: key must be add to the sysmon configuration to works
# Sysmon
# <TargetObject name="T1562,office" condition="end with">\VBAWarnings</TargetObject>
# <TargetObject name="T1562,office" condition="end with">\DisableInternetFilesInPV</TargetObject>
# <TargetObject name="T1562,office" condition="end with">\DisableUnsafeLocationsInPV</TargetObject>
# <TargetObject name="T1562,office" condition="end with">\DisableAttachementsInPV</TargetObject>
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Office\'
TargetObject|endswith:
- VBAWarnings
- DisableInternetFilesInPV
- DisableUnsafeLocationsInPV
- DisableAttachementsInPV
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink