Detectionhightest

Trust Access Disable For VBApplications

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Trent Liffick, Nasreddine Bencherchali (Nextron Systems)Created Fri May 22Updated Thu Aug 171a5c46e9-f32f-42f7-b2bc-6e9084db7fbfwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\Security\AccessVBOM'
        Details: 'DWORD (0x00000001)'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Related Rules

Similar

9b894e57-033f-46cf-b7fa-a52804181973

Rule not found

Rule Metadata

Rule ID

1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf

Status

test

Level

high

Type

Detection

Created

Fri May 22

Modified

Thu Aug 17

Author

Trent Liffick, Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112

View on GitHub