Detectionhightest

Office Macros Warning Disabled

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Trent Liffick, Nasreddine Bencherchali (Nextron Systems)Created Fri May 22Updated Tue Mar 1991239011-fe3c-4b54-9f24-15c86bb65913windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\Security\VBAWarnings'
        Details: 'DWORD (0x00000001)'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Related Rules

Similar

9b894e57-033f-46cf-b7fa-a52804181973

Rule not found

Rule Metadata

Rule ID

91239011-fe3c-4b54-9f24-15c86bb65913

Status

test

Level

high

Type

Detection

Created

Fri May 22

Modified

Tue Mar 19

Author

Trent Liffick, Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112

View on GitHub