← Back to Explore
sigmahighHunting
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Detection Query
selection:
TargetObject|endswith: \Security\AccessVBOM
Details: DWORD (0x00000001)
condition: selection
Author
Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
Created
2020-05-22
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.persistenceattack.defense-evasionattack.t1112
Raw Content
title: Trust Access Disable For VBApplications
id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-evasion
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\AccessVBOM'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high