Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
title: Disable Macro Runtime Scan Scope
id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
status: test
date: 2022-10-25
modified: 2023-08-17
author: Nasreddine Bencherchali (Nextron Systems)
references:
- https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
- https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
- https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
tags:
- attack.defense-impairment
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\'
- '\Microsoft\Office\'
- '\Common\Security'
TargetObject|endswith: '\MacroRuntimeScanScope'
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unknown
level: high
imRegistry
| where (RegistryKey endswith "\\SOFTWARE*" and RegistryKey endswith "\\Microsoft\\Office*" and RegistryKey contains "\\Common\\Security") and RegistryKey endswith "\\MacroRuntimeScanScope" and RegistryValueData =~ "DWORD (0x00000000)"DeviceRegistryEvents
| where (RegistryKey endswith "\\SOFTWARE*" and RegistryKey endswith "\\Microsoft\\Office*" and RegistryKey contains "\\Common\\Security") and RegistryKey endswith "\\MacroRuntimeScanScope" and RegistryValueData =~ "DWORD (0x00000000)"| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |