Detects registry changes to Microsoft Office “AccessVBOM” to a value of “1” which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft
title: Trust Access Disable For VBApplications
id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\AccessVBOM'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
imRegistry
| where RegistryKey endswith "\\Security\\AccessVBOM" and RegistryValueData =~ "DWORD (0x00000001)"DeviceRegistryEvents
| where RegistryKey endswith "\\Security\\AccessVBOM" and RegistryValueData =~ "DWORD (0x00000001)"| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |