Hi all
Are you guys seeing a sudden spike of Emotet-related spam mails arriving? The org I’m working in is seeing this. They arrive from compromised email accounts. The email messages are hijacked from original email conversations so the content looks 100% legit. The email has a password-encrypted ZIP file, which has macros, which decrypts some obfuscated PowerShell, which then runs to download the actual Emotet payload.
I would like to share a worklet I’ve developed based on: https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/.
The necessary registry settings can be found here: https://www.slipstick.com/outlook/block-macros-office-20132016/
Here’s the worklet. The registry settings are under HKCU, so the PowerShell code to do this is a bit more convoluted. The nice thing about the code below is it will work whether there is a current user logged in or not (since Automox’s agent runs in the SYSTEM context, accessing HKCU directly makes no contextual sense). It loops through all user profiles in the system and applies the necessary registry settings.
# Regex pattern for SIDs
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} |
Select @{name="SID";expression={$_.PSChildName}},
@{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}},
@{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}
# Get all user SIDs found in HKEY_USERS (ntuser.dat files that are loaded)
$LoadedHives = gci Registry::HKEY_USERS | ? {$_.PSChildName -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}}
# Get all users that are not currently logged in
# (Where-Object instead of Compare-Object: Compare-Object throws when no user hive is loaded at all,
# which is exactly the case when the agent runs as SYSTEM with nobody logged in)
$UnloadedHives = $ProfileList | Where-Object { $_.SID -notin $LoadedHives.SID }
# Loop through each profile on the machine
Foreach ($item in $ProfileList) {
# Load User ntuser.dat if it's not already loaded (paths are quoted in case the profile folder contains spaces)
IF ($item.SID -in $UnloadedHives.SID) {
reg load "HKU\$($Item.SID)" "$($Item.UserHive)" | Out-Null
}
#####################################################################
# This is where you can read/modify a users portion of the registry
# Word
New-Item -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Word\Security -Force | Out-Null
Set-ItemProperty -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Word\Security -Name blockcontentexecutionfrominternet -Value 1 -Type DWord -Force
# Excel
New-Item -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Excel\Security -Force | Out-Null
Set-ItemProperty -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Excel\Security -Name blockcontentexecutionfrominternet -Value 1 -Type DWord -Force
# Powerpoint
New-Item -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Powerpoint\Security -Force | Out-Null
Set-ItemProperty -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Powerpoint\Security -Name blockcontentexecutionfrominternet -Value 1 -Type DWord -Force
#####################################################################
# Unload ntuser.dat
IF ($item.SID -in $UnloadedHives.SID) {
### Garbage collection and closing of ntuser.dat ###
[gc]::Collect()
reg unload "HKU\$($Item.SID)" | Out-Null
}
}
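Added example, not part of the post above: an audit function that reports, for every currently loaded user hive, whether the three policy values the worklet sets are present and equal to 1, so the worklet's effect can be verified from the same SYSTEM context. The function name and the OfficeVersion parameter are my own (15.0 is the Office 2013 key); it covers loaded hives only and deliberately does not repeat the worklet's hive loading and unloading.

```powershell
# Audit blockcontentexecutionfrominternet across loaded user hives (added example)
$PatternSID = 'S-1-5-21-\d+-\d+-\d+-\d+$'
$Apps = 'Word', 'Excel', 'Powerpoint'

function Get-MacroBlockStatus {
    [CmdletBinding()]
    param([string]$OfficeVersion = '16.0')   # '15.0' for Office 2013 (hypothetical parameter)

    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match $PatternSID } |
        ForEach-Object {
            $sid = $_.PSChildName
            foreach ($app in $Apps) {
                $key = "Registry::HKEY_USERS\$sid\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
                # Missing key or value simply yields $null here, which we report as not blocked
                $value = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    SID     = $sid
                    App     = $app
                    Blocked = ($null -ne $value -and $value.blockcontentexecutionfrominternet -eq 1)
                }
            }
        }
}

# List every loaded profile/app combination where the blocking policy is missing or not 1
Get-MacroBlockStatus | Where-Object { -not $_.Blocked } | Format-Table -AutoSize
```

An empty table means every loaded hive has the policy in place; profiles of users who are not logged in are not checked by this function.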