Disable Office Macros - Malware Protection

Hi all

Are you guys seeing a sudden spike of Emotet related spam mails arriving? The org I’m working in is seeing this. They arrive from compromised email accounts. The email messages are hijacked from original email conversations so the content looks 100% legit. The email has a password encrypted ZIP file, which has macros, which decrypts some obfuscated Powershell, which then runs to download the actual Emotet payload.

I would like to share a worklet I’ve developed based on: https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/.

The necessary registry settings can be found here: https://www.slipstick.com/outlook/block-macros-office-20132016/

Here’s the worklet. The registry settings are under HKCU, so the powershell code to do this is a bit more convoluted. The nice thing about the code below is it will work whether there is a current user logged in or not (since Automox’s agent runs in the SYSTEM context, accessing HKCU directly makes no contextual sense). It loops through all user profiles in the system and applies the necessary registry settings.

# Regex pattern for SIDs
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
 
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} | 
    Select  @{name="SID";expression={$_.PSChildName}}, 
            @{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}}, 
            @{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}
 
# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
$LoadedHives = gci Registry::HKEY_USERS | ? {$_.PSChildname -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}}
 
# Get all users that are not currently logged
$UnloadedHives = Compare-Object $ProfileList.SID $LoadedHives.SID | Select @{name="SID";expression={$_.InputObject}}, UserHive, Username
 
# Loop through each profile on the machine
Foreach ($item in $ProfileList) {
    # Load User ntuser.dat if it's not already loaded
    IF ($item.SID -in $UnloadedHives.SID) {
        reg load HKU\$($Item.SID) $($Item.UserHive) | Out-Null
    }
 
    #####################################################################
    # This is where you can read/modify a users portion of the registry 
 
    # Word
    New-Item -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Word\Security -Force
    Set-ItemProperty -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Word\Security -Name blockcontentexecutionfrominternet -Value 1 -Type DWord -Force
    
    # Excel
    New-Item -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Excel\Security -Force
    Set-ItemProperty -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Excel\Security -Name blockcontentexecutionfrominternet -Value 1 -Type DWord -Force
    
    # Powerpoint
    New-Item -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Powerpoint\Security -Force
    Set-ItemProperty -Path registry::HKEY_USERS\$($Item.SID)\Software\Policies\Microsoft\Office\16.0\Powerpoint\Security -Name blockcontentexecutionfrominternet -Value 1 -Type DWord -Force
    
    
    #####################################################################
 
    # Unload ntuser.dat        
    IF ($item.SID -in $UnloadedHives.SID) {
        ### Garbage collection and closing of ntuser.dat ###
        [gc]::Collect()
        reg unload HKU\$($Item.SID) | Out-Null
    }
}
2 Likes