8/28/2018

Office Macro Exploitation: Mitigating and Threat Hunting This Widely Exploited Vector

© 2018 Monterey Technology Group Inc.

Sponsored by Carbon Black

Preview of Key Points
• Assessing use of Office macros in your environment
• Preventive controls for Office macros
• Threat hunting macros

Assessing use of Office macros in your environment
• Scan using YARA
  • File servers
  • Can’t find anything for SharePoint, OneDrive
• Email security products
• Next-gen firewalls
• Microsoft tools
  • Office Telemetry
  • Readiness Toolkit for Office
  • Office tools give some visibility into how frequent macro-enabled documents are

Yara Rules for VBA detection
• https://github.com/Yara-Rules/rules/blob/master/Malicious_Documents/Maldoc_VBA_macro_code.yar

Office Telemetry
• How to install
  • https://docs.microsoft.com/en-us/deployoffice/compat/plan-telemetry-dashboard-deployment
  • https://docs.microsoft.com/en-us/deployoffice/compat/deploy-telemetry-dashboard
• Custom report
  • Inventory table
  • “Has VBA” = 1

Readiness Toolkit for Office
• Command line tool
• Options
  • Scan shared folders from a single PC:
    ReadinessReportCreator.exe -p c:\officefiles\ -r -output \\server01\finance -silent
  • Scan multiple users’ Most Recently Used lists:
    ReadinessReportCreator.exe -mru -output \\server01\finance -silent

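As an added example (my own code, not part of the webinar deck and not YARA or Microsoft tooling), the Python script below does the kind of file-server inventory that the YARA scan and the Office Telemetry “Has VBA” = 1 report are after: it walks a folder tree and records every Office document that carries a VBA project, flagging VBA found inside an extension that is not normally macro-enabled. The sample files it scans are constructed in a temporary directory and are not real documents; the legacy-format check is a raw byte heuristic for the `_VBA_PROJECT` stream name, not a full compound-file parse.

```python
"""Inventory scan for Office documents that carry a VBA project.

Added example (not from the webinar deck, YARA, or Microsoft tooling). Walks
a folder tree the way a YARA file-server scan or the Office Telemetry
"Has VBA" = 1 report would, and records every document with a macro project.
"""
import io
import os
import tempfile
import zipfile

# Office Open XML containers: a macro project lives in a vbaProject.bin part.
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xlsb",
                    ".xltm", ".pptx", ".pptm"}
# Extensions that are expected to hold macros; VBA inside the others is odd.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xlsb", ".xltm", ".pptm"}
# Legacy binary documents (OLE2 compound files) can always hold macros.
OLE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Compound-file directory entries store stream names as UTF-16LE, and every
# VBA project storage contains a "_VBA_PROJECT" stream (MS-OVBA).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def ooxml_has_vba(data):
    """True if the zip container holds a vbaProject.bin part anywhere."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole_has_vba(data):
    """Byte-level heuristic for legacy documents: OLE2 magic plus the stream name."""
    return data.startswith(OLE_MAGIC) and OLE_VBA_MARKER in data


def classify(path, data):
    """Inventory record for one file, or None when it carries no VBA."""
    ext = os.path.splitext(path)[1].lower()
    if ext in OOXML_EXTENSIONS and ooxml_has_vba(data):
        return {"path": path, "format": "ooxml",
                "macro_enabled_extension": ext in MACRO_ENABLED_EXTENSIONS}
    if ext in OLE_EXTENSIONS and ole_has_vba(data):
        return {"path": path, "format": "ole", "macro_enabled_extension": True}
    return None


def scan_tree(root):
    """Walk a share or folder and collect every document that contains VBA."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                record = classify(full, fh.read())
            if record:
                findings.append(record)
    return sorted(findings, key=lambda r: r["path"])


def _write_ooxml(path, with_vba):
    """Minimal constructed OOXML-style zip; not a document Office would open."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)


def build_sample_tree(root):
    """Constructed sample inputs so the scan runs stand-alone."""
    _write_ooxml(os.path.join(root, "budget.docm"), with_vba=True)
    _write_ooxml(os.path.join(root, "memo.docx"), with_vba=False)
    _write_ooxml(os.path.join(root, "invoice.docx"), with_vba=True)  # VBA in a .docx
    sub = os.path.join(root, "archive")
    os.makedirs(sub, exist_ok=True)
    with open(os.path.join(sub, "old_report.doc"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER)  # fake OLE header + marker
    with open(os.path.join(sub, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, ignored by the scan")


def demo():
    """Build the sample tree, scan it, print a report; returns (name, format, expected-ext)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        for rec in findings:
            note = "" if rec["macro_enabled_extension"] else "   <- VBA in a non-macro extension"
            print(f"{rec['format']:5} {os.path.relpath(rec['path'], root)}{note}")
        return [(os.path.basename(r["path"]), r["format"], r["macro_enabled_extension"])
                for r in findings]


if __name__ == "__main__":
    demo()
```

Point `scan_tree` at a mounted share to run it against real data. For the legacy binary formats treat a hit as a prompt to confirm with a proper OLE parser or the YARA rule above, since a byte-match heuristic is only as good as the marker it looks for.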
Preventive controls
• Disable VBA completely in Office
• Disable VBA except for signed macros
• Disable VBA in files from the Internet
• Leave your fate in the hands of users (default behavior of Office)

Controlling Office Security Settings via Group Policy
• https://www.microsoft.com/en-us/download/details.aspx?id=49030
• Run installer (32/64-bit)
• Move main files to C:\Windows\PolicyDefinitions
• And then the language-specific files, such as C:\Windows\PolicyDefinitions\en-US

Why not use “Trusted Locations”?
• It’s not a security control – it’s a convenience
• Under control of the user
• Supposedly able to configure with the Office Customization Tool
  • HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\application_name\Security\Trusted Locations
  • https://docs.microsoft.com/en-us/previous-versions/office/office-2007-resource-kit/cc179039(v=office.12)
• Better to disable it

Disable VBA in files from the Internet
• User Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > Security > Trust Center
  • Block macros from running in Office files from the Internet
• Attacker just needs to get the user to unblock this file by
  • Unchecking the block in the file’s properties in Explorer
  • Saving it to a trusted location, if enabled
• Fate still in the hands of the user

Disable VBA except for signed macros
• This is better, but your protection evaporates if the attacker
  • Successfully obtains a valid Office macro code-signing certificate
    • Either directly from a commercial CA
    • Or steals a cert (and private key) from someone legitimate
  • Convinces the user to self-sign the certificate
  • Gets them to trust the publisher
• The problem is that Office doesn’t obey the “Trusted Publishers” policy in Windows
  • User can choose Trusted Publishers

Enforcing more control over digital signatures
• Take control of
  • Trusted Locations
  • Trusted Publishers
• Office Customization Tool
• Registry settings
• Registry permissions


How to sign
 Digitally sign your macro project
macros  https://support.office.com/en-us/article/Digitally-sign-your-
macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01

 The only way to completely protect against Office VBA


 But it also completely breaks legitimate use of macros

Disable VBA
completely in
Office

8
Additional mitigations short of complete disablement
• Prevent Word 2016 and Excel 2016 from loading managed code extensions
  • VSTO add-in or a document-level customization
• Macro Runtime Scan Scope
  • Documents opened while macro security settings are set to "Enable All Macros"
  • Documents opened from a Trusted Location
  • Documents that are Trusted Documents
  • Documents that contain VBA that is digitally signed by a Trusted Publisher
• Change how Office 2016 VBA macros behave in applications that are started programmatically
  • https://docs.microsoft.com/en-us/deployoffice/security/plan-security-settings-for-vba-macros-in-office#change-how-office-2016-vba-macros-behave-in-applications-that-are-started-programmatically
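To make the preventive rungs above concrete, here is an added Python example (mine, not from the deck or from Microsoft) that takes the policy values the Office ADMX templates write, works out which rung a configuration actually lands on, and lists the gaps the deck calls out for that rung. The registry value names and the Office 16.0 / Word paths are assumptions drawn from the templates: verify them against your own ADMX version and repeat the check per application (Excel, PowerPoint). The sample configurations are constructed; `read_live_values` only does anything on a Windows host.

```python
"""Map Office macro policy values onto the four preventive rungs from the deck.

Added example, not from the deck or from Microsoft. Value names and paths are
assumed from the Office 2016/365 ADMX templates (HKCU policy hive, Word);
verify them against your template version and repeat for Excel/PowerPoint.
"""

POLICY_ROOT = r"Software\Policies\Microsoft\Office\16.0"   # under HKEY_CURRENT_USER

# name -> (subkey below POLICY_ROOT, value name); meanings in the comments.
SETTINGS = {
    "vbaoff": (r"Common", "vbaoff"),                      # 1: VBA disabled in all Office apps
    "VBAWarnings": (r"Word\Security", "VBAWarnings"),     # 1 enable all, 2 prompt (default),
                                                          # 3 signed only, 4 disable all
    "blockcontentexecutionfrominternet":
        (r"Word\Security", "blockcontentexecutionfrominternet"),   # 1: block Internet files
    "AllLocationsDisabled":
        (r"Word\Security\Trusted Locations", "AllLocationsDisabled"),  # 1: no trusted locations
    "MacroRuntimeScanScope":
        (r"Common\Security", "MacroRuntimeScanScope"),    # 0 off, 1 low-trust docs, 2 all docs
}

TIER_COMPLETE = "Disable VBA completely in Office"
TIER_SIGNED = "Disable VBA except for signed macros"
TIER_INTERNET = "Disable VBA in files from the Internet"
TIER_USER = "Leave your fate in the hands of users"


def classify_posture(values):
    """values: {setting name: DWORD}; a missing key means 'not configured'.

    Returns the rung the configuration lands on plus the gaps the deck warns
    about for that rung (the ways a macro can still end up running).
    """
    warnings = values.get("VBAWarnings")
    motw_block = values.get("blockcontentexecutionfrominternet") == 1
    trusted_locations_off = values.get("AllLocationsDisabled") == 1
    scan_scope = values.get("MacroRuntimeScanScope")

    if values.get("vbaoff") == 1 or warnings == 4:
        tier = TIER_COMPLETE
    elif warnings == 3:
        tier = TIER_SIGNED
    elif motw_block:
        tier = TIER_INTERNET
    else:
        tier = TIER_USER

    gaps = []
    if tier == TIER_USER and warnings == 1:
        gaps.append("VBAWarnings=1 runs every macro without even the default prompt")
    if tier in (TIER_USER, TIER_INTERNET) and not trusted_locations_off:
        gaps.append("Trusted Locations still honoured: a file saved there runs its macros")
    if tier == TIER_INTERNET:
        gaps.append("Internet block is lifted once the user unblocks the file in Explorer")
    if tier == TIER_SIGNED:
        gaps.append("Users can add Trusted Publishers themselves; lock the list with registry permissions")
    if tier != TIER_COMPLETE and scan_scope == 0:
        gaps.append("MacroRuntimeScanScope=0 switches off runtime (AMSI) scanning of macro code")
    return {"tier": tier, "gaps": gaps}


def read_live_values():
    """Read the configured values from HKCU; returns {} off Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    for name, (subkey, value_name) in SETTINGS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_ROOT + "\\" + subkey) as key:
                found[name] = winreg.QueryValueEx(key, value_name)[0]
        except OSError:
            continue  # key or value not set by policy
    return found


# Constructed sample configurations, one per situation the deck discusses.
SAMPLES = {
    "default_install": {},
    "internet_block_only": {"blockcontentexecutionfrominternet": 1},
    "internet_block_no_trusted_locations": {"blockcontentexecutionfrominternet": 1,
                                            "AllLocationsDisabled": 1},
    "signed_only": {"VBAWarnings": 3, "AllLocationsDisabled": 1},
    "vba_disabled": {"vbaoff": 1},
    "enable_all_macros": {"VBAWarnings": 1, "MacroRuntimeScanScope": 0},
}


def demo():
    """Classify every sample and print the report; returns the classifications."""
    results = {name: classify_posture(cfg) for name, cfg in SAMPLES.items()}
    for name, res in results.items():
        print(f"{name}: {res['tier']}")
        for gap in res["gaps"]:
            print(f"  - {gap}")
    return results


if __name__ == "__main__":
    demo()
    live = read_live_values()
    if live:
        print("this host:", classify_posture(live))
```

The classifier reads the policy hive only; a value set in the user hive (HKCU\Software\Microsoft\Office\...) rather than the policy hive is exactly the user-controlled setting the deck warns about, so a clean result here still assumes Group Policy is the only thing writing these values.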

Bottom line
• Don’t hold back from using some of these controls just because they aren’t fool (user) proof
• Can’t stop every incident, but we can reduce the incidence
• There’s only so much you can do in terms of prevention in any technology without breaking the very technology you are trying to protect
• That’s where vigilance and monitoring come in
• Threat hunting is where our sponsor, Carbon Black, takes over, and Tristan Morris, Security Strategist at Carbon Black, will show you how they can use advanced threat hunting capabilities to proactively track down exploited macros.
8-28-18

Office Macro Exploitation: Mitigating and Threat Hunting This Widely Exploited Vector
Tristan Morris, Security Strategist

© 2018 Carbon Black. All Rights Reserved. | CONFIDENTIAL

Indicators vs Patterns
• Indicators: static, historic, and isolated
• Patterns: dynamic, contextual, and behavioral
Proactive Threat Hunting

What is it?
• Proactive and iterative search for attacks
• Informed by knowledge of your environment
• Often hypothesis-based

What is it not?
• Out-of-the-box detection
• A checklist of indicators of compromise
• Applying 3rd-party threat intel feeds
Knowing When to Hunt
1. When you come across new research
2. When you read about a breach
3. When you encounter something odd
Executing Your Threat Hunt

Find suspicious activity along the kill chain:
1. Search on suspicion (e.g. PowerShell)
2. Filter out legitimate activity
3. Deeper investigation (in seconds)
4. Discover malicious activity
5. Scope the attack
6. Remediate the threat
7. Harden defenses

Phases: start the hunt, refine the hunt, root cause analysis, response & remediation, continuous improvement
Threat Hunting Process
• Having the right tools is only part of threat hunting
• Threat hunting is a mindset and a process; results are not instantaneous
Live Threat Hunting Demo with Cb Response
Introducing Cb LiveOps
Cb LiveOps
• Easy query builder
• Save & re-run queries
• Inspect endpoints on demand
• Take immediate action
• Simplify operational reporting
• Built on osquery
• Built on a complete security platform
• Live response & remediation
• Filter & export results
Live Query
• Query-based security & operations tool
• Immediate access to granular endpoint data
• Save & schedule queries for easy operational reporting
Live Response
• Fastest way to take action
• Investigate and remediate in real time
• Puts you in complete control
Unlocking Security & IT Operations

Detect & Investigate
• IOC search: Does this registry value exist? Where?
• Insider threat: Where has this removable device been used?
• Hunt: What devices is this user logged into?
• Log analysis: What process violations have occurred?
• FIM: Have OS configurations changed?
• Governance: Which devices aren’t running Cb Response?

Hygiene & Audit
• Compliance: What patch levels are my devices on?
• Vuln. assessment: Where does this version of Adobe Flash exist?
• License mgmt: How many Camtasia licenses are being used?