Webinar 1517 Slides
8/28/2018

Made possible by
Thanks to
YARA rule for malicious VBA macro code:
https://github.com/Yara-Rules/rules/blob/master/Malicious_Documents/Maldoc_VBA_macro_code.yar
Office Telemetry
How to install Office Telemetry
• https://docs.microsoft.com/en-us/deployoffice/compat/plan-telemetry-dashboard-deployment
• https://docs.microsoft.com/en-us/deployoffice/compat/deploy-telemetry-dashboard
• Custom report: Inventory table, filter on “Has VBA” = 1
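The Telemetry Dashboard's "Has VBA" column is the key inventory signal on this slide. The following is an added example, not part of the webinar deck and not Office Telemetry's own code: it produces the same kind of inventory over a folder of OOXML files. It assumes that a macro-enabled OOXML document (docm, xlsm, pptm and their template variants) stores its VBA project as a zip part named vbaProject.bin; legacy binary .doc/.xls files are not zip containers and are only reported, not parsed. The sample files it builds are constructed stand-ins, not real Office documents.

```powershell
# Added example (not from the webinar deck): a small "Has VBA" inventory over
# OOXML files, mirroring the column the Telemetry Dashboard inventory table shows.
# Assumption: a macro-enabled OOXML file carries its VBA project as a zip part
# named vbaProject.bin (under word/, xl/ or ppt/ depending on the application).
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeVbaInventory {
    param([Parameter(Mandatory)] [string] $Path)
    $ooxml = '.docx', '.docm', '.dotm', '.xlsx', '.xlsm', '.xltm', '.pptx', '.pptm'
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $ooxml -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            $hasVba = 0
            $note = ''
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                try {
                    # Any part named vbaProject.bin means a VBA project is embedded.
                    if ($zip.Entries | Where-Object { $_.Name -eq 'vbaProject.bin' }) { $hasVba = 1 }
                } finally {
                    $zip.Dispose()
                }
            } catch {
                # Not a zip container (e.g. a renamed legacy binary file): flag it for manual review.
                $note = 'not a zip container: ' + $_.Exception.Message
            }
            [pscustomobject]@{ File = $file.FullName; HasVBA = $hasVba; Note = $note }
        }
}

function New-SampleOoxmlFile {
    # Constructed sample: a minimal zip holding only the parts the inventory inspects.
    # It is not a real Office document and contains no real VBA project.
    param([string] $FilePath, [bool] $WithVba)
    $stream = [System.IO.File]::Open($FilePath, [System.IO.FileMode]::Create)
    $zip = New-Object System.IO.Compression.ZipArchive($stream, [System.IO.Compression.ZipArchiveMode]::Create)
    $writer = New-Object System.IO.StreamWriter($zip.CreateEntry('[Content_Types].xml').Open())
    $writer.Write('<Types/>'); $writer.Dispose()
    if ($WithVba) {
        $writer = New-Object System.IO.StreamWriter($zip.CreateEntry('word/vbaProject.bin').Open())
        $writer.Write('placeholder bytes, not a real VBA project'); $writer.Dispose()
    }
    $zip.Dispose(); $stream.Dispose()
}

# Usage: build two constructed sample files in a temp folder and inventory them.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'vba-inventory-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
New-SampleOoxmlFile -FilePath (Join-Path $sample 'clean.docx') -WithVba $false
New-SampleOoxmlFile -FilePath (Join-Path $sample 'macro.docm') -WithVba $true
Get-OfficeVbaInventory -Path $sample | Format-Table -AutoSize
```

The inventory deliberately checks the zip contents rather than trusting the extension: a .docx that still carries a vbaProject.bin part is worth a second look, and a file that cannot be opened as a zip is reported rather than silently skipped.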
Preventive
• Disable VBA completely in Office
• Leave your fate in the hands of users (the default behavior of Office)

Controlling Office Security
• https://www.microsoft.com/en-us/download/details.aspx?id=49030
• Run installer (32/64-bit)
“Trusted Locations”?
• …us/previous-versions/office/office-2007-resource-kit/cc179039(v=office.12)
• Better to disable it
Enforcing more control over digital signatures
Take control of:
• Trusted Locations
• Trusted Publishers
• Office Customization Tool
• Registry settings
• Registry permissions
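"Registry settings" and "Registry permissions" on this slide are where the macro policy actually lives on the endpoint. The following is an added example, not part of the webinar deck and not a Microsoft tool: it audits, per application, the VBAWarnings value, the configured Trusted Locations, and which identities can rewrite the user-hive Security key. It assumes Office 2016 / Office 365 keys under ...\Office\16.0\<App>\Security, that the policy hive (Software\Policies\...) takes precedence over the user hive when both are set, and the VBAWarnings value meanings listed in the table in the code.

```powershell
# Added example (not from the webinar deck): audit the registry settings that decide
# whether macros run and which folders are trusted, and check who can change them.
# Assumptions: Office 2016/365 keys under ...\Office\16.0\<App>\Security; the policy
# hive wins over the user hive; VBAWarnings 1-4 map as in $VbaWarningsMeaning.
$Apps = 'Word', 'Excel', 'PowerPoint'
$VbaWarningsMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroSetting {
    param([Parameter(Mandatory)] [string] $App, [string] $Version = '16.0')
    $candidates = @(
        @{ Source = 'Policy'; Key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security" },
        @{ Source = 'User';   Key = "HKCU:\Software\Microsoft\Office\$Version\$App\Security" }
    )
    $value = 2; $source = 'not set (Office default)'
    foreach ($c in $candidates) {
        $item = Get-ItemProperty -Path $c.Key -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.VBAWarnings; $source = $c.Source; break }
    }
    $finding = ''
    if ($value -eq 1) { $finding = 'macros run without a prompt' }
    elseif ($source -ne 'Policy') { $finding = 'not enforced by policy; user can change it' }
    [pscustomobject]@{
        App = $App; Source = $source; VBAWarnings = $value
        Meaning = $VbaWarningsMeaning[$value]; Finding = $finding
    }
}

function Get-OfficeTrustedLocation {
    param([Parameter(Mandatory)] [string] $App, [string] $Version = '16.0')
    $hives = @(
        @{ Source = 'Policy'; Key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security\Trusted Locations" },
        @{ Source = 'User';   Key = "HKCU:\Software\Microsoft\Office\$Version\$App\Security\Trusted Locations" }
    )
    foreach ($h in $hives) {
        if (-not (Test-Path $h.Key)) { continue }
        foreach ($loc in Get-ChildItem -Path $h.Key) {
            $p = Get-ItemProperty -Path $loc.PSPath
            [pscustomobject]@{
                App = $App; Source = $h.Source; Location = $loc.PSChildName
                Path = $p.Path; AllowSubfolders = [bool]$p.AllowSubfolders
                Description = $p.Description
            }
        }
    }
}

function Get-OfficeSecurityKeyWriters {
    # Lists identities other than SYSTEM and Administrators that can write the
    # user-hive Security key. An unlocked key means the macro setting and the
    # Trusted Locations list can be rewritten in the user's own context.
    param([Parameter(Mandatory)] [string] $App, [string] $Version = '16.0')
    $key = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $key)) { return }
    (Get-Acl -Path $key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.RegistryRights.ToString() -match 'FullControl|SetValue|WriteKey|CreateSubKey' -and
                       $_.IdentityReference -notmatch 'SYSTEM|Administrators' } |
        ForEach-Object { [pscustomobject]@{ App = $App; Identity = $_.IdentityReference; Rights = $_.RegistryRights } }
}

# Usage: three tables, one per question (what is set, what is trusted, who can change it).
$Apps | ForEach-Object { Get-OfficeMacroSetting -App $_ } | Format-Table -AutoSize
$Apps | ForEach-Object { Get-OfficeTrustedLocation -App $_ } | Format-Table -AutoSize
$Apps | ForEach-Object { Get-OfficeSecurityKeyWriters -App $_ } | Format-Table -AutoSize
```

Run it as the user whose settings you want to see, since the keys are in HKCU. A setting that only appears under the User source is the "leave your fate in the hands of users" case from the earlier slide; moving it to the Policy source (via the administrative templates) and restricting write access to the key is what "Registry settings" and "Registry permissions" mean in practice.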
How to sign macros
• Digitally sign your macro project:
  https://support.office.com/en-us/article/Digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01
• Disable VBA completely in Office
Additional mitigations short of complete disablement
• Prevent Word 2016 and Excel 2016 from loading managed code extensions (a VSTO Add-in or a document-level customization)
• Macro Runtime Scan Scope:
  • Documents opened while macro security settings are set to "Enable All Macros"
  • Documents opened from a Trusted Location
  • Documents that are Trusted Documents
  • Documents that contain VBA that is digitally signed by a Trusted Publisher
• Change how Office 2016 VBA macros behave in applications that are started programmatically:
  https://docs.microsoft.com/en-us/deployoffice/security/plan-security-settings-for-vba-macros-in-office#change-how-office-2016-vba-macros-behave-in-applications-that-are-started-programmatically

Bottom line
• Don’t hold back from using some of these controls just because they aren’t fool (user) proof
• Can’t stop every incident, but we can reduce the incidence
• There’s only so much you can do in terms of prevention in any technology without breaking the very technology you are trying to protect
• That’s where vigilance and monitoring come in
• Threat hunting is where our sponsor, Carbon Black, takes over, and Tristan Morris, Security Strategist at Carbon Black, will show you how they can use advanced threat hunting capabilities to proactively track down exploited macros.
Indicators vs Patterns
• Indicators: Static, Historic, & Isolated
• Patterns: Dynamic, Contextual, & Behavioral

Introducing Cb LiveOps

Cb LiveOps
• Easy Query Builder
• Save & Re-run Queries

Live Query
• Query-based security & operations tool
• Immediate access to granular endpoint data

Live Response
• Fastest way to take action
• Investigate and remediate in real time
• Puts you in complete control