Hunting Malicious Office Macros
08-13, 14:15–14:45 (US/Pacific), Talks (Virtual)

When reviewing threat intelligence reports, it is common to see malicious Office macros of various types used as an initial access vector. Recently, Microsoft announced significant changes to Office behavior aimed at malicious macros. However, organizations still struggle with detecting malicious macros, which is often a prerequisite for implementing any type of hardening change. The aim of this talk is to address this gap: to provide guidance on how to detect malicious macro usage in an environment and to highlight the steps necessary to ensure systems are properly hardened against this threat.


The talk will cover the following areas:

  • Baselining Office macro behavior
  • Contextualized / risk-based alerting strategies
  • Data sets and Sysmon configurations, which will be provided
  • Coverage of new attack vectors such as Mark of the Web bypasses and VSTO files

Anton is a BSides Toronto speaker, a C3X volunteer, and a holder of the OSCE, OSCP, CISSP, and CSSP certifications. Anton enjoys the defensive side of cybersecurity and loves logs and queries.