Joseph Roosen (@JRoosen)
May 5 · 9 tweets · 3 min read
You may have noticed lately a lot of talk of MOTW (Mark of the Web). The reason it matters is Microsoft's changes rolling out this year that set the default treatment of files containing macros (VBA/XLM 4.0) from the Internet to blocked. 🧵1/x
We all cheered the changes from Microsoft on the default treatment of macros, first for Excel 4.0 (XLM) macros and later for VBA macros. XLM announcement: techcommunity.microsoft.com/t5/excel-blog/… VBA announcement: docs.microsoft.com/en-us/deployof… 2/x
As I have been saying for a while, most threat actors realized they needed to get ahead of this and start working on alternatives or ways to bypass the new protection. As can be seen in the Microsoft links, most of these defaults roll out in July to the majority of installs. 3/x
This is where MOTW comes in, because enforcement of these defaults relies on MOTW being successfully established on the file that is delivered. Therefore you are going to see all types of experiments to avoid their malware being branded. 4/x
One of the most popular methods is simply zipping the file. Believe it or not, a macro-laden doc/xlsm inside a zip file does NOT properly get the MOTW in most cases. The software used to decompress the file needs to notice that the ZIP itself has the MOTW and carry it over to the extracted files. 5/x
This was not considered in most archiving software, and the majority of them will happily hand you the macro document as a plain local file with no MOTW applied, so it runs. Which ones do and which don't? GREAT QUESTION! I decided to start looking recently to figure this out. 6/x
I was pleased to find out someone has already spent a lot of time on this and shared it with the community at large. Check out this great work from @nmantani, which identifies which archiving apps maintain the MOTW: github.com/nmantani/archi… 7/x
This of course isn't the only MOTW consideration to be aware of, but it is one you should start understanding in your environment post haste. Other archive and container file types (ARJ/GZ/IMG/ISO/LNK/RAR/VHDX, etc.) can be and have been used to bypass MOTW; disk images such as ISO/IMG/VHDX are mounted as volumes, so the files inside them never carry a Zone.Identifier stream of their own. 8/x
The time is now to understand how MOTW can be bypassed in your environment and to watch community resources like @nmantani's log of which apps respect MOTW with ZIP files. Clearly actors like #Emotet are working hard on their future in a world without direct macro execution. 🙃 9/9
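The check below is an added example in PowerShell; it is not code from the thread or from @nmantani's project. It reproduces the scenario described above on a Windows/NTFS host: a stand-in "macro document" (constructed sample content) is zipped, the zip is stamped with an Internet-zone Zone.Identifier stream the way a browser download would be, the archive is unpacked by an extractor of your choice, and the script reports whether the extracted file still carries the Mark of the Web. Office's "block macros from the Internet" default keys off ZoneId 3 (Internet) or 4 (Restricted sites), which is the threshold tested. PowerShell's own Expand-Archive is used as the extractor under test; the function names and the temporary paths are this example's own choices.

```powershell
# Added example: does an archive extractor carry the Mark of the Web
# (the Zone.Identifier alternate data stream) over to the files it extracts?
# Windows + NTFS only: alternate data streams do not exist elsewhere.

function Get-MotwZoneId {
    # Returns the integer ZoneId from the file's Zone.Identifier stream,
    # or $null when the file carries no Mark of the Web at all.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null    # no such stream: the file is treated as local
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-MotwInternetZone {
    # Simulates a browser download by writing the same stream SmartScreen-aware
    # browsers write: ZoneId=3 means "Internet".
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Test-ExtractorPreservesMotw {
    # $Extract is a script block taking (ArchivePath, DestinationDir) that unpacks
    # the archive. Returns $true when the extracted document still has a MOTW that
    # Office would act on (ZoneId 3 or 4), $false when the extractor dropped it.
    param(
        [Parameter(Mandatory)][scriptblock]$Extract,
        [string]$Name = 'extractor'
    )
    $work = Join-Path $env:TEMP ('motw-test-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # Constructed stand-in for a macro document; content is irrelevant here.
        $doc = Join-Path $work 'invoice.docm'
        Set-Content -LiteralPath $doc -Value 'constructed sample content, no real macro'

        # Zip it, then mark the *archive* as downloaded from the Internet.
        $zip = Join-Path $work 'invoice.zip'
        Compress-Archive -LiteralPath $doc -DestinationPath $zip
        Set-MotwInternetZone -Path $zip

        # Unpack with the extractor under test and inspect the result.
        $out = Join-Path $work 'extracted'
        & $Extract $zip $out
        $extracted = Join-Path $out 'invoice.docm'

        $archiveZone = Get-MotwZoneId -Path $zip
        $fileZone    = Get-MotwZoneId -Path $extracted
        $preserved   = ($null -ne $fileZone) -and ($fileZone -ge 3)

        $shown = if ($null -eq $fileZone) { 'none' } else { $fileZone }
        $verdict = if ($preserved) { 'preserved' } else { 'DROPPED' }
        Write-Host ("{0}: archive ZoneId={1}, extracted ZoneId={2} -> MOTW {3}" -f `
            $Name, $archiveZone, $shown, $verdict)
        return $preserved
    } finally {
        Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Extractor under test: PowerShell's built-in Expand-Archive cmdlet.
Test-ExtractorPreservesMotw -Name 'Expand-Archive' -Extract {
    param($Archive, $Dest)
    Expand-Archive -LiteralPath $Archive -DestinationPath $Dest -Force
}
```

To test a third-party tool, pass a script block that invokes its command line with the two arguments; the verdict line then tells you whether that tool belongs in the "propagates MOTW" or "drops MOTW" column for your environment. Note that the check only proves what happens for ZIP; disk images (ISO/IMG/VHDX) are mounted rather than extracted, so there is no extracted file for a stream to be written to in the first place.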
More from @JRoosen

Jan 1
#Microsoft and #Exchange starting off 2022 with a 💣 as of 00:00 UTC: transport of all email flowing through on-prem servers freezes due to a failure converting the new date... 🤦‍♂️ The solution is to disable antimalware scanning temporarily via Disable-AntimalwareScanning.ps1. 1/x
This is very bad because of the time it is happening and how many people are off for the holidays. Essentially any server that has this issue will defer all mail until it is rectified. H/T to @miketheitguy for the solution: 2/x
This is also confirmed by Microsoft here: docs.microsoft.com/en-us/archive/…. It works for 2016 and I am sure 2019 also. Once the script is run and the transport service restarted, all deferred emails will reprocess and be sent immediately, provided you have no other problems. 3/x
Sep 9, 2021
MS Office ActiveX CVE-2021-40444 summary:
🎯No macros needed - normal detections & mitigations fail.
🎯No word from MS on patch ETA
🎯Can in some cases be executed in Explorer preview mode. (RTF, older O365 client?) - h/t -
1/x
🎯Defender definitions 1.349.22.0+ (9/2) should catch it if AV is used. MS identifies it as O97M/Donoff.SA (there may be ways to evade detection).
🎯These are normal docx files, not anything special.
🎯Supposedly Protected View and/or Application Guard will prevent it.
2/x
🎯Potentially up to 1 month of history of general exploitation. h/t-
🎯You can find a history of execution in the HKCU hive along with the payload/C2. h/t-
3/x