
Hunting Malicious Office Macros

Nov 11, 2021
21:18

Malicious Office macros are used by threat actors to gain an initial foothold within enterprise networks, often followed by devastating ransomware deployments. This talk will cover what data sources are required to gain visibility into macro executions, how to baseline such executions in an environment, how to effectively filter out less risky macro executions and, finally, how to hunt for malicious macro usage in environments. Queries, sample Sysmon configurations and data sets will also be released.

Anton Ovrutsky, Adversarial Collaboration Engineer, Lares - https://twitter.com/antonlovesdnb

View upcoming Summits: http://www.sans.org/u/DuS

Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE

#ThreatHuntingSummit
