Block Macro-enabled Word documents


L1 Bithead

I am trying to create a custom signature to block macro-enabled Word documents. I can't use the "39154" signature for blocking, because it also blocks other office documents, such as .xlsx. I am in the testing phase, and I have created a custom signature to detect and alert on just Word documents with macros enabled, but so far I have been unable to get the alert to actually trigger. I'm using the "file-office-content" context to find the below pattern matches. I found the strings in various macro-enabled Word documents using a hex viewing tool.

One of these four patterns must match:

word/_rels/document.xml.rels

Microsoft.Office.Word

\x776F72642F5F72656C732F646F63756D656E742E786D6C2E72656C73\x

\x4D6963726F736F6674204F666669636520576F7264\x

AND

One of these patterns must match:

vba.*versioncompatible32

vba.*VersionCompatible32

VBA.*versioncompatible32

VBA.*VersionCompatible32

x\-vba\-macros

VbaProject\.bin

vbaproject\.bin

vbaProject\.bin

1 accepted solution

Accepted Solutions

L1 Bithead

I have an update to this custom signature issue. According to the PA custom signature documentation, you can look at the document binaries and use regex or hex search strings to match traffic against strings in the binaries, but it looks like that won't work. I was able to get this alert to work by looking in packet captures and using the following pattern matches within the file-office-content context:

Match one of the following:

\x776F72642F5F72656C732F646F63756D656E742E786D6C2E72656C73\x

\x4D6963726F736F6674204F666669636520576F7264\x

\x540068006900730044006f00630075006d0065006e0074\x

AND

One of the following:

\x417474726962757400652056425f4e616d0065\x

\x5f005600420041005f00500052004f004a00450043005400\x

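The two-group match in the accepted solution (and the same AND/OR structure the original question set up) can be checked offline before it is loaded into a firewall. The Python below is an added example, not code from the thread or from Palo Alto Networks: it decodes the `\x...\x` hex patterns quoted above, shows what bytes each one actually matches, and applies the rule "(any pattern of group 1) AND (any pattern of group 2)" to constructed sample buffers. The sample buffers, the helper names and the `classify` labels are assumptions of this example. A raw byte search over a buffer is not the same thing as the firewall's file-office-content context, which is why the poster had to take the strings from a pcap rather than from the document binary.

```python
"""Added example (not from the thread): reproduce the accepted signature's
two-group AND/OR logic in plain Python so the hex patterns can be tested
offline against constructed sample byte buffers."""
import re

# The \x...\x hex patterns from the accepted solution, copied verbatim.
GROUP_WORD = [  # "one of the following" - identifies a Word document
    r"\x776F72642F5F72656C732F646F63756D656E742E786D6C2E72656C73\x",
    r"\x4D6963726F736F6674204F666669636520576F7264\x",
    r"\x540068006900730044006f00630075006d0065006e0074\x",
]
GROUP_VBA = [   # "one of the following" - identifies an embedded VBA project
    r"\x417474726962757400652056425f4e616d0065\x",
    r"\x5f005600420041005f00500052004f004a00450043005400\x",
]

# A literal backslash-x, an even number of hex digits, a literal backslash-x.
_HEX_PATTERN = re.compile(r"^\\x([0-9A-Fa-f]+)\\x$")


def pattern_to_bytes(pattern: str) -> bytes:
    """Turn a '\\xHEX\\x' pattern string into the raw bytes it matches."""
    m = _HEX_PATTERN.match(pattern)
    if not m or len(m.group(1)) % 2:
        raise ValueError(f"not a hex pattern: {pattern!r}")
    return bytes.fromhex(m.group(1))


def describe(pattern: str) -> str:
    """Readable view of a pattern: UTF-16LE when every second byte is NUL,
    otherwise Latin-1 with embedded NULs shown as \\x00."""
    raw = pattern_to_bytes(pattern)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        if len(raw) % 2:           # pattern may stop after a code unit's low byte
            raw += b"\x00"
        return "utf-16le:" + raw.decode("utf-16-le")
    return "ascii:" + raw.decode("latin-1").replace("\x00", "\\x00")


def matches_word_macro(buf: bytes) -> bool:
    """Same logic as the signature: (any of GROUP_WORD) AND (any of GROUP_VBA)."""
    word_hit = any(pattern_to_bytes(p) in buf for p in GROUP_WORD)
    vba_hit = any(pattern_to_bytes(p) in buf for p in GROUP_VBA)
    return word_hit and vba_hit


def classify(buf: bytes) -> str:
    """Label used only by this example; not a firewall verdict."""
    return "word-macro" if matches_word_macro(buf) else "no-match"


# Constructed sample buffers (NOT real captures or real files): just enough
# bytes around the marker strings to exercise the matching logic.
SAMPLE_DOCM = (b"PK\x03\x04" + b"word/_rels/document.xml.rels" + b"\x00" * 8
               + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 4)
SAMPLE_DOCX = b"PK\x03\x04" + b"word/_rels/document.xml.rels" + b"\x00" * 16
SAMPLE_XLSM = (b"PK\x03\x04" + b"xl/_rels/workbook.xml.rels" + b"\x00" * 8
               + b"Attribut\x00e VB_Nam\x00e" + b"\x00" * 4)

if __name__ == "__main__":
    for p in GROUP_WORD + GROUP_VBA:
        print(f"{p[:22]}... -> {describe(p)}")
    for name, buf in (("docm", SAMPLE_DOCM), ("docx", SAMPLE_DOCX), ("xlsm", SAMPLE_XLSM)):
        print(f"{name}: {classify(buf)}")
```

Running the block prints each pattern decoded (the first two group-1 patterns are plain ASCII, the `ThisDocument` and `_VBA_PROJECT` strings are UTF-16LE, and the `Attribute VB_Name` string carries embedded NUL bytes, which is why the hex form is the only way to write them as single patterns) and then classifies the three samples. The constructed xlsm-style buffer contains a VBA marker but no Word marker and is deliberately not matched, which is the behaviour the original question wanted instead of signature 39154.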

4 REPLIES 4


Hi,

do you have a pcap of such a document? It is the easiest way to see / collect the strings you need.

At first, I'd go with only "one and one" string, without trying to match "OR" in the beginning. Once I have confirmed it works for one type of file, I'd expand it.

If it doesn't work for you like this (step-by-step approach), can you maybe upload one file here and I will try to see if I can help?

Best regards,
Luciano

I've got the alert working now, but I appreciate the feedback. I was looking in the binary of the document, rather than the pcap originally. I can't speak for other contexts, but it appears that pcap is the only reliable way to gather search strings for the "file-office-content" context. Palo Alto should consider rewriting their documentation to reflect that.

Thanks for the feedback on the need to do some documentation enhancement.

Sometimes we assume that everyone thinks the way we do and it's good to get a reminder that we all come at these problems with different assumptions and perspectives baked into our viewfinder.

-Benjamin

  • 1 accepted solution
  • 6038 Views
  • 4 replies
  • 0 Likes