The use of Office startup folders as a persistence mechanism is quite popular currently.
The malware just puts a DLL file with the file extension .wll into %appdata%\Roaming\Microsoft\Word\Startup\, and with the next start of Word the DLL gets loaded by Word.
This could be blocked by explicitly denying file writes for the 'power user' (icacls ...).
I do not expect a lot of collateral damage, since this feature is rarely used IMHO.
more info:
https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
https://attack.mitre.org/wiki/Technique/T1137
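The audit-and-deny approach described in the issue, written out as a PowerShell script. This is an added example, not code from the issue author or from the project; it assumes you run it in the context of the user whose Word startup folder should be locked down, and it uses `$env:APPDATA`, which already resolves to the `AppData\Roaming` profile folder, so the path is `$env:APPDATA\Microsoft\Word\Startup`. The Sysmon query at the end is an optional detection check that only returns results if Sysmon with file-create logging (Event ID 11) is installed.

```powershell
# Added example (not from the original issue): audit, harden and monitor the
# per-user Word startup folder that .wll add-ins are loaded from (ATT&CK T1137).
# Assumption: run as the user whose profile should be hardened.
$startup = Join-Path $env:APPDATA 'Microsoft\Word\Startup'
$account = "$env:USERDOMAIN\$env:USERNAME"   # principal whose writes are denied

# 1. Audit: list what is already there. .wll files (and .dot/.dotm templates)
#    in this folder are loaded every time Word starts, so each one is a
#    persistence candidate and worth hashing for triage.
if (Test-Path $startup) {
    Get-ChildItem -Path $startup -File -Force |
        Select-Object Name, Length, LastWriteTime,
            @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
} else {
    # Create the folder so the deny ACE below has something to attach to;
    # otherwise malware could create it later with default (writable) permissions.
    New-Item -ItemType Directory -Path $startup | Out-Null
}

# 2. Harden: explicit deny of write access for the user, inherited by files
#    (OI) and subfolders (CI). Deny ACEs are evaluated before allow ACEs,
#    so this overrides the user's normal full control over their own profile.
icacls $startup /deny "$($account):(OI)(CI)(W)"

# 3. Verify the ACE is present; expect a line containing "(DENY)(OI)(CI)(W)".
icacls $startup

# 4. Detection: file creations under any Word startup folder as seen by Sysmon
#    (Event ID 11). Returns nothing if Sysmon is not installed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Microsoft\\Word\\Startup\\' } |
    Select-Object TimeCreated, Message
```

Two caveats for anyone deploying this: the user remains the owner of their profile folder, and an owner can always rewrite the DACL, so code running as that user can remove the deny entry again; treat the ACE as a speed bump that raises the bar and pair it with the Sysmon file-create monitoring rather than relying on it alone. Word also has a machine-wide STARTUP folder under the Office installation directory and lets the per-user path be changed in its File Locations options, so an audit should cover those locations as well.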