jymcheong / OpenEDRclient

Open Endpoint Defense & Response

Strip Macro from legacy-binary Office formats #10

Closed jymcheong closed 3 years ago

jymcheong commented 3 years ago

Currently only strips from XML formats.

https://stackoverflow.com/a/39780079

"C:\Program Files\Microsoft Office\Office15\wordconv.exe" -oice -nme <input file> <output file>

Learnt that there are ppcnvcom.exe, excelcnv.exe, wordconv.exe conversion tools.

Newer Office (eg. Office16) does not have ppcnvcom.exe.

Things to Look Out For

jymcheong commented 3 years ago

Writing binary DOC files will not generate any FileCreate event while testing (but not for other binary formats like XLS & PPT) in a Win10 dev VM.

jymcheong commented 3 years ago

Having tested the stripping & conversion of both XML & binary file formats, the complexity is not worth it.

For instance, when binary doc files are created, there is NO FileCreate event but the rest of the office file types are seeing Sysmon FileCreate.

ppcnvcom.exe is also missing in some Office installations, thus we end up with a gap.

Using trust setting configuration instead: https://github.com/jymcheong/OpenEDRclient/commit/525fa44b27a18ae092e814900e78e786e5c71261

This takes advantage of the Office 2016 & beyond "Block macros from running in Office files from the Internet" restriction setting - https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
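As an added example (not code from OpenEDRclient or from the issue author) of the XML-format-only stripping the first comment refers to: it removes the VBA parts from a zip-based OOXML package, repairs `[Content_Types].xml` and the relationship files so the package is not left dangling, and reports what a checker sees before and after. It assumes the documented OOXML part names, relationship type and content types; the minimal `.docm`-style package and its `vbaProject.bin` bytes are constructed stand-ins, not a real document. Legacy binary DOC/XLS/PPT are, as the thread concludes, out of scope.

```python
"""Strip the VBA project out of an OOXML (zip-based) Office package.

Added example, not OpenEDRclient code. Handles only the XML formats the first
comment says the project strips; binary DOC/XLS/PPT are not covered. Part names
and content types are the documented OOXML ones (assumed, not taken from the page).
"""
import io
import os
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"

# Main-part content type of a macro-enabled package -> its macro-free equivalent.
MACRO_FREE_MAIN_TYPE = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}


def _is_vba_part(name: str) -> bool:
    """vbaProject.bin, its .rels sidecar, and Word's vbaData.xml."""
    base = os.path.basename(name).lower()
    return base.startswith("vbaproject.bin") or base == "vbadata.xml"


def _serialize(root: ET.Element, default_ns: str) -> bytes:
    ET.register_namespace("", default_ns)  # keep a default xmlns, not an ns0: prefix
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _clean_content_types(data: bytes) -> bytes:
    root = ET.fromstring(data)
    for node in list(root):
        if _is_vba_part(node.get("PartName", "")):
            root.remove(node)  # drop the <Override> entries for the VBA parts
        elif node.get("ContentType") in MACRO_FREE_MAIN_TYPE:
            node.set("ContentType", MACRO_FREE_MAIN_TYPE[node.get("ContentType")])
    return _serialize(root, CT_NS)


def _clean_rels(data: bytes) -> bytes:
    root = ET.fromstring(data)
    for node in list(root):
        if node.get("Type") == VBA_REL_TYPE or _is_vba_part(node.get("Target", "")):
            root.remove(node)  # drop the relationship that would now dangle
    return _serialize(root, REL_NS)


def strip_macros(package: bytes) -> Tuple[bytes, List[str]]:
    """Return (macro-free package, names of the parts that were removed)."""
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if _is_vba_part(name):
                removed.append(name)
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _clean_content_types(data)
            elif name.endswith(".rels"):
                data = _clean_rels(data)
            dst.writestr(name, data)
    return out.getvalue(), removed


def package_report(package: bytes) -> Dict[str, object]:
    """What a checker looks at: VBA parts, macro-enabled main type, VBA relationship."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        ctypes = z.read("[Content_Types].xml").decode("utf-8")
        rels = b"".join(z.read(n) for n in names if n.endswith(".rels")).decode("utf-8")
    return {
        "vba_parts": [n for n in names if _is_vba_part(n)],
        "macro_enabled_main": any(t in ctypes for t in MACRO_FREE_MAIN_TYPE),
        "vba_relationship": VBA_REL_TYPE in rels,
    }


def build_sample_docm() -> bytes:
    """Constructed minimal .docm-like package; vbaProject.bin is a stand-in, not a real OLE stream."""
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/>'
            '</Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            f'<Relationship Id="rId2" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
            '</Relationships>',
        "word/styles.xml": '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # stand-in bytes
        "word/vbaData.xml": '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"/>',
        "word/_rels/vbaProject.bin.rels":
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" '
            'Target="vbaData.xml"/></Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    cleaned, removed = strip_macros(sample)
    print("before:", package_report(sample))
    print("removed:", removed)
    print("after: ", package_report(cleaned))
```

Running the block prints the before/after report for the constructed sample. Renaming the result to the macro-free extension (`.docm` to `.docx`, `.xlsm` to `.xlsx`, `.pptm` to `.pptx`) is left to the caller so the extension matches the rewritten main-part content type; `package_report` is the check to run on the output before trusting it, and running `strip_macros` a second time on its own output removes nothing.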