Ejemplo n.º 1
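    def set_keys(self):
        r"""Relax the per-user Publisher macro settings for each Office version found.

        Enumerates the subkeys of HKCU\Software\Microsoft\Office, keeps those
        whose name looks like a dotted version number (e.g. "16.0"), and writes
        three values under <version>\Publisher\Security for each of them.

        Returns None. Returns early, without writing anything, when the Office
        base key cannot be opened or enumerated. Errors raised while creating
        or writing a Security key are not caught and propagate to the caller.

        NOTE(review): every value written here lowers Office's macro
        protections for the current user. That is presumably intended for a
        disposable analysis guest; confirm this can never run against a
        production profile.
        """
        baseOfficeKeyPath = r"Software\Microsoft\Office"
        installedVersions = []
        try:
            # The context manager closes the handle even if enumeration fails
            # part-way, which the explicit CloseKey() call did not guarantee.
            with OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0,
                         KEY_READ) as officeKey:
                for currentKey in range(QueryInfoKey(officeKey)[0]):
                    officeVersion = EnumKey(officeKey, currentKey)
                    # Only names made of digit groups separated by dots count
                    # as versions; other subkeys such as "Common" are skipped.
                    if "." in officeVersion and all(
                            part.isdigit()
                            for part in officeVersion.split(".")):
                        installedVersions.append(officeVersion)
        except WindowsError:
            # Office isn't installed at all
            return

        for oVersion in installedVersions:
            securityPath = r"{0}\{1}\Publisher\Security".format(
                baseOfficeKeyPath, oVersion)
            # CreateKeyEx creates the key when it is missing, so the values
            # are written even before Publisher has ever been started.
            with CreateKeyEx(HKEY_CURRENT_USER, securityPath, 0,
                             KEY_SET_VALUE) as key:
                # 1 = run all macros without prompting.
                SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1)
                # 1 = trust programmatic access to the VBA project object model.
                SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1)
                # 0 = switch off the extension/content mismatch check
                # (semantics as documented for Excel; assumed the same here).
                SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0)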
Ejemplo n.º 2
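    def set_office_params(self):
        r"""Write permissive security settings for the installed Office products.

        Enumerates the subkeys of HKCU\Software\Microsoft\Office, keeps those
        whose name is a dotted version number, and hands a fixed list of
        registry values to self._office_helper for the Common\Security key and
        for Word, Excel, PowerPoint, Publisher and Outlook under each version.

        Returns None. Returns early, without calling the helper, when the
        Office base key cannot be opened or enumerated.

        NOTE(review): the values disable macro warnings, ActiveX prompting and
        Protected View. That is presumably meant for a disposable analysis
        guest; confirm this can never run against a production profile.
        Settings under Software\Policies, if present, may override these
        per-user values.
        """
        baseOfficeKeyPath = r"Software\Microsoft\Office"
        installedVersions = []

        try:
            with OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0,
                         KEY_READ) as officeKey:
                for currentKey in range(QueryInfoKey(officeKey)[0]):
                    officeVersion = EnumKey(officeKey, currentKey)
                    # Only names made of digit groups separated by dots count
                    # as versions; other subkeys such as "Common" are skipped.
                    if "." in officeVersion and all(
                            part.isdigit()
                            for part in officeVersion.split(".")):
                        installedVersions.append(officeVersion)
        except WindowsError:
            # Office isn't installed at all
            return

        # Suite-wide ActiveX behaviour: do not block controls, and load them
        # without the usual restrictions.
        self._office_helper("Software\\Microsoft\\Office\\Common\\Security",
                            "DisableAllActiveX", REG_DWORD, 0)
        self._office_helper("Software\\Microsoft\\Office\\Common\\Security",
                            "UFIControls", REG_DWORD, 1)
        for oVersion in installedVersions:
            for software in ("Word", "Excel", "PowerPoint", "Publisher",
                             "Outlook"):
                productPath = rf"{baseOfficeKeyPath}\{oVersion}\{software}"
                securityPath = f"{productPath}\\Security"
                protectedViewPath = f"{productPath}\\Security\\ProtectedView"

                # Presumably marks the first-run opt-in dialog as already
                # shown -- TODO confirm.
                self._office_helper(f"{productPath}\\Common\\General",
                                    "ShownOptIn", REG_DWORD, 1)
                # 1 = run all macros without prompting.
                self._office_helper(securityPath, "VBAWarnings", REG_DWORD, 1)
                # 1 = trust programmatic access to the VBA project object model.
                self._office_helper(securityPath, "AccessVBOM", REG_DWORD, 1)
                self._office_helper(securityPath, "DisableDDEServerLaunch",
                                    REG_DWORD, 0)
                self._office_helper(securityPath, "MarkInternalAsUnsafe",
                                    REG_DWORD, 0)
                # Protected View is turned off for attachments, internet files
                # and unsafe locations.
                self._office_helper(protectedViewPath,
                                    "DisableAttachmentsInPV", REG_DWORD, 1)
                self._office_helper(protectedViewPath,
                                    "DisableInternetFilesInPV", REG_DWORD, 1)
                self._office_helper(protectedViewPath,
                                    "DisableUnsafeLocationsInPV", REG_DWORD, 1)
                # NOTE: the original author left a Software\Policies variant of
                # MarkInternalAsUnsafe disabled; it is still not written here.

                # The original call omitted the value type and passed 0 in its
                # place. REG_DWORD is supplied so the call matches every other
                # call in this method (argument order inferred from those
                # calls; _office_helper itself is not visible here).
                self._office_helper(securityPath, "ExtensionHardening",
                                    REG_DWORD, 0)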
Ejemplo n.º 3
    def set_office_mrus(self):
        """Populate the Office "File MRU" lists with random entries.

        Macros occasionally inspect the most-recently-used list to detect
        sandbox environments, so Word, Excel and PowerPoint are given a
        plausible-looking history under every installed Office version.

        A product is skipped when its registry key is missing or when its MRU
        key already holds five or more values. Returns None, and returns early
        when the Office base key cannot be opened or enumerated.
        """
        office_root = r"Software\Microsoft\Office"
        fake_dirs = [
            "C:\\",
            "C:\\Windows\\Logs\\",
            "C:\\Windows\\Temp\\",
            "C:\\Program Files\\",
        ]
        doc_types = {
            "Word": ["doc", "docx", "docm", "rtf"],
            "Excel": ["xls", "xlsx", "csv"],
            "PowerPoint": ["ppt", "pptx"],
        }

        # Collect subkeys whose name is a dotted version number (e.g. "16.0").
        versions = []
        try:
            with OpenKey(HKEY_CURRENT_USER, office_root, 0,
                         KEY_READ) as office_key:
                subkey_total = QueryInfoKey(office_key)[0]
                for idx in range(subkey_total):
                    candidate = EnumKey(office_key, idx)
                    if "." not in candidate:
                        continue
                    if all(piece.isdigit() for piece in candidate.split(".")):
                        versions.append(candidate)
        except WindowsError:
            # Office isn't installed at all
            return

        for version, product in itertools.product(versions, doc_types):
            product_path = rf"{office_root}\{version}\{product}"
            mru_path = rf"{product_path}\File MRU"
            existing = []
            has_max_display = False
            try:
                # Opening the product key only proves the product is present.
                with OpenKey(HKEY_CURRENT_USER, product_path, 0, KEY_READ):
                    pass
                # CreateKeyEx creates the MRU key when it does not exist yet.
                with CreateKeyEx(HKEY_CURRENT_USER, mru_path, 0,
                                 KEY_READ) as mru_key:
                    for idx in range(QueryInfoKey(mru_key)[1]):
                        entry = EnumValue(mru_key, idx)
                        if entry[0] == "Max Display":
                            has_max_display = True
                        existing.append(entry)
            except WindowsError:
                # An Office version was found in the registry but the
                # software (Word/Excel/PowerPoint) was not installed.
                continue

            # A list that already has five or more values is left untouched.
            if len(existing) >= 5:
                continue

            with OpenKey(HKEY_CURRENT_USER, mru_path, 0,
                         KEY_SET_VALUE) as mru_key:
                if not has_max_display:
                    SetValueEx(mru_key, "Max Display", 0, REG_DWORD, 25)

                for i in range(1, randint(10, 30)):
                    hex_tail = random_string(minimum=11,
                                             charset="0123456789ABCDEF")
                    # Odd and even items alternate between two id prefixes.
                    if i % 2:
                        item_id = f"T01D1C{hex_tail}"
                    else:
                        item_id = f"T01D1D{hex_tail}"
                    folder = fake_dirs[randint(0, len(fake_dirs) - 1)]
                    stem = random_string(
                        minimum=3,
                        maximum=15,
                        charset="abcdefghijkLMNOPQURSTUVwxyz_0369")
                    suffixes = doc_types[product]
                    suffix = suffixes[randint(0, len(suffixes) - 1)]
                    mru_value = "[F00000000][{0}][O00000000]*{1}{2}.{3}".format(
                        item_id, folder, stem, suffix)
                    SetValueEx(mru_key, f"Item {i}", 0, REG_SZ, mru_value)