
Alert on XLM Macros

Contextal Team
Contextal Platform Creators

Excel 4.0 macros (also known as XLM macros) are frequently used for malicious purposes, and although Microsoft now limits their use by default, they can still pose a threat in some environments.

Below we provide a simple scenario that triggers the ALERT action for Office documents containing Excel 4.0 macrosheets.

Info: Click on the download button below to get the scenario and then upload it using Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!)

XLM-Macro.json
{
  "name": "XLM Macro",
  "min_ver": 1,
  "max_ver": null,
  "creator": "Contextal",
  "description": "Alert on Office documents containing Excel 4.0 macrosheets.",
  "local_query": "object_type==\"Office\" && @has_symbol(\"HAS_MACRO_SHEET\")",
  "context": null,
  "action": "ALERT"
}
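
To show what a macrosheet looks like inside a modern workbook, here is an added example (not Contextal's code, and not how the platform derives HAS_MACRO_SHEET) that checks an OOXML package manifest for the content types Excel assigns to Excel 4.0 macro sheets. The function names, the size cap and the sample package are constructed for illustration; legacy binary .xls files are out of scope.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Content types of Excel 4.0 (XLM) macro sheet parts in OOXML workbooks.
MACROSHEET_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",
    "application/vnd.ms-excel.intlmacrosheet+xml",
}
MAX_MANIFEST_BYTES = 1 << 20  # assumed cap against decompression bombs


def find_macrosheets(data: bytes) -> list:
    """Return the part names of macro sheets declared in an OOXML package."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info = zf.getinfo("[Content_Types].xml")
            if info.file_size > MAX_MANIFEST_BYTES:
                raise ValueError("manifest too large; treat file as suspicious")
            # stdlib parser for portability; prefer defusedxml on untrusted files
            root = ET.fromstring(zf.read(info))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return []  # not an OOXML package, e.g. a legacy binary .xls
    return [
        el.get("PartName", "")
        for el in root.iter(CT_NS + "Override")
        if el.get("ContentType", "").lower() in MACROSHEET_TYPES
    ]


def build_sample(with_macrosheet: bool) -> bytes:
    """Constructed sample: a package holding only the manifest this check reads."""
    parts = [("/xl/worksheets/sheet1.xml",
              "application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml")]
    if with_macrosheet:
        parts.append(("/xl/macrosheets/sheet1.xml",
                      "application/vnd.ms-excel.macrosheet+xml"))
    overrides = "".join(
        f'<Override PartName="{p}" ContentType="{c}"/>' for p, c in parts)
    manifest = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
                f'content-types">{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    print(find_macrosheets(build_sample(True)), find_macrosheets(build_sample(False)))
```

An empty result only means no macro sheet is declared in the manifest of an OOXML file; it says nothing about VBA macros or about binary .xls workbooks.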