PowerPoint: Scan Encrypted Macros For VBA Signatures

💼 Management Summary

Scan encrypted macros for VBA signatures - prevents malware hiding in password-protected macro-enabled PowerPoint files.

Recommendation
IMPLEMENT
Risk without
Medium
Risk Score
6/10
Implementation
2h (tech: 1h)
Applies to:
✓ Microsoft PowerPoint

Encrypted macros = malware evasion. Attack technique: a malicious macro is placed in a PowerPoint file → the VBA project is encrypted with a password → antivirus is bypassed (it cannot scan encrypted content). Office default: does NOT scan encrypted VBA projects (assumes password = legitimate). Malware: ransomware or a trojan hidden in an encrypted macro → the user opens the file → the macro executes (unscanned). Scan encrypted: with the policy enabled → Office scans the encrypted VBA AFTER decryption (when the macro runs) → the malware is detected.

PowerShell Modules Required
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementation

Scan encrypted macros. Policy: Scan encrypted macros in PowerPoint: Enabled. Scanning: Office decrypts the VBA project → scans it for malicious signatures → blocks it if malware is detected. User experience: encrypted macros still prompt for the password. Security: malware detection even when the macros are encrypted.
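The blind spot described above (the attack technique and the policy's scan after decryption), as an added triage example that is not part of this control page or its script: a Python helper that tells apart a plain macro-enabled Open XML presentation, whose VBA project can be inspected on disk, from a password-encrypted one, where the VBA project stays hidden until Office decrypts it. The container checks follow the OOXML and MS-OFFCRYPTO layout; the `EncryptedPackage` string match is a heuristic rather than a full CFB directory walk, and the sample files are constructed stubs, not real presentations.

```python
"""Triage for PowerPoint Open XML files: a plain .pptm exposes ppt/vbaProject.bin
to on-disk scanners; a password-encrypted one is an OLE/CFB wrapper whose VBA
project is only reachable after Office decrypts it (the gap this policy closes)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # plain OOXML package (zip)
MACRO_CT = "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml"

def triage_pptx(data: bytes) -> dict:
    """Classify raw file bytes; has_vba stays None when it cannot be determined."""
    result = {"container": "unknown", "encrypted": False, "has_vba": None, "inspectable": False}
    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml-zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
            # VBA is present if the project part exists or the main part is declared
            # macro-enabled; either way an on-disk scanner can read it.
            result["has_vba"] = "ppt/vbaProject.bin" in names or MACRO_CT in ctypes
            result["inspectable"] = True
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole-cfb"
        # Encrypted OOXML is a CFB holding EncryptionInfo and EncryptedPackage streams
        # (a legacy .ppt is also CFB but lacks them); the UTF-16LE name match is a heuristic.
        if "EncryptedPackage".encode("utf-16-le") in data:
            result["encrypted"] = True  # any VBA inside is invisible until decryption
    return result

def build_macro_enabled_zip() -> bytes:
    """Constructed sample: minimal macro-enabled package, not a real presentation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/ppt/presentation.xml" ContentType="{MACRO_CT}"/></Types>')
        zf.writestr("ppt/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)  # placeholder project bytes
    return buf.getvalue()

def build_encrypted_stub() -> bytes:
    """Constructed sample: CFB magic plus an EncryptedPackage directory entry name."""
    return OLE_MAGIC + b"\x00" * 504 + "EncryptedPackage".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_macro_enabled_zip()), ("encrypted", build_encrypted_stub())):
        print(label, triage_pptx(blob))
```

A file reported as `encrypted` with `inspectable` False is exactly the case where on-disk antivirus has nothing to scan and the post-decryption scan enforced by this policy is the remaining control.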

Requirements

  1. PowerPoint 2016+
  2. Intune or GPO

Implementation

Intune Settings Catalog: PowerPoint\Security\Trust Center → Scan encrypted macros in PowerPoint Open XML presentations: Enabled (Scan encrypted macros).

Compliance

CIS Office Benchmark, BIO 12.02, ISO 27001 A.12.2.1.

Monitoring

Use the PowerShell script scan-encrypted-macros.ps1 (function Invoke-Monitoring) to check compliance.

Remediation

Use the PowerShell script scan-encrypted-macros.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

```powershell
<#
.SYNOPSIS
    Enforces scanning of encrypted macros in PowerPoint Open XML presentations.
.DESCRIPTION
    This script implements CIS control O365-PT-000005 for scanning encrypted macros
    in PowerPoint Open XML presentations in Microsoft PowerPoint. It protects against
    malicious macros hidden in encrypted files.
.REQUIREMENTS
    - PowerShell 5.1 or higher
    - Local administrator rights for registry changes
    - Microsoft PowerPoint installed
.PARAMETER Monitoring
    Checks the current compliance status.
.PARAMETER Remediation
    Applies the recommended configuration.
.PARAMETER Revert
    Restores the original configuration.
.PARAMETER WhatIf
    Shows what would happen without making changes.
.EXAMPLE
    .\scan-encrypted-macros.ps1 -Monitoring
    Checks whether encrypted macro scanning is enabled.
.EXAMPLE
    .\scan-encrypted-macros.ps1 -Remediation
    Enables encrypted macro scanning.
.NOTES
    Registry path: HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security
    Values: ScanEncryptedMacros = 1, VBAWarnings = 1
    CIS Control: O365-PT-000005
    DISA STIG: Microsoft Office 365 ProPlus v3r3
#>
#Requires -Version 5.1

param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

# Global variables
$RegistryPath  = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security"
$ValueName1    = "ScanEncryptedMacros"
$ValueName2    = "VBAWarnings"
$ExpectedValue = 1
$ControlID     = "O365-PT-000005"

function Test-Compliance {
    # Compliant only when both configured values are present and set as expected;
    # an -or here would report compliance with the scan value missing entirely.
    try {
        if (-not (Test-Path $RegistryPath)) { return $false }
        $v1 = Get-ItemProperty -Path $RegistryPath -Name $ValueName1 -ErrorAction SilentlyContinue
        $v2 = Get-ItemProperty -Path $RegistryPath -Name $ValueName2 -ErrorAction SilentlyContinue
        return (($v1 -and $v1.$ValueName1 -eq $ExpectedValue) -and ($v2 -and $v2.$ValueName2 -ge $ExpectedValue))
    } catch {
        return $false
    }
}

function Invoke-Monitoring {
    Write-Host "Monitoring ${ControlID}: Gecodeerde macro scanning inschakelen" -ForegroundColor Green
    try {
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "✗ Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red
            return $false
        }
        # Reuse the single compliance check so monitoring and remediation agree
        $scanEnabled = Test-Compliance
        if ($scanEnabled) {
            Write-Host "✓ Control compliant: Gecodeerde macro scanning is ingeschakeld" -ForegroundColor Green
            return $true
        } else {
            Write-Host "✗ Control non-compliant: Gecodeerde macro scanning is uitgeschakeld" -ForegroundColor Red
            return $false
        }
    } catch {
        Write-Host "✗ Fout bij controleren registry instellingen: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Remediation {
    Write-Host "Remediating ${ControlID}: Gecodeerde macro scanning inschakelen" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "WhatIf: Zou registry waarden instellen: ${ValueName1} = $ExpectedValue, ${ValueName2} = $ExpectedValue" -ForegroundColor Cyan
            return $true
        }
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow
            New-Item -Path $RegistryPath -Force | Out-Null
        }
        Set-ItemProperty -Path $RegistryPath -Name $ValueName1 -Value $ExpectedValue -Type DWord -Force
        Set-ItemProperty -Path $RegistryPath -Name $ValueName2 -Value $ExpectedValue -Type DWord -Force
        Write-Host "✓ Registry waarden succesvol ingesteld" -ForegroundColor Green
        Start-Sleep -Seconds 1
        # Verify the result with the same check used by -Monitoring
        return Invoke-Monitoring
    } catch {
        Write-Host "✗ Fout bij configureren registry instellingen: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Revert {
    Write-Host "Reverting ${ControlID}: Gecodeerde macro scanning herstellen" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "WhatIf: Zou registry waarden verwijderen: ${ValueName1}, ${ValueName2}" -ForegroundColor Cyan
            return $true
        }
        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $ValueName1 -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $RegistryPath -Name $ValueName2 -ErrorAction SilentlyContinue
            Write-Host "✓ Registry waarden verwijderd" -ForegroundColor Green
        }
        return $true
    } catch {
        Write-Host "✗ Fout bij herstellen registry instellingen: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Main execution
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    } else {
        # Usage text; the script name matches the .EXAMPLE entries above
        Write-Host "Gebruik: .\scan-encrypted-macros.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
        Write-Host "  -Monitoring:  Controleer huidige compliance status" -ForegroundColor White
        Write-Host "  -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White
        Write-Host "  -Revert:      Herstel originele configuratie" -ForegroundColor White
        Write-Host "  -WhatIf:      Toon wat er zou gebeuren" -ForegroundColor White
        Write-Host ""
        Write-Host "Handmatige configuratie:" -ForegroundColor Cyan
        Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft PowerPoint 2016" -ForegroundColor White
        Write-Host "> PowerPoint Options > Security > Trust Center > Macro Settings" -ForegroundColor White
        Write-Host "> Scan encrypted macros in PowerPoint Open XML presentations: Enabled: Scan encrypted macros" -ForegroundColor White
    }
} catch {
    Write-Host "✗ Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
```

Risk without implementation

Medium: Encrypted macros = malware evasion (AV bypass).

Management Summary

Scan encrypted PowerPoint macros. Malware detection even if password-protected. Implementation: 1-2 hours.