Word: Scan Encrypted Macros in Open XML Documents

💼 Management Summary

With "Scan encrypted macros" enabled, Word decrypts macro code before execution so that antivirus software can inspect it for malware. Without the scan, encrypted macros can bypass AV.

Recommendation
IMPLEMENT
Risk without
Medium
Risk Score
6/10
Implementation
1 h (technical: 0.5 h)
Applies to:
✓ Microsoft Word

Encrypted macros are an AV blind spot: a VBA project can be encrypted (password-protected), antivirus cannot scan encrypted code, and attackers use this as malware obfuscation. With the scan enabled, Word decrypts the project for AV → malware is detected before execution.

Implementation

Registry: ScanEncryptedMacros = 1. Word decrypts VBA projects for AV scanning (AMSI integration), so encrypted macros are scanned before execution.

Requirements

  1. Office 2016 or later
  2. Antivirus with AMSI support (Defender or third-party)

Implementation (Intune)

Intune Settings Catalog: Word\Security → Scan encrypted macros in Word Open XML documents: Enabled (default).

Compliance and Auditing

CIS Office Benchmark, BIO 12.02 (Malware detection).

Monitoring

Use the PowerShell script scan-encrypted-macros.ps1 (function Invoke-Monitoring) to check the setting.

Remediation

Use the PowerShell script scan-encrypted-macros.ps1 (function Invoke-Remediation) to restore the setting.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Enforces scanning of encrypted macros in Word.
.DESCRIPTION
    CIS O365-WD-000002
.NOTES
    Registry: HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security
              ScanEncryptedMacros = 1 (REG_DWORD)
    VBAWarnings is deliberately not written by this script: the value 1
    means "Enable all macros" and is unrelated to this control.
#>
#Requires -Version 5.1
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$RegistryPath  = "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security"
$ValueName     = "ScanEncryptedMacros"
$ExpectedValue = 1
$ControlID     = "O365-WD-000002"

function Test-Compliance {
    # Compliant only when the policy key exists and ScanEncryptedMacros equals 1.
    try {
        if (-not (Test-Path $RegistryPath)) { return $false }
        $item = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
        return ($null -ne $item -and $item.$ValueName -eq $ExpectedValue)
    } catch {
        return $false
    }
}

function Invoke-Monitoring {
    Write-Host "Monitoring ${ControlID}" -ForegroundColor Green
    if (Test-Compliance) {
        Write-Host "✓ Compliant" -ForegroundColor Green
        return $true
    }
    Write-Host "✗ Non-compliant" -ForegroundColor Red
    return $false
}

function Invoke-Remediation {
    Write-Host "Remediating ${ControlID}" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "WhatIf: would set ${ValueName}=${ExpectedValue} under ${RegistryPath}" -ForegroundColor Cyan
            return $true
        }
        # Create the policy key if it does not exist yet, then write the DWORD value.
        if (-not (Test-Path $RegistryPath)) {
            New-Item -Path $RegistryPath -Force | Out-Null
        }
        Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force
        Write-Host "✓ Ingesteld" -ForegroundColor Green
        Start-Sleep -Seconds 1
        # Re-check so the exit code reflects the actual state after the write.
        return Invoke-Monitoring
    } catch {
        Write-Host "✗ Fout: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Revert {
    Write-Host "Reverting ${ControlID}" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "WhatIf: would remove ${ValueName} from ${RegistryPath}" -ForegroundColor Cyan
            return $true
        }
        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
            Write-Host "✓ Verwijderd" -ForegroundColor Green
        }
        return $true
    } catch {
        Write-Host "✗ Fout: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Entry point: exit code 0 = compliant/success, 1 = non-compliant/failure.
try {
    if ($Monitoring) {
        exit $(if (Invoke-Monitoring) { 0 } else { 1 })
    } elseif ($Remediation) {
        exit $(if (Invoke-Remediation) { 0 } else { 1 })
    } elseif ($Revert) {
        exit $(if (Invoke-Revert) { 0 } else { 1 })
    } else {
        Write-Host "Gebruik: .\scan-encrypted-macros.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
    }
} catch {
    Write-Host "✗ Fout: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

Risk without implementation

Medium: encrypted macros bypass AV. Malware obfuscation via VBA encryption.

Management Summary

Scan encrypted macros: Word decrypts the VBA project for AV via AMSI integration. Implementation: 30 min.