PowerShell scripts execute in PowerPoint without macros

Issue

Microsoft’s powerful native scripting language, PowerShell, is able to execute inside a PowerPoint presentation without using macros. This presents an issue for many organizations that rely on blocking macros or documents with macros to minimize the risk of compromise via Microsoft Office documents.

Impact

InGuardians RedTeam operators used this very technique to compromise one of our toughest clients just last week.  This is a very real threat posing risk to the information security of your organization.  Determine which controls and audit measures best fit your security posture and move swiftly to lock down this threat vector.

Recommendations

InGuardians recommends first determining whether systems need PowerShell. If it is needed, ensure PowerShell is up to date. Older versions of PowerShell lack many of the security features that version 5 has. Take the necessary steps (outlined here: https://adsecurity.org/?p=2604) to detect PowerShell being used offensively on your systems.
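
One way to hunt for this vector in process-creation telemetry, added here as an example and not InGuardians' own tooling: flag any PowerShell process that has an Office application anywhere in its ancestry, including through an intermediate process. It assumes events exported as JSON lines with field names modelled on Sysmon Event ID 1 (ProcessGuid, ParentProcessGuid, Image, CommandLine); the sample events, GUID values and the OFFICE/SHELLS name lists are constructed for illustration.

```python
import json
import ntpath

# Assumed name lists; extend to match the Office and PowerShell hosts you deploy.
OFFICE = {"powerpnt.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = r"""
{"ProcessGuid":"g1","ParentProcessGuid":"g0","Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}
{"ProcessGuid":"g2","ParentProcessGuid":"g1","Image":"C:\\Program Files\\Microsoft Office\\Office16\\POWERPNT.EXE","CommandLine":"POWERPNT.EXE deck.ppsx"}
{"ProcessGuid":"g3","ParentProcessGuid":"g2","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe <constructed>"}
{"ProcessGuid":"g4","ParentProcessGuid":"g3","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe <constructed>"}
{"ProcessGuid":"g5","ParentProcessGuid":"g1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe","CommandLine":"powershell.exe"}
"""

def exe_name(image):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(image).lower()

def find_office_spawned_shells(lines):
    """Return one alert per PowerShell process with an Office ancestor."""
    procs = {}
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            procs[ev["ProcessGuid"]] = ev
    alerts = []
    for ev in procs.values():
        if exe_name(ev["Image"]) not in SHELLS:
            continue
        # Walk up the parent chain; 'seen' guards against malformed loops.
        chain, seen, cur = [], set(), ev
        while cur is not None and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])
            chain.append(exe_name(cur["Image"]))
            cur = procs.get(cur["ParentProcessGuid"])
        office = [name for name in chain[1:] if name in OFFICE]
        if office:
            alerts.append({"guid": ev["ProcessGuid"], "ancestor": office[0],
                           "chain": " <- ".join(chain)})
    return alerts

if __name__ == "__main__":
    for alert in find_office_spawned_shells(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Matching only the direct parent would miss the cmd.exe hop in the sample, which is why the full chain is walked.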

Additional Resources

Excellent technical write-up on PowerShell security: https://adsecurity.org/?p=2921

Recent article on this threat: https://thehackernews.com/2017/06/microsoft-powerpoint-malware.html