1. Home
  2. ATT&CK Techniques
  3. T1221 Template Injection

T1221 Template Injection Mappings

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)

Adversaries may also modify the <code>*\template</code> control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)

This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)

View in MITRE ATT&CK®

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2022-22954 VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability exploitation_technique T1221 Template Injection
Comments
This vulnerability is exploited via server-side template injection to achieve remote code execution. This access is then used to establish backdoors. Adversaries have been observed chaining this with CVE-2022-22960 in order to escalate privileges to root.
References
  1. https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/
  2. https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/
  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b
  4. https://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability exploitation_technique T1221 Template Injection
Comments
CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated adversary to achieve remote code execution. Adversaries have been observed exploiting this vulnerability for cryptomining purposes.
References
  1. https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
CVE-2024-23692 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability exploitation_technique T1221 Template Injection
Comments
CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.
References
  1. https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/
  2. https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
  3. https://www.bleepingcomputer.com/news/security/hackers-attack-hfs-servers-to-drop-malware-and-monero-miners/
  4. https://socradar.io/critical-http-file-server-vulnerability-cve-2024-23692-actively-exploited-to-deploy-cryptomining-malware-rats-stealers/