T1137.001 Office Template Macros

Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)

Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded. (Citation: enigma0x3 normal.dotm) (Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations. (Citation: GlobalDotName Jun 2019)

Word Normal.dotm location: C:\Users\<username>\AppData\Roaming\Microsoft\Templates\Normal.dotm

Excel Personal.xlsb location: C:\Users\<username>\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB

Adversaries may also change the location of the base template to point to their own, either by hijacking the application's search order (e.g. Word 2016 will first look for Normal.dotm under C:\Program Files (x86)\Microsoft Office\root\Office16\) or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location. (Citation: GlobalDotName Jun 2019)

An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.
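As an added defender-side example (not from the ATT&CK page or any of its cited sources), the Python below checks whether a template file carries a VBA project and reviews a GlobalDotName value against the default per-user template folders named above. The username, the in-memory sample template and the findings wording are constructed assumptions; on a real host, read the template files and the registry value first and pass them in.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Default per-user startup template folders named in the technique description.
DEFAULT_TEMPLATE_DIRS = (
    PureWindowsPath(r"AppData\Roaming\Microsoft\Templates"),
    PureWindowsPath(r"AppData\Roaming\Microsoft\Excel\XLSTART"),
)
TEMPLATE_EXTENSIONS = {".dotm", ".dotx", ".dot", ".xlsb", ".xltm", ".xlsm", ".xlam"}


def template_has_macros(data: bytes) -> bool:
    """True when an OOXML template/workbook (.dotm, .xlsb, ...) carries a VBA project.
    These files are zip containers; the VBA project is stored as a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # legacy binary .dot/.xls or not Office at all: needs an OLE parser


def globaldotname_findings(value, username: str) -> list:
    """Reasons a GlobalDotName registry value deserves review; [] when it is not set.
    Any set value redirects the startup template, so it is always reported; remote
    paths, non-template extensions and non-default folders add further findings."""
    if not value:
        return []
    findings = ["GlobalDotName is set (startup template redirected)"]
    path = PureWindowsPath(value)
    if value.startswith("\\\\") or value.lower().startswith(("http://", "https://")):
        findings.append("template is loaded from a remote location")
    if path.suffix.lower() not in TEMPLATE_EXTENSIONS:
        findings.append(f"unexpected template extension {path.suffix or '(none)'}")
    expected = [PureWindowsPath("C:/Users", username, d) for d in DEFAULT_TEMPLATE_DIRS]
    if not any(str(path.parent).lower() == str(e).lower() for e in expected):
        findings.append("template is outside the default per-user template folders")
    return findings


def make_template_sample(with_vba: bool) -> bytes:
    """Constructed minimal .dotm-like zip for the demo, not a real Word template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(template_has_macros(make_template_sample(True)))  # True
    print(globaldotname_findings(r"\\fileserver\share\startup.txt", "alice"))
```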


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.001 | Office Template Macros | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CM-06 | Configuration Settings | mitigates | T1137.001 | Office Template Macros |
SC-18 | Mobile Code | mitigates | T1137.001 | Office Template Macros |
SC-44 | Detonation Chambers | mitigates | T1137.001 | Office Template Macros |
SI-08 | Spam Protection | mitigates | T1137.001 | Office Template Macros |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1137.001 | Office Template Macros |
CM-08 | System Component Inventory | mitigates | T1137.001 | Office Template Macros |
SI-03 | Malicious Code Protection | mitigates | T1137.001 | Office Template Macros |
CM-02 | Baseline Configuration | mitigates | T1137.001 | Office Template Macros |
SI-04 | System Monitoring | mitigates | T1137.001 | Office Template Macros |
AC-06 | Least Privilege | mitigates | T1137.001 | Office Template Macros |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1137.001 | Office Template Macros |

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
cloud_ids | Cloud IDS | technique_scores | T1137.001 | Office Template Macros | Office templates are often used by adversaries to establish persistence, and Palo Alto Networks' antivirus signatures are able to detect malware found in executables and Microsoft Office templates. Although there are ways an attacker could deliver a malicious template, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks.
google_secops | Google Security Operations | technique_scores | T1137.001 | Office Template Macros | Google Security Ops is able to trigger an alert based on suspicious system processes, for example a rule that detects a Windows command line executable started from Microsoft Word or Excel (e.g., ".*\\WINWORD\.EXE", ".*\\EXCEL\.EXE"). This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/office_macro_starts_cmd.yaral