T1221 Template Injection

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) that replaces the older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)

Adversaries may also modify the <code>*\template</code> control word within an .rtf file to similarly conceal and then download malicious code. This legitimate control word value is intended to be the file destination of a template resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field whose destination is the URL of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)

This technique may also enable Forced Authentication by injecting an SMB/HTTPS (or other credential-prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)
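The OOXML, RTF and forced-authentication paragraphs above all come down to one detectable property: a template reference whose destination is outside the document. The following detector is an added example written for this page, not code from MITRE or the mapping projects; it walks the relationship parts of an OOXML package for attachedTemplate relationships with an external or remote target, scans RTF bytes for a `\*\template` destination that is a URL or UNC path (a UNC/SMB destination is the forced-authentication case), and builds a constructed minimal .docx fixture so the check runs offline. The relationship type URI and the `word/_rels/settings.xml.rels` part name are the standard OOXML locations; the sample hostnames are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the relationship type OOXML uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
# URL schemes or UNC paths that make the application fetch the template from elsewhere;
# a UNC/SMB destination is also what turns the document into a Forced Authentication lure.
REMOTE = re.compile(r"^(?:https?|ftp|file|smb)://|^\\\\", re.IGNORECASE)

def external_templates_ooxml(data: bytes) -> list:
    """Return (relationship part, target) for attachedTemplate relationships that leave the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry template references
            for rel in ET.fromstring(pkg.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or REMOTE.search(target):
                    findings.append((name, target))
    return findings

# {\*\template <destination>} as written in RTF; the destination is a path or URL.
RTF_TEMPLATE = re.compile(rb"\{\\\*\\template\s+([^}]*)\}", re.IGNORECASE)

def external_templates_rtf(data: bytes) -> list:
    """Return \\*\\template destinations in RTF bytes that resolve to a remote resource."""
    dests = [m.group(1).decode("latin-1").strip() for m in RTF_TEMPLATE.finditer(data)]
    return [d for d in dests if REMOTE.search(d)]

def build_sample_docx(template_target: str, target_mode: str = "External") -> bytes:
    """Constructed minimal .docx fixture (not a real document) whose settings part references a template."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}" TargetMode="{target_mode}"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/settings.xml", "<settings/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A real triage script would run both checks over every attachment and alert on any finding, since a legitimate attached template is almost always a local path with no TargetMode attribute.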


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

DE.AE-02.01 | Event analysis and detection | Mitigates | T1221 | Template Injection
Comments: This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.

PR.IR-01.08 | End-user device access | Mitigates | T1221 | Template Injection
Comments: This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources.

PR.PS-05.01 | Malware prevention | Mitigates | T1221 | Template Injection
Comments: Antivirus/antimalware software can be utilized to prevent documents from fetching and/or executing malicious payloads.

PR.PS-01.01 | Configuration baselines | Mitigates | T1221 | Template Injection
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1221 | Template Injection
Comments: Network/host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads that adversaries can stage in document templates.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1221 | Template Injection
Comments: This diagnostic statement protects against Template Injection through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.

PR.PS-01.08 | End-user device protection | Mitigates | T1221 | Template Injection
Comments: This diagnostic statement protects against Template Injection by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

action.malware.variety.Client-side attack | Client-side or browser attack (e.g., redirection, XSS, AitB) | related-to | T1221 | Template Injection

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

cloud_ids | Cloud IDS | technique_scores | T1221 | Template Injection
Comments: Often used by adversaries to establish persistence, this technique can be detected by Palo Alto Networks' antivirus signatures, which are able to detect malware found in executables and Microsoft Office file templates (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX). Although there are ways an attacker could modify the known attack signature to avoid detection, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks.