T1221 Template Injection Mappings

Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)

This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CA-7 Continuous Monitoring Protects T1221 Template Injection
CM-2 Baseline Configuration Protects T1221 Template Injection
CM-6 Configuration Settings Protects T1221 Template Injection
CM-7 Least Functionality Protects T1221 Template Injection
CM-8 System Component Inventory Protects T1221 Template Injection
RA-5 Vulnerability Monitoring and Scanning Protects T1221 Template Injection
SC-44 Detonation Chambers Protects T1221 Template Injection
SC-7 Boundary Protection Protects T1221 Template Injection
SI-10 Information Input Validation Protects T1221 Template Injection
SI-2 Flaw Remediation Protects T1221 Template Injection
SI-3 Malicious Code Protection Protects T1221 Template Injection
SI-4 System Monitoring Protects T1221 Template Injection
SI-7 Software, Firmware, and Information Integrity Protects T1221 Template Injection
SI-8 Spam Protection Protects T1221 Template Injection
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) related-to T1221 Template Injection