Persistence

T1137.001: Office Template Macros


T1137.001 · Sub-technique · 2 platforms · 1 group

Description

Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)

Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code each time the respective Office application starts, which gives the adversary persistence. Examples for both Word and Excel have been discovered and published. By default, Word creates a Normal.dotm template that can be modified to include a malicious macro. Excel does not create a startup workbook by default, but any workbook placed in its XLSTART folder (commonly PERSONAL.XLSB) is loaded automatically.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored on, and pulled from, remote locations.(Citation: GlobalDotName Jun 2019)

Word Normal.dotm location:
C:\Users\<username>\AppData\Roaming\Microsoft\Templates\Normal.dotm

Excel Personal.xlsb location:
C:\Users\<username>\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB

Adversaries may also change which base template is loaded. One way is to hijack the application's template search order: Word 2016, for example, looks for Normal.dotm under C:\Program Files (x86)\Microsoft Office\root\Office16\ before the per-user copy, so a template placed there takes precedence. Another is to modify the GlobalDotName registry value, which lets an adversary specify an arbitrary location, file name, and file extension for the template Word loads at startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019)

An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.
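The following PowerShell hunt is added here as an example; it is not from the ATT&CK page or from any of the cited write-ups. It walks the locations described above on a Windows host: the install-directory Normal.dotm that Word 2016 checks first, each user's Normal.dotm, every file in each user's XLSTART folder, and the per-user GlobalDotName value. For OOXML templates it reports whether a VBA project (the vbaProject.bin part) is actually present, which is what separates a stock Normal.dotm from one that has been backdoored. Assumptions: Office 16.0 registry paths, GlobalDotName living under HKCU\Software\Microsoft\Office\16.0\Word\Options, and a 64-bit install path mirrored from the 32-bit one the page cites. Run it elevated so other users' profiles and hives are readable.

```powershell
# Added example: hunt for Office template persistence (T1137.001).
# Not from the ATT&CK page; Office 16.0 paths and the GlobalDotName key
# location are assumptions to verify against your build.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OoxmlHasVbaProject {
    param([string]$Path)
    # .dotm/.xltm/.xlsm are ZIP containers; a macro project is stored as */vbaProject.bin.
    # Returns $true/$false for ZIP files and $null for non-ZIP input (e.g. binary PERSONAL.XLSB).
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            return [bool]($zip.Entries | Where-Object { $_.FullName -match 'vbaProject\.bin$' })
        } finally {
            $zip.Dispose()
        }
    } catch {
        return $null
    }
}

function Get-OfficeTemplateFindings {
    $candidates = @(
        # Search-order location the page cites for Word 2016 (32-bit) plus the 64-bit analogue (assumed)
        'C:\Program Files (x86)\Microsoft Office\root\Office16\Normal.dotm',
        'C:\Program Files\Microsoft Office\root\Office16\Normal.dotm'
    )
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
        $roaming = Join-Path $profile.FullName 'AppData\Roaming\Microsoft'
        $candidates += Join-Path $roaming 'Templates\Normal.dotm'
        $xlstart = Join-Path $roaming 'Excel\XLSTART'
        if (Test-Path $xlstart) {
            # Excel auto-loads every workbook in XLSTART, not only PERSONAL.XLSB
            $candidates += (Get-ChildItem $xlstart -File | ForEach-Object { $_.FullName })
        }
    }
    foreach ($path in $candidates | Where-Object { Test-Path $_ }) {
        $item = Get-Item $path
        [pscustomobject]@{
            Path          = $path
            HasVbaProject = Test-OoxmlHasVbaProject $path   # $null means binary format: inspect manually
            LastWrite     = $item.LastWriteTime
            Bytes         = $item.Length
        }
    }
}

function Get-GlobalDotNameSettings {
    # The value is per user, so only hives currently loaded under HKEY_USERS are visible.
    $hives = Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.Name -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $key = "Registry::$($hive.Name)\Software\Microsoft\Office\16.0\Word\Options"
        $v = Get-ItemProperty -Path $key -Name GlobalDotName -ErrorAction SilentlyContinue
        if ($v) {
            [pscustomobject]@{ Sid = $hive.PSChildName; GlobalDotName = $v.GlobalDotName }
        }
    }
}

Get-OfficeTemplateFindings | Format-Table -AutoSize
Get-GlobalDotNameSettings | Format-Table -AutoSize
```

A Normal.dotm that exists is not by itself suspicious, since Word creates one on first use; a Normal.dotm whose ZIP contains word/vbaProject.bin, any file at all in XLSTART, or any GlobalDotName value set is what deserves a closer look, together with the LastWrite time against the user's known activity.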

Platforms

Office Suite, Windows

Mitigations (2)

M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)

M1042 Disable or Remove Feature or Program

Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.
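As an added example (not from the ATT&CK page), the PowerShell below sets the VBA macro policy through the Office policy hive, where it cannot be loosened from the Trust Center. Two details matter for this particular technique and are handled explicitly: the per-user Templates and XLSTART folders are default Trusted Locations, in which macros run regardless of the VBAWarnings setting, so the "Disable all trusted locations" policy is applied as well; and macros in files carrying Mark-of-the-Web are blocked separately. Registry paths assume Office 16.0 and are per user (HKCU), so in practice the same values are pushed by GPO or Intune rather than run by hand.

```powershell
# Added example: enforce Office macro policy for Word, Excel and PowerPoint (M1042).
# Not from the ATT&CK page; key paths assume Office 16.0.
# VBAWarnings: 2 = disable with notification, 3 = disable all except digitally signed, 4 = disable all, no notification.
$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(2, 3, 4)][int]$VbaWarnings = 4,
        [switch]$DisableTrustedLocations
    )
    foreach ($app in $OfficeApps) {
        $sec = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
        New-ItemProperty -Path $sec -Name VBAWarnings -Value $VbaWarnings -PropertyType DWord -Force | Out-Null
        # Block macros in documents that carry Mark-of-the-Web, independent of VBAWarnings
        New-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -PropertyType DWord -Force | Out-Null
        if ($DisableTrustedLocations) {
            # Normal.dotm and XLSTART sit in default Trusted Locations, where macros bypass
            # VBAWarnings; this policy removes that exemption.
            $tl = Join-Path $sec 'Trusted Locations'
            if (-not (Test-Path $tl)) { New-Item -Path $tl -Force | Out-Null }
            New-ItemProperty -Path $tl -Name AllLocationsDisabled -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $OfficeApps) {
        $sec = Join-Path $PolicyRoot "$app\Security"
        $p   = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        $tl  = Get-ItemProperty -Path (Join-Path $sec 'Trusted Locations') -ErrorAction SilentlyContinue
        $warn = if ($p -and $null -ne $p.VBAWarnings) { $p.VBAWarnings } else { 'not set (user-controlled)' }
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $warn
            BlockFromInternet   = [bool]($p -and $p.blockcontentexecutionfrominternet -eq 1)
            TrustedLocsDisabled = [bool]($tl -and $tl.AllLocationsDisabled -eq 1)
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 4 -DisableTrustedLocations
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Where signed macros are a business requirement, use -VbaWarnings 3 and sign the approved projects; the Trusted Locations policy still applies, so a macro dropped into Normal.dotm would also have to be signed by a trusted publisher to run.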

Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office T

Threat Groups (1)

G0069 MuddyWater: [MuddyWater](https://attack.mitre.org/groups/G0069) has used a Word Template, Normal.dotm, for persistence.(Citation: Reaqta MuddyWater November 2017)

Associated Software (3)

S9026 ROAMINGHOUSE (Malware): [ROAMINGHOUSE](https://attack.mitre.org/software/S9026) has been loaded as a Word Template file when victims opened a decoy document placed in `%APPDA...
S0475 BackConfig (Malware): [BackConfig](https://attack.mitre.org/software/S0475) has the ability to use hidden columns in Excel spreadsheets to store executable files or command...
S0154 Cobalt Strike (Malware): [Cobalt Strike](https://attack.mitre.org/software/S0154) has the ability to use an Excel Workbook to execute additional code by enabling Office to tru...

Frequently Asked Questions

What is T1137.001 (Office Template Macros)?

T1137.001 is a MITRE ATT&CK sub-technique named 'Office Template Macros'. It belongs to the Persistence tactic. Adversaries abuse Microsoft Office base templates, such as Word's Normal.dotm or a workbook in Excel's XLSTART folder, by inserting VBA macros that run each time the application starts, or by redirecting which template is loaded via the search order or the GlobalDotName registry value.

How can T1137.001 be detected?

Detection of T1137.001 (Office Template Macros) focuses on the artifacts the technique leaves behind: creation or modification of Normal.dotm under %APPDATA%\Microsoft\Templates, new or changed files in Excel's XLSTART folder, templates appearing in the Office install directory ahead of the per-user copy in the search order, and writes to the GlobalDotName registry value. Pair that file and registry monitoring with process telemetry for Office applications spawning unexpected child processes, which is the behaviour the ASR rules in the mitigations above block.

What mitigations exist for T1137.001?

There are 2 documented mitigations for T1137.001. Key mitigations include: Behavior Prevention on Endpoint, Disable or Remove Feature or Program.

Which threat groups use T1137.001?

Known threat groups using T1137.001 include: MuddyWater.