Description
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.
Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)
Adversaries may also modify the *\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)
This technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)
Platforms
Mitigations (4)
Antivirus/AntimalwareM1049
Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.(Citation: Anomali Template Injection MAR 2018)
Network Intrusion PreventionM1031
Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.(Citation: Anomali Template Injection MAR 2018)
User TrainingM1017
Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.
Disable or Remove Feature or ProgramM1042
Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents (Citation: Microsoft Disable Macros), though this setting may not mitigate the Forced Authentication use for this technique.
Threat Groups (8)
| ID | Group | Context |
|---|---|---|
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has injected SMB URLs into malicious Word spearphishing attachments to initiate [Forced Authenticat... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used a weaponized Microsoft Word document with an embedded RTF exploit.(Citation: Uptycs Confuc... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) delivered malicious documents with the XLSX extension, typically used by OpenXML documents, bu... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious m... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used DOCX files to download malicious DOT document templates and has used RTF template in... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has used decoy documents to load malicious remote payloads via HTTP.(Citation: Unit 42 Inception No... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used remote template injection to retrieve malicious payloads from the C2.(Citation: ITOCHU LO... |
| G0079 | DarkHydrus | [DarkHydrus](https://attack.mitre.org/groups/G0079) used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word d... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) changed the template target of the settings.xml file embedded in the Word document and populated that... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) has been install via template injection through a malicious DLL embedded within a template RTF i... |
References
- Baird, S. et al.. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018.
- Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.
- Hawkins, J. (2018, July 18). Executing Macros From a DOCX With Remote Template Injection. Retrieved October 12, 2018.
- Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.
- Microsoft. (2014, July 9). Introducing the Office (2007) Open XML File Formats. Retrieved July 20, 2018.
- Pedrero, R.. (2021, July). Decoding malicious RTF files. Retrieved November 16, 2021.
- Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors . Retrieved December 9, 2021.
- Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018.
- Wiltse, B.. (2018, November 7). Template Injection Attacks - Bypassing Security Controls by Living off the Land. Retrieved April 10, 2019.
Frequently Asked Questions
What is T1221 (Template Injection)?
T1221 is a MITRE ATT&CK technique named 'Template Injection'. It belongs to the Stealth tactic(s). Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification define...
How can T1221 be detected?
Detection of T1221 (Template Injection) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1221?
There are 4 documented mitigations for T1221. Key mitigations include: Antivirus/Antimalware, Network Intrusion Prevention, User Training, Disable or Remove Feature or Program.
Which threat groups use T1221?
Known threat groups using T1221 include: Dragonfly, Confucius, Tropic Trooper, APT28, Gamaredon Group, Inception, MirrorFace, DarkHydrus.