T1137.001: Office Template Macros

Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts.

Office Visual Basic for Applications (VBA) macros can be inserted into a base template so that they execute every time the corresponding Office application starts, which gives the adversary persistence. Examples for both Word and Excel have been discovered and published. By default, Word creates a Normal.dotm template that can be modified to include a malicious macro. Excel does not create a template file by default, but one can be added to its startup folder and will then be loaded automatically. Shared templates may also be stored on, and pulled from, remote locations.

Word Normal.dotm location:
C:\Users\<username>\AppData\Roaming\Microsoft\Templates\Normal.dotm

Excel Personal.xlsb location:
C:\Users\<username>\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB

Adversaries may also change the location of the base template to point to their own, either by hijacking the application's search order (e.g. Word 2016 first looks for Normal.dotm under C:\Program Files (x86)\Microsoft Office\root\Office16\) or by modifying the GlobalDotName registry value (under the Word Options key, HKCU\Software\Microsoft\Office\<version>\Word\Options). By setting GlobalDotName an adversary can specify an arbitrary location, file name, and file extension for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.

An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-2702: Outlook_Malicious_Actions: The most dangerous settings were changed in the Outlook client by editing registry keys. An attacker can change Outlook settings to execute arbitrary code, escalate privileges, or gain persistence in the system.

mitre_attck_persistence: PT-CR-2666: Outlook_VbaProjectOTM_Replace: The VbaProject.OTM file, which stores Outlook VBA macros, was replaced. This may indicate an attacker's attempt to use malicious macros to gain persistence in the system, execute arbitrary code, or escalate privileges.

mitre_attck_persistence: PT-CR-262: Office_Template_Modification: A default document template was changed. Microsoft Office applications contain templates that are used to customize styles. Base templates are loaded every time a user starts an Office application.

Detection

ID: DS0022
Data source and component: File: File Creation
Description:

Monitor for newly constructed files that may abuse Microsoft Office templates to obtain persistence on a compromised system.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description:

Collect events related to Registry key modification for keys that could be used for Office-based persistence.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor newly executed processes that may abuse Microsoft Office templates to obtain persistence on a compromised system.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Creation
Description:

Collect events related to Registry key creation for keys that could be used for Office-based persistence.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may abuse Microsoft Office templates to obtain persistence on a compromised system.

ID: DS0022
Data source and component: File: File Modification
Description:

Monitor for changes made to files that may abuse Microsoft Office templates to obtain persistence on a compromised system. Modifications to base templates such as Normal.dotm should be investigated, since base templates should not normally contain VBA macros. Changes to the Office macro security settings should also be investigated.
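The check the detection text above calls for (are the auto-loaded base templates carrying a VBA project at all?) can be scripted from the file system alone. The following Python script is an added example written for this page; it is not part of the ATT&CK entry nor of any Positive Technologies product. It assumes the modern OOXML layout, in which a .dotm/.xlsb/.xlsm template is a ZIP container and the macros live in a part named vbaProject.bin (word/vbaProject.bin for Word, xl/vbaProject.bin for Excel). The template files it inspects in the demo are constructed in a temporary directory for illustration; on a real host you would point audit_templates() at the Normal.dotm and PERSONAL.XLSB paths listed earlier on this page (and at whatever GlobalDotName resolves to).

```python
import os
import tempfile
import zipfile

# The auto-loaded template locations named on this page. %APPDATA% is read
# from the environment so the list applies to whichever user runs the audit;
# on a non-Windows host the variable is absent and the defaults are reported
# as missing.
APPDATA = os.environ.get("APPDATA", "")
DEFAULT_TEMPLATES = [
    os.path.join(APPDATA, "Microsoft", "Templates", "Normal.dotm"),
    os.path.join(APPDATA, "Microsoft", "Excel", "XLSTART", "PERSONAL.XLSB"),
]


def vba_parts(path):
    """Return the names of VBA project parts found inside an OOXML template.

    OOXML templates are ZIP containers and the macro code is stored in a part
    whose name ends in vbaProject.bin. The point made on the page is that base
    templates should not carry macros, so any such part is the signal worth
    investigating. Returns None when the file is not a ZIP container at all
    (for example a legacy binary .dot or .xls), so the caller can tell "needs
    a different parser" apart from "no macros found".
    """
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        return sorted(n for n in zf.namelist()
                      if n.lower().endswith("vbaproject.bin"))


def audit_templates(paths):
    """Inspect every path and return a list of (path, verdict) tuples.

    Verdicts: 'missing' (no such file), 'not-ooxml' (not a ZIP container),
    'macro' (a vbaProject.bin part is present), 'clean' (no VBA part).
    """
    results = []
    for p in paths:
        if not os.path.isfile(p):
            results.append((p, "missing"))
            continue
        parts = vba_parts(p)
        if parts is None:
            results.append((p, "not-ooxml"))
        elif parts:
            results.append((p, "macro"))
        else:
            results.append((p, "clean"))
    return results


def build_sample_template(path, with_macro):
    """Write a minimal constructed OOXML container for the demo.

    This is not a real Word template, only enough of the ZIP layout for
    vba_parts() to inspect; the vbaProject.bin payload is a placeholder.
    """
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)


def run_demo():
    """Build three constructed samples in a temporary directory, audit them,
    and return {basename: verdict} so the result can be checked directly."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "Normal.dotm")
        tampered = os.path.join(tmp, "Normal_with_macro.dotm")
        legacy = os.path.join(tmp, "legacy.dot")
        build_sample_template(clean, with_macro=False)
        build_sample_template(tampered, with_macro=True)
        with open(legacy, "wb") as fh:
            fh.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 28)  # OLE2 header, not a ZIP
        return {os.path.basename(p): v
                for p, v in audit_templates([clean, tampered, legacy])}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:9s} {name}")
    # On a Windows host this also reports the user's real base templates.
    for path, verdict in audit_templates(DEFAULT_TEMPLATES):
        print(f"{verdict:9s} {path}")
```

A 'macro' verdict on Normal.dotm or PERSONAL.XLSB is a lead, not a conviction: users who record their own macros legitimately put a vbaProject.bin into Normal.dotm, so pair this check with the file-modification and registry telemetry described on this page (who wrote the file, when, and whether GlobalDotName or the macro security settings changed around the same time). Legacy binary templates return 'not-ooxml' and need an OLE parser rather than this ZIP check.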

Mitigation

ID: M1040
Name: Behavior Prevention on Endpoint
Description:

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk.

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.

Disable Office add-ins. If they are required, follow best practices for securing them: require them to be signed and disable the user notification that allows add-ins to be approved. For some add-in types (WLL, VBA) additional mitigation is likely required, because disabling add-ins in the Office Trust Center does not disable WLL add-ins and does not prevent VBA code from executing.