T1221: Template Injection
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.
Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.
Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.
Adversaries may also modify the *\template control word within an .rtf file to similarly conceal and then download malicious code. This legitimate control word value is intended to be the file destination of a template resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field that includes the URL of a malicious payload.
This technique may also enable Forced Authentication by injecting an SMB/HTTPS (or other credential-prompting) URL and triggering an authentication attempt.
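A defender-side check for the two reference types described above, written as an added example for this page (it is not Positive Technologies' or MITRE's code). It parses every .rels part of an OOXML package for relationships whose target resolves outside the package and scans RTF text for the template control word; the in-memory package builder, the example.invalid hostnames and the function names are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationships resolved outside the package (TargetMode="External") are the hook
# this technique relies on; the scheme of the Target shows whether opening the file
# would trigger a remote fetch (HTTP) or an authentication attempt (UNC/SMB path).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REMOTE_SCHEMES = re.compile(r"^(https?://|file://|smb://|\\\\)", re.IGNORECASE)

def external_template_refs(docx_bytes: bytes) -> list:
    """Return (rels part, target) pairs for remote external targets in any .rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_SCHEMES.match(target):
                    hits.append((name, target))
    return hits

def rtf_template_refs(rtf_bytes: bytes) -> list:
    """Return remote destinations named by the RTF template control word."""
    text = rtf_bytes.decode("latin-1", errors="replace")
    found = re.findall(r"\{\\\*\\template\s+([^}]+)\}", text)
    return [t.strip() for t in found if REMOTE_SCHEMES.match(t.strip())]

def build_sample_docx(template_target: str) -> bytes:
    """Constructed test fixture: a minimal package whose settings part attaches an external template."""
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            f'relationships/attachedTemplate" Target="{template_target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx("https://example.invalid/blueprint.dotm")  # placeholder URL
    print(external_template_refs(sample))
```

A local template reference such as `Normal.dotm` is not reported, so the check distinguishes the technique from ordinary attached templates.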
Positive Technologies products that cover the technique
Detection
PT NAD can detect exploitation of vulnerabilities which allow adversaries to create or modify references in user document templates to conceal malicious code or force authentication attempts.
Examples of PT NAD detection rules
- ATTACK [PTsecurity] Possible CVE-2022-30190 (Windows Support Diagnostic Tool) (sid 10007518)
- SUSPICIOUS [PTsecurity] Download DOC file with VBAScript (sid 10003724)
- ET INFO Doc Requesting Remote Template (.dotm) (sid 2031379)
- POLICY [PTsecurity] SMB NTLM auth request to external net (sid 10005960)
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts.
DS0009 | Process: Process Creation | Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: PowerShell), or other suspicious actions that could relate to post-compromise behavior.
DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
Mitigation
ID | Name | Description
---|---|---
M1031 | Network Intrusion Prevention | Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.
M1049 | Antivirus/Antimalware | Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.
M1017 | User Training | Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.
M1042 | Disable or Remove Feature or Program | Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents, though this setting may not mitigate the Forced Authentication use of this technique.