T1137.001

Office Template Macros

Adversaries abuse Microsoft Office templates (Normal.dotm for Word, PERSONAL.XLSB for Excel) to obtain persistence. Malicious VBA macros inserted into base templates execute every time the Office application starts. Adversaries may also hijack the GlobalDotName registry key to point Word to an arbitrary template location, enabling stealth persistence that fires on every Word launch.

Microsoft Sentinel / Defender

kusto

// T1137.001 — Office Template Macros persistence detection
// Detect writes to Office template files and GlobalDotName registry modification
let OfficeMacroTemplates = dynamic([
  "Normal.dotm", "PERSONAL.XLSB", "NormalEmail.dotm"
]);
let TemplateStartupPaths = dynamic([
  "\\AppData\\Roaming\\Microsoft\\Templates\\",
  "\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\",
  "\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\",
  "\\Program Files (x86)\\Microsoft Office\\root\\"
]);
// Part 1: Detect writes to Office template files
let TemplateFileWrites = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FileName has_any (OfficeMacroTemplates) or FolderPath has_any (TemplateStartupPaths)
| where InitiatingProcessFileName !in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "MicrosoftEdgeUpdate.exe", "OfficeClickToRun.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType;
// Part 2: Detect GlobalDotName registry key modification
let GlobalDotNameReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Microsoft", "Word")
| where RegistryValueName =~ "GlobalDotName" or RegistryKey has "GlobalDotName"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType;
// Part 3: Detect Office apps spawning unexpected child processes (macro execution)
let OfficeMacroExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| where FileName !in~ ("winword.exe", "excel.exe", "powerpnt.exe", "MSOSYNC.exe", "splwow64.exe", "WerFault.exe", "csc.exe", "vbc.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
union TemplateFileWrites, GlobalDotNameReg, OfficeMacroExec
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Creation File: File Modification Windows Registry: Registry Value Modification Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents DeviceProcessEvents

False Positives

Legitimate IT automation tools (PDQ Deploy, SCCM) distributing updated Office templates to endpoints
User-created macros in Personal.xlsb for legitimate automation of repetitive Excel tasks
Office add-in installations that create or modify startup folder files as part of normal installation
Helpdesk/support personnel modifying Normal.dotm to deploy standardized corporate templates

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval source_type=case(
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=11, "template_write",
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=13, "registry_mod",
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1, "process_create",
    true(), "other"
  )
| where source_type IN ("template_write", "registry_mod", "process_create")
| eval is_template_file=if(
    source_type="template_write" AND (
      match(TargetFilename, "(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)") OR
      match(TargetFilename, "(?i)(\\\\AppData\\\\Roaming\\\\Microsoft\\\\(Templates|Excel\\\\XLSTART|Word\\\\STARTUP))")
    ) AND NOT match(Image, "(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe"),
    1, 0)
| eval is_globaldotname=if(
    source_type="registry_mod" AND (
      match(TargetObject, "(?i)Microsoft\\\\Office.*Word.*GlobalDotName") OR
      match(Details, "(?i)GlobalDotName")
    ), 1, 0)
| eval is_office_child=if(
    source_type="process_create" AND
    match(ParentImage, "(?i)(winword|excel|powerpnt)\.exe") AND
    match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe"),
    1, 0)
| eval detection_type=case(
    is_template_file=1, "Template File Modified by Non-Office Process",
    is_globaldotname=1, "GlobalDotName Registry Key Modified",
    is_office_child=1, "Office Application Spawned Suspicious Child Process",
    true(), "unknown"
  )
| where is_template_file=1 OR is_globaldotname=1 OR is_office_child=1
| eval host_user=host."|".coalesce(User, SubjectUserName, "-")
| table _time, host, User, detection_type, Image, CommandLine, TargetFilename, TargetObject, Details, ParentImage, ParentCommandLine
| sort - _time

high severity high confidence

Data Sources

File: File Creation Windows Registry: Registry Value Modification Process: Process Creation Sysmon Event ID 1, 11, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IT automation tools distributing updated corporate Office templates
User macros in Personal.xlsb for Excel task automation
Office add-in installations writing to startup directories
VBA IDE activity during macro development by developers or power users

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where (
    (
      event.category == "file" and event.action in ("creation", "modification") and
      (
        file.name in~ ("Normal.dotm", "PERSONAL.XLSB", "NormalEmail.dotm") or
        file.path like~ "*\\AppData\\Roaming\\Microsoft\\Templates\\*" or
        file.path like~ "*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" or
        file.path like~ "*\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" or
        file.path like~ "*\\Program Files (x86)\\Microsoft Office\\root\\*"
      ) and
      not process.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "MicrosoftEdgeUpdate.exe", "OfficeClickToRun.exe")
    ) or
    (
      event.category == "registry" and event.action in ("modification", "creation") and
      (
        registry.path like~ "*Microsoft*Word*GlobalDotName*" or
        registry.value like~ "*GlobalDotName*"
      )
    )
  )
] by process.entity_id

// Supplemental: Office spawning suspicious child
sequence by host.name with maxspan=1m
[
  process where event.type == "start" and
    process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe") and
    process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe")
]

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs Sysmon via Filebeat/Winlogbeat

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate Office add-in installers or macro-enabled template deployment tools writing to XLSTART or Templates directories during managed software deployment
IT administrators using scripts to deploy standardized Word/Excel templates across the organization, which may trigger the non-Office process writing to template paths
Antivirus or DLP software scanning and touching Office template files as part of scheduled scans may appear as unexpected file modifications

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "HOST"(devicehostname) AS hostname,
  QIDNAME(qid) AS event_name,
  "SourceFilePath" AS source_file,
  "TargetFilePath" AS target_file,
  "ProcessFilePath" AS process_path,
  "CommandLine" AS command_line,
  "RegistryKey" AS registry_key,
  "RegistryValue" AS registry_value,
  category,
  eventdirection
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 52, 407)
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    -- Template file write by non-Office process (Sysmon Event 11)
    (
      QIDNAME(qid) LIKE '%File Created%'
      AND (
        LOWER("TargetFilePath") LIKE '%normal.dotm%'
        OR LOWER("TargetFilePath") LIKE '%personal.xlsb%'
        OR LOWER("TargetFilePath") LIKE '%normalemail.dotm%'
        OR LOWER("TargetFilePath") LIKE '%appdata%roaming%microsoft%templates%'
        OR LOWER("TargetFilePath") LIKE '%appdata%roaming%microsoft%excel%xlstart%'
        OR LOWER("TargetFilePath") LIKE '%appdata%roaming%microsoft%word%startup%'
      )
      AND NOT (
        LOWER("ProcessFilePath") LIKE '%winword.exe'
        OR LOWER("ProcessFilePath") LIKE '%excel.exe'
        OR LOWER("ProcessFilePath") LIKE '%powerpnt.exe'
        OR LOWER("ProcessFilePath") LIKE '%outlook.exe'
        OR LOWER("ProcessFilePath") LIKE '%officeclicktorun.exe'
      )
    )
    OR
    -- GlobalDotName registry modification (Sysmon Event 13)
    (
      QIDNAME(qid) LIKE '%Registry Value Set%'
      AND (
        LOWER("RegistryKey") LIKE '%microsoft%word%'
        AND (
          LOWER("RegistryValue") LIKE '%globaldotname%'
          OR LOWER("RegistryKey") LIKE '%globaldotname%'
        )
      )
    )
    OR
    -- Office spawning suspicious child process (Sysmon Event 1 / WinEvent 4688)
    (
      QIDNAME(qid) LIKE '%Process Create%'
      AND (
        LOWER("ParentProcessFilePath") LIKE '%winword.exe'
        OR LOWER("ParentProcessFilePath") LIKE '%excel.exe'
        OR LOWER("ParentProcessFilePath") LIKE '%powerpnt.exe'
      )
      AND (
        LOWER("ProcessFilePath") LIKE '%cmd.exe'
        OR LOWER("ProcessFilePath") LIKE '%powershell.exe'
        OR LOWER("ProcessFilePath") LIKE '%wscript.exe'
        OR LOWER("ProcessFilePath") LIKE '%cscript.exe'
        OR LOWER("ProcessFilePath") LIKE '%mshta.exe'
        OR LOWER("ProcessFilePath") LIKE '%rundll32.exe'
        OR LOWER("ProcessFilePath") LIKE '%regsvr32.exe'
        OR LOWER("ProcessFilePath") LIKE '%certutil.exe'
        OR LOWER("ProcessFilePath") LIKE '%bitsadmin.exe'
      )
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon (via QRadar DSM) Windows Security Event Log

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune) pushing Office template updates to managed endpoints may trigger the template file write detection
Macro-enabled Excel Personal Macro Workbook (PERSONAL.XLSB) being legitimately created when a user first records a macro in Excel
Legitimate use of cmd.exe or PowerShell launched from Office via DDE or legitimate automation scripts configured by the organization for business processes

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where EventCode in ("1", "11", "13", "4688")
| parse field=_raw "<EventID>*</EventID>" as parsed_event_id nodrop
| parse field=_raw "TargetFilename>*</TargetFilename" as target_filename nodrop
| parse field=_raw "Image>*</Image" as image nodrop
| parse field=_raw "ParentImage>*</ParentImage" as parent_image nodrop
| parse field=_raw "CommandLine>*</CommandLine" as command_line nodrop
| parse field=_raw "TargetObject>*</TargetObject" as registry_target_object nodrop
| parse field=_raw "Details>*</Details" as registry_details nodrop
// Classify event type
| eval detection_type = if(
    EventCode in ("11") AND (
      matches(target_filename, "(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)")
      OR matches(target_filename, "(?i)AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)")
    ) AND NOT matches(image, "(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe"),
    "Template File Modified by Non-Office Process",
  if(
    EventCode in ("13") AND matches(registry_target_object, "(?i)Microsoft.*Word.*GlobalDotName"),
    "GlobalDotName Registry Key Modified",
  if(
    EventCode in ("1", "4688") AND (
      matches(parent_image, "(?i)(winword|excel|powerpnt)\.exe")
    ) AND matches(image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe"),
    "Office Application Spawned Suspicious Child Process",
  null()
  )))
| where !isNull(detection_type)
| fields _messageTime, _sourceHost, detection_type, image, parent_image, command_line, target_filename, registry_target_object, registry_details
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon (via Sumo Logic Collector) Windows Security Event Log

Required Tables

windows/sysmon windows/security

False Positives

Software packaging tools writing Office templates to XLSTART during application installs, commonly seen during Microsoft 365 updates or add-in deployments
End-user macro development: saving a macro to Personal Macro Workbook in Excel legitimately creates PERSONAL.XLSB in the XLSTART directory
Organizational automation scripts legitimately launched from Excel via the Workbook_Open event as part of business-approved macro workflows

Google Chronicle / SecOps

yaral

rule t1137_001_office_template_macros {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1137.001 Office Template Macro persistence: writes to Office template files by non-Office processes, GlobalDotName registry modification, or Office spawning suspicious child processes."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Branch 1: Template file write by non-Office process
      (
        $e.metadata.event_type = "FILE_MODIFICATION" or
        $e.metadata.event_type = "FILE_CREATION"
      ) and
      (
        re.regex($e.target.file.full_path, `(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)`) or
        re.regex($e.target.file.full_path, `(?i)AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)`)
      ) and
      not re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe`)
    )
    or
    (
      // Branch 2: GlobalDotName registry key modification
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" or
        $e.metadata.event_type = "REGISTRY_CREATION"
      ) and
      re.regex($e.target.registry.registry_key, `(?i)Microsoft.*Word.*GlobalDotName`)
    )
    or
    (
      // Branch 3: Office spawning suspicious child process
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt)\.exe`) and
      re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)\.exe`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if($e.metadata.event_type = "REGISTRY_MODIFICATION" and re.regex($e.target.registry.registry_key, `(?i)GlobalDotName`), 85,
      if($e.metadata.event_type = "PROCESS_LAUNCH" and re.regex($e.target.process.file.full_path, `(?i)(powershell|mshta|regsvr32)\.exe`), 90,
      70))
    )
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $process_name = $e.target.process.file.full_path
    $parent_process = $e.principal.process.file.full_path
    $file_path = $e.target.file.full_path
    $registry_key = $e.target.registry.registry_key

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs (via Chronicle forwarder) Microsoft Defender for Endpoint (via Chronicle integration) Sysmon (via Chronicle forwarder)

Required Tables

UDM Events - FILE_MODIFICATION UDM Events - FILE_CREATION UDM Events - REGISTRY_MODIFICATION UDM Events - PROCESS_LAUNCH

False Positives

Legitimate macro-enabled template deployment by enterprise IT using scripting tools that write to the Office Templates directory as part of standardized configuration management
Security software or backup agents accessing and modifying Office template files as part of scheduled scanning or versioning operations
Office Online or SharePoint sync clients legitimately modifying local Office template caches, appearing as non-standard Office processes writing to template paths

CrowdStrike LogScale (CQL)

cql

// Branch 1: Template file write by non-Office process
#event_simpleName = "FileOpenInfo" OR #event_simpleName = "FileCreate" OR #event_simpleName = "FileWrite"
| TargetFileName = /(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)/
  OR TargetFileName = /(?i)AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)/
| ImageFileName != /(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe/
| eval detection_type = "Template File Modified by Non-Office Process"
| table([ _time, ComputerName, UserName, ImageFileName, TargetFileName, CommandHistory, detection_type ])

// Branch 2: GlobalDotName registry key modification
| union {
  #event_simpleName = "RegSetValue"
  | (TargetObject = /(?i)Microsoft.*Word.*GlobalDotName/ OR ValueData = /(?i)GlobalDotName/)
  | eval detection_type = "GlobalDotName Registry Key Modified"
  | table([ _time, ComputerName, UserName, ImageFileName, TargetObject, ValueData, detection_type ])
}

// Branch 3: Office spawning suspicious child process
| union {
  #event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2"
  | ParentBaseFileName = /(?i)(winword|excel|powerpnt)\.exe/
  | ImageFileName = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)\.exe/
  | eval detection_type = "Office Application Spawned Suspicious Child Process"
  | table([ _time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, detection_type ])
}

| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Sensor (FileCreate, RegSetValue, ProcessRollup2 events)

Required Tables

FileCreate FileWrite FileOpenInfo RegSetValue ProcessRollup2 SyntheticProcessRollup2

False Positives

Falcon sensor may generate FileCreate events for Normal.dotm when Word itself saves a modified template with a brief delay in process attribution, causing transient false positives during Office updates
RPA (Robotic Process Automation) tools such as UiPath or Automation Anywhere that automate Office workflows may legitimately spawn cmd.exe or PowerShell as child processes of Word or Excel
PowerShell-based Office automation scripts approved for finance or HR workflows that run on schedule and legitimately have Excel.exe as their parent process

Last updated: 2026-04-19 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1137.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1137Office Application Startup

Related Sub-techniques

T1137.002Office Test T1137.003Outlook Forms T1137.004Outlook Home Page T1137.005Outlook Rules T1137.006Add-ins

Office Template Macros

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections