Detect Office Template Macros in Google Chronicle
Adversaries abuse Microsoft Office templates (Normal.dotm for Word, PERSONAL.XLSB for Excel) to obtain persistence. A malicious VBA macro inserted into one of these base templates runs every time the corresponding Office application starts, and anything dropped into the Word STARTUP or Excel XLSTART folders is loaded at launch in the same way. Adversaries may also set the GlobalDotName value under the Word Options registry key to point Word at an arbitrary template path, so the backdoored template loads on every Word launch without Normal.dotm itself being touched.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.001 Office Template Macros
- Canonical reference: https://attack.mitre.org/techniques/T1137/001/
YARA-L Detection Query
rule t1137_001_office_template_macros {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1137.001 Office Template Macro persistence: writes to Office template files by non-Office processes, GlobalDotName registry modification, or Office spawning suspicious child processes."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Branch 1: template file write by a non-Office process
      (
        $e.metadata.event_type = "FILE_MODIFICATION" or
        $e.metadata.event_type = "FILE_CREATION"
      ) and
      (
        re.regex($e.target.file.full_path, `(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)`) or
        re.regex($e.target.file.full_path, `(?i)AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)`)
      ) and
      not re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe`)
    )
    or
    (
      // Branch 2: GlobalDotName registry value created or modified
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" or
        $e.metadata.event_type = "REGISTRY_CREATION"
      ) and
      re.regex($e.target.registry.registry_key, `(?i)Microsoft.*Word.*GlobalDotName`)
    )
    or
    (
      // Branch 3: Office application spawning a suspicious child process
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt)\.exe`) and
      re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)\.exe`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    // Highest-scoring branch seen on the host in the window wins.
    $risk_score = max(
      if(($e.metadata.event_type = "REGISTRY_MODIFICATION" or $e.metadata.event_type = "REGISTRY_CREATION")
         and re.regex($e.target.registry.registry_key, `(?i)GlobalDotName`), 85,
      if($e.metadata.event_type = "PROCESS_LAUNCH"
         and re.regex($e.target.process.file.full_path, `(?i)(powershell|mshta|regsvr32)\.exe`), 90,
      70))
    )
    // A rule with a match section groups several events per detection, so event
    // fields other than the match variable must be aggregated in the outcome section.
    $hostname = $e.principal.hostname
    $users = array_distinct($e.principal.user.userid)
    $process_names = array_distinct($e.target.process.file.full_path)
    $parent_processes = array_distinct($e.principal.process.file.full_path)
    $file_paths = array_distinct($e.target.file.full_path)
    $registry_keys = array_distinct($e.target.registry.registry_key)

  condition:
    $e
}

This Chronicle YARA-L 2.0 rule detects T1137.001 Office Template Macro persistence across three behavioral branches of the UDM event model: template file creation or modification by a non-Office initiating process, GlobalDotName registry tampering that redirects Word's template loading to an attacker-controlled path, and an Office application process spawning a high-risk child executable when a macro fires. Matches are grouped per host over a 5-minute window, so a backdoored template followed by the macro spawning PowerShell on the same workstation surfaces as one detection with the highest branch score. Note that the file-path regexes are unanchored: they match `Normal.dotm.bak` or any file under the Templates directory, which is what makes the first Atomic test visible but also widens the net for benign writers.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate macro-enabled template deployment by enterprise IT, where configuration-management or scripting tools write to the Office Templates directory as part of a standardized build
- Security software or backup agents reading and rewriting Office template files during scheduled scans or versioning runs
- Office Online or SharePoint sync clients legitimately updating local Office template caches, which appear as non-Office processes writing to template paths
- When excluding any of these, key the exclusion on the full signed binary path (or file hash) rather than the bare process name, since an attacker can name a dropper after the deployment tool
Other platforms for T1137.001
Testing Methodology
Validate this detection against the three Atomic Red Team tests for T1137.001. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Modify Normal.dotm via PowerShell (Simulated Template Backdoor)
Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename ending in Normal.dotm.bak and Image=powershell.exe. Security Event ID 4663 on the template file if object access auditing is enabled. This fires Branch 1 because the unanchored `Normal\.dotm` regex also matches the `.bak` copy.
- Test 2: Set GlobalDotName Registry Key
Expected signal: Sysmon Event ID 13 (RegistryValueSet) with TargetObject containing 'Office\16.0\Word\Options\GlobalDotName' and Details='C:\Users\Public\evil.dotm'. Security Event ID 4657 (Registry value modified) if registry auditing is enabled. This fires Branch 2.
- Test 3: Drop File in Word STARTUP Folder
Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename containing '\Word\STARTUP\df00tech-test.dotm' and Image=powershell.exe. This fires Branch 1 via the STARTUP directory regex.
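To check that the rule's three branches and its risk scoring behave as the Testing Methodology expects, here is an added Python emulation (not part of this page or the Argus rule package) that transcribes the rule's regexes and runs them over constructed UDM-style events: the three Atomic tests above as they would look after Sysmon-to-UDM normalisation, the macro firing and Word spawning PowerShell (Branch 3), two benign Word events that must not fire, and a hypothetical IT deployment tool `deploy.exe` on a second host to show the allowlist tuning the False Positives section calls for. Field names are flattened (`principal_path`, `target_path`, `registry_key`), the 5-minute match window is approximated with fixed time buckets rather than Chronicle's sliding window, and every hostname, user and path is invented.

```python
import re

# Regexes transcribed from the YARA-L rule; Python's re accepts the same (?i) prefix.
TEMPLATE_FILE = re.compile(r"(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)")
TEMPLATE_DIR = re.compile(r"(?i)AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)")
OFFICE_WRITER = re.compile(r"(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe")
OFFICE_PARENT = re.compile(r"(?i)(winword|excel|powerpnt)\.exe")
SUSPICIOUS_CHILD = re.compile(
    r"(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)\.exe")
HIGH_RISK_CHILD = re.compile(r"(?i)(powershell|mshta|regsvr32)\.exe")
GLOBALDOTNAME_KEY = re.compile(r"(?i)Microsoft.*Word.*GlobalDotName")


def classify(ev, allowlist=()):
    """Map one flattened UDM-style event to (branch, risk_score), or None if no branch matches.

    Branches and scores follow the rule's events/outcome sections. `allowlist` is an added
    tuning knob (hypothetical, not in the rule): substrings of principal process paths that
    are allowed to write template files, e.g. a signed deployment tool's full path.
    """
    et = ev["event_type"]
    principal = ev.get("principal_path", "")
    target = ev.get("target_path", "")
    if et in ("FILE_MODIFICATION", "FILE_CREATION"):
        in_scope = TEMPLATE_FILE.search(target) or TEMPLATE_DIR.search(target)
        allowed = OFFICE_WRITER.search(principal) or any(
            a.lower() in principal.lower() for a in allowlist)
        if in_scope and not allowed:
            return ("template_write", 70)
    elif et in ("REGISTRY_MODIFICATION", "REGISTRY_CREATION"):
        if GLOBALDOTNAME_KEY.search(ev.get("registry_key", "")):
            return ("globaldotname", 85)
    elif et == "PROCESS_LAUNCH":
        if OFFICE_PARENT.search(principal) and SUSPICIOUS_CHILD.search(target):
            return ("office_child", 90 if HIGH_RISK_CHILD.search(target) else 70)
    return None


def evaluate(events, window_s=300, allowlist=()):
    """Emulate the match/outcome sections: hits are grouped per hostname into fixed
    5-minute buckets (a simplification of Chronicle's window) and each group reports
    the maximum risk score, mirroring max(if(...)) in the rule, plus distinct users/branches."""
    groups = {}
    for ev in events:
        hit = classify(ev, allowlist)
        if hit is None:
            continue
        branch, risk = hit
        key = (ev["hostname"], ev["ts"] // window_s)
        g = groups.setdefault(key, {"hostname": ev["hostname"], "risk_score": 0,
                                    "branches": set(), "users": set()})
        g["risk_score"] = max(g["risk_score"], risk)
        g["branches"].add(branch)
        g["users"].add(ev.get("user", ""))
    return sorted(groups.values(), key=lambda g: g["hostname"])


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (invented, not real logs); ts is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    # Test 1: PowerShell writes a copy beside Normal.dotm (Sysmon 11 -> FILE_CREATION)
    {"ts": 1000, "hostname": "WS-ALICE", "user": "alice", "event_type": "FILE_CREATION",
     "principal_path": POWERSHELL,
     "target_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm.bak"},
    # Test 2: GlobalDotName set (Sysmon 13 -> REGISTRY_MODIFICATION)
    {"ts": 1010, "hostname": "WS-ALICE", "user": "alice", "event_type": "REGISTRY_MODIFICATION",
     "principal_path": r"C:\Windows\regedit.exe",
     "registry_key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\GlobalDotName"},
    # Test 3: template dropped in Word STARTUP (Sysmon 11 -> FILE_CREATION)
    {"ts": 1020, "hostname": "WS-ALICE", "user": "alice", "event_type": "FILE_CREATION",
     "principal_path": POWERSHELL,
     "target_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\df00tech-test.dotm"},
    # Macro fires on next Word launch: Word spawns PowerShell (Sysmon 1 -> PROCESS_LAUNCH)
    {"ts": 1030, "hostname": "WS-ALICE", "user": "alice", "event_type": "PROCESS_LAUNCH",
     "principal_path": WINWORD, "target_path": POWERSHELL},
    # Benign: Word itself saves Normal.dotm on exit (excluded by Branch 1's writer filter)
    {"ts": 1040, "hostname": "WS-ALICE", "user": "alice", "event_type": "FILE_MODIFICATION",
     "principal_path": WINWORD,
     "target_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    # Benign: Word launches the 64-bit print spooler helper (not in the child list)
    {"ts": 1050, "hostname": "WS-ALICE", "user": "alice", "event_type": "PROCESS_LAUNCH",
     "principal_path": WINWORD, "target_path": r"C:\Windows\splwow64.exe"},
    # Hypothetical IT deployment tool pushing a corporate Normal.dotm on another host
    {"ts": 2000, "hostname": "WS-BOB", "user": "SYSTEM", "event_type": "FILE_MODIFICATION",
     "principal_path": r"C:\Program Files\ExampleCorp\TemplateDeploy\deploy.exe",
     "target_path": r"C:\Users\bob\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
]

if __name__ == "__main__":
    for det in evaluate(SAMPLE_EVENTS):
        print("untuned:", det)
    for det in evaluate(SAMPLE_EVENTS, allowlist=(r"\TemplateDeploy\deploy.exe",)):
        print("tuned:  ", det)
```

Running it untuned yields two detections: WS-ALICE at risk 90 with all three branches in one window, and WS-BOB at risk 70 from the deployment tool; adding the tool's full path to the allowlist removes the WS-BOB detection while leaving the WS-ALICE one intact. Keep the allowlist entries as full paths rather than bare binary names, as the tuning note above recommends.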
References (7)
- https://attack.mitre.org/techniques/T1137/001/
- https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md
- https://docs.microsoft.com/en-us/office/vba/api/overview/library-reference/library-reference-object-model
- https://github.com/nicowillis/office-macro-analysis