Detect Office Template Macros in Elastic Security
Adversaries abuse Microsoft Office templates (Normal.dotm for Word, PERSONAL.XLSB for Excel) to obtain persistence. Malicious VBA macros inserted into base templates execute every time the Office application starts. Adversaries may also hijack the GlobalDotName registry key to point Word to an arbitrary template location, enabling stealth persistence that fires on every Word launch.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.001 Office Template Macros
- Canonical reference: https://attack.mitre.org/techniques/T1137/001/
Elastic Detection Query

    // Signals 1 and 2: template file writes by non-Office processes, and GlobalDotName hijack.
    // Each match is a single event, so this is a plain EQL query rather than a sequence
    // (an EQL sequence needs at least two subqueries; a one-element sequence does not parse).
    any where (
      (
        event.category == "file" and event.action in ("creation", "modification") and
        (
          file.name in~ ("Normal.dotm", "PERSONAL.XLSB", "NormalEmail.dotm") or
          file.path like~ "*\\AppData\\Roaming\\Microsoft\\Templates\\*" or
          file.path like~ "*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" or
          file.path like~ "*\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" or
          file.path like~ "*\\Program Files (x86)\\Microsoft Office\\root\\*"
        ) and
        // Office itself (and its updaters) legitimately rewrite these files; everything else is suspect.
        not process.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "MicrosoftEdgeUpdate.exe", "OfficeClickToRun.exe")
      ) or
      (
        event.category == "registry" and event.action in ("modification", "creation") and
        (
          registry.path like~ "*Microsoft*Word*GlobalDotName*" or
          registry.value like~ "*GlobalDotName*"
        )
      )
    )

    // Supplemental (signal 3): Office application spawning a suspicious child process.
    // Also a single-event condition, so no sequence wrapper is needed.
    process where event.type == "start" and
      process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe") and
      process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe")

Detects T1137.001 Office Template Macro persistence via three behavioral signals: (1) writes to Office template files (Normal.dotm, PERSONAL.XLSB) or template directories by non-Office processes, (2) modification of the GlobalDotName registry key used to hijack Word template loading, and (3) Office applications spawning suspicious child processes indicative of macro execution.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Office add-in installers or macro-enabled template deployment tools writing to XLSTART or Templates directories during managed software deployment
- IT administrators using scripts to deploy standardized Word/Excel templates across the organization, which may trigger the non-Office process writing to template paths
- Antivirus or DLP software scanning and touching Office template files as part of scheduled scans may appear as unexpected file modifications
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Modify Normal.dotm via PowerShell (Simulated Template Backdoor)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in Normal.dotm.bak, Image=powershell.exe. Security Event ID 4663 (if object access auditing is enabled) on the template file.
- Test 2: Set GlobalDotName Registry Key
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Office\16.0\Word\Options\GlobalDotName' and Details='C:\Users\Public\evil.dotm'. Security Event ID 4657 (Registry value modified) if registry auditing is enabled.
- Test 3: Drop File in Word STARTUP Folder
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing '\\Word\\STARTUP\\df00tech-test.dotm' and Image=powershell.exe.
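The following Python script is an added example, not part of this rule page and not Elastic's or Atomic Red Team's code. It models the three signals of the detection query above and evaluates them offline over constructed Sysmon-style events that mirror the three tests, plus benign Word activity and the antivirus/DLP case from the tuning notes. Field names follow Sysmon (EventID, Image, TargetFilename, TargetObject, ParentImage); the user name, SID and scanner process name are constructed, and the wildcard matcher is an approximation of EQL `like~` (case-insensitive `*` only).

```python
"""Offline model of the three T1137.001 signals over constructed Sysmon-style events."""
import re

# Allow/deny lists mirror the detection query on the page.
TEMPLATE_NAMES = {"normal.dotm", "personal.xlsb", "normalemail.dotm"}
TEMPLATE_PATH_GLOBS = [
    "*\\AppData\\Roaming\\Microsoft\\Templates\\*",
    "*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",
    "*\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*",
    "*\\Program Files (x86)\\Microsoft Office\\root\\*",
]
OFFICE_WRITERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "microsoftedgeupdate.exe", "officeclicktorun.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
GLOBALDOTNAME_GLOB = "*Microsoft*Word*GlobalDotName*"


def like_ci(value, glob):
    """Approximation of EQL like~: case-insensitive match where '*' matches any run of characters."""
    pattern = ".*".join(re.escape(part) for part in glob.split("*"))
    return re.fullmatch(pattern, value, flags=re.IGNORECASE | re.DOTALL) is not None


def basename(path):
    """Lower-cased file name component of a Windows path (process.name / file.name analogue)."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of signal numbers (1, 2, 3) that fire for one Sysmon-style event."""
    fired = []
    image = basename(event.get("Image", ""))
    eid = event["EventID"]
    if eid == 11:  # FileCreate: signal 1, template file written by a non-Office process
        target = event["TargetFilename"]
        template_hit = (basename(target) in TEMPLATE_NAMES
                        or any(like_ci(target, g) for g in TEMPLATE_PATH_GLOBS))
        if template_hit and image not in OFFICE_WRITERS:
            fired.append(1)
    elif eid == 13:  # RegistryValueSet: signal 2, GlobalDotName hijack
        if like_ci(event["TargetObject"], GLOBALDOTNAME_GLOB):
            fired.append(2)
    elif eid == 1:  # ProcessCreate: signal 3, Office app spawning a suspicious child
        parent = basename(event.get("ParentImage", ""))
        if parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
            fired.append(3)
    return fired


# Constructed sample events (user "alice", SID and scanner name are made up for the example).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
TEMPLATES = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\"
SAMPLE_EVENTS = [
    # Test 1 analogue: the file name is Normal.dotm.bak, which the name list misses,
    # but the Templates path pattern still catches it.
    {"EventID": 11, "Image": PS, "TargetFilename": TEMPLATES + "Normal.dotm.bak"},
    # Test 2 analogue: GlobalDotName pointed at an arbitrary template.
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\GlobalDotName",
     "Details": "C:\\Users\\Public\\evil.dotm"},
    # Test 3 analogue: file dropped into the Word STARTUP folder.
    {"EventID": 11, "Image": PS,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\df00tech-test.dotm"},
    # Benign: Word itself saving Normal.dotm on exit (excluded writer).
    {"EventID": 11, "Image": WORD, "TargetFilename": TEMPLATES + "Normal.dotm"},
    # Signal 3: Word spawning PowerShell.
    {"EventID": 1, "Image": PS, "ParentImage": WORD},
    # Benign child: Word spawning a print helper that is not on the suspicious list.
    {"EventID": 1, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": WORD},
    # Tuning case: a scanner touching the template fires signal 1 unless its process is excluded.
    {"EventID": 11, "Image": "C:\\Program Files\\ExampleAV\\scanner.exe",
     "TargetFilename": TEMPLATES + "Normal.dotm"},
]


def run(events):
    """Evaluate every event and return the per-event list of fired signals."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, signals in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(event["EventID"], basename(event.get("Image", "")), "->", signals or "no alert")
```

The last sample event is the tuning case from the False Positives section: a scanner process writing to the template directory fires signal 1 exactly like the PowerShell test, which is why such tools belong in the process exclusion list once identified in your environment. The first event shows why the path patterns matter alongside the name list: Normal.dotm.bak is not one of the listed names, but it sits under the Templates folder.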
References
- https://attack.mitre.org/techniques/T1137/001/
- https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md
- https://docs.microsoft.com/en-us/office/vba/api/overview/library-reference/library-reference-object-model
- https://github.com/nicowillis/office-macro-analysis