Detect Office Template Macros in CrowdStrike LogScale
Adversaries abuse Microsoft Office templates (Normal.dotm for Word, PERSONAL.XLSB for Excel) to obtain persistence. Malicious VBA macros inserted into base templates execute every time the Office application starts. Adversaries may also hijack the GlobalDotName registry key to point Word to an arbitrary template location, enabling stealth persistence that fires on every Word launch.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.001 Office Template Macros
- Canonical reference: https://attack.mitre.org/techniques/T1137/001/
LogScale Detection Query
// One query, three branches. detection_type records which branch matched.
// Events matching none of the case branches are dropped (no default "*" clause).
#event_simpleName=/^(FileOpenInfo|FileCreate|FileWrite|RegSetValue|ProcessRollup2|SyntheticProcessRollup2)$/
| case {
    // Branch 1: Template file write by non-Office process
    (#event_simpleName="FileOpenInfo" OR #event_simpleName="FileCreate" OR #event_simpleName="FileWrite")
      | (TargetFileName=/(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)$/
         OR TargetFileName=/(?i)AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)/)
      | ImageFileName!=/(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe$/
      | detection_type := "Template File Modified by Non-Office Process";

    // Branch 2: GlobalDotName registry key modification
    #event_simpleName="RegSetValue"
      | (TargetObject=/(?i)Microsoft.*Word.*GlobalDotName/ OR ValueData=/(?i)GlobalDotName/)
      | detection_type := "GlobalDotName Registry Key Modified";

    // Branch 3: Office spawning suspicious child process
    (#event_simpleName="ProcessRollup2" OR #event_simpleName="SyntheticProcessRollup2")
      | ParentBaseFileName=/(?i)(winword|excel|powerpnt)\.exe$/
      | ImageFileName=/(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)\.exe$/
      | detection_type := "Office Application Spawned Suspicious Child Process"
}
| table([@timestamp, ComputerName, UserName, detection_type, ImageFileName, CommandLine, TargetFileName, ParentBaseFileName, ParentCommandLine, TargetObject, ValueData, CommandHistory])
| sort(field=@timestamp, order=desc)

CrowdStrike LogScale (Falcon) query detecting T1137.001 Office Template Macro persistence from Falcon sensor telemetry. The three branches are combined in a single case statement, and detection_type labels the branch that fired: FileCreate/FileWrite events in which a non-Office process writes to an Office template path (Normal.dotm, PERSONAL.XLSB, the XLSTART and STARTUP directories); RegSetValue events targeting the GlobalDotName value under the Word policy path; and ProcessRollup2 events in which an Office parent process launches a high-risk child executable, the usual sign that a template macro has run.
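To see how the three branches behave on concrete telemetry, here is an added Python model of the detection (example code, not from the page or from CrowdStrike). It applies the same regexes to a handful of constructed Falcon-style events, including two benign cases the query must not flag: Word saving its own Normal.dotm, and an approved scheduled finance script running under Excel. The approved-automation path pattern is an assumption that illustrates the branch 3 tuning described in the false-positives section; the hostnames, users and timestamps are made up.

```python
import re
from typing import Dict, List, Optional

# Patterns mirror the three LogScale branches on this page.
TEMPLATE_NAME_RE = re.compile(r"(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)$", re.I)
TEMPLATE_DIR_RE = re.compile(
    r"AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)", re.I)
OFFICE_BINARY_RE = re.compile(r"(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe$", re.I)
GLOBALDOTNAME_RE = re.compile(r"Microsoft.*Word.*GlobalDotName", re.I)
OFFICE_PARENT_RE = re.compile(r"(winword|excel|powerpnt)\.exe$", re.I)
LOLBIN_CHILD_RE = re.compile(
    r"(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)\.exe$", re.I)

FILE_EVENTS = {"FileOpenInfo", "FileCreate", "FileWrite"}
PROCESS_EVENTS = {"ProcessRollup2", "SyntheticProcessRollup2"}

# Branch 3 tuning (see False Positives & Tuning): command lines of approved scheduled
# Office automation. The path is an assumed example, not taken from the page.
APPROVED_AUTOMATION_RE = [re.compile(r"\\Automation\\Finance\\", re.I)]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the detection_type for one event, or None if no branch matches."""
    name = event.get("event_simpleName", "")
    image = event.get("ImageFileName", "")

    # Branch 1: template file or startup directory written by a non-Office process
    if name in FILE_EVENTS:
        target = event.get("TargetFileName", "")
        on_template_path = TEMPLATE_NAME_RE.search(target) or TEMPLATE_DIR_RE.search(target)
        if on_template_path and not OFFICE_BINARY_RE.search(image):
            return "Template File Modified by Non-Office Process"
        return None

    # Branch 2: GlobalDotName registry value set
    if name == "RegSetValue":
        if GLOBALDOTNAME_RE.search(event.get("TargetObject", "")) or \
                re.search("GlobalDotName", event.get("ValueData", ""), re.I):
            return "GlobalDotName Registry Key Modified"
        return None

    # Branch 3: Office parent launching a high-risk child, minus approved automation
    if name in PROCESS_EVENTS:
        parent = event.get("ParentBaseFileName", "")
        cmdline = event.get("CommandLine", "")
        if OFFICE_PARENT_RE.search(parent) and LOLBIN_CHILD_RE.search(image):
            if any(p.search(cmdline) for p in APPROVED_AUTOMATION_RE):
                return None  # tuned out: approved scheduled automation
            return "Office Application Spawned Suspicious Child Process"
    return None


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Label every matching event and return hits newest-first, like the query's sort."""
    hits = []
    for event in events:
        detection_type = classify(event)
        if detection_type:
            hits.append(dict(event, detection_type=detection_type))
    return sorted(hits, key=lambda h: h["timestamp"], reverse=True)


# Constructed sample telemetry (not real Falcon data).
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
NORMAL_DOTM = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:01Z", "event_simpleName": "FileWrite", "ComputerName": "WKS-01",
     "UserName": "alice", "ImageFileName": PS_EXE, "TargetFileName": NORMAL_DOTM},
    {"timestamp": "2024-05-01T10:00:02Z", "event_simpleName": "FileWrite", "ComputerName": "WKS-01",
     "UserName": "alice", "TargetFileName": NORMAL_DOTM,
     "ImageFileName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"timestamp": "2024-05-01T10:00:03Z", "event_simpleName": "FileCreate", "ComputerName": "WKS-01",
     "UserName": "alice", "ImageFileName": PS_EXE,
     "TargetFileName": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\df00tech-test.dotm"},
    {"timestamp": "2024-05-01T10:00:04Z", "event_simpleName": "RegSetValue", "ComputerName": "WKS-01",
     "UserName": "alice", "ImageFileName": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\GlobalDotName",
     "ValueData": "C:\\Users\\Public\\evil.dotm"},
    {"timestamp": "2024-05-01T10:00:05Z", "event_simpleName": "ProcessRollup2", "ComputerName": "WKS-01",
     "UserName": "alice", "ImageFileName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo test", "ParentBaseFileName": "WINWORD.EXE"},
    {"timestamp": "2024-05-01T10:00:06Z", "event_simpleName": "ProcessRollup2", "ComputerName": "FIN-07",
     "UserName": "svc_fin", "ImageFileName": PS_EXE, "ParentBaseFileName": "EXCEL.EXE",
     "CommandLine": "powershell.exe -File C:\\Automation\\Finance\\monthly_close.ps1"},
    {"timestamp": "2024-05-01T10:00:07Z", "event_simpleName": "ProcessRollup2", "ComputerName": "WKS-01",
     "UserName": "alice", "ImageFileName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe", "ParentBaseFileName": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["timestamp"], hit["ComputerName"], hit["detection_type"])
```

Running it yields four hits in newest-first order (the WINWORD-spawned cmd.exe, the GlobalDotName write, the STARTUP drop and the PowerShell write to Normal.dotm); Word's own save of Normal.dotm and the allowlisted finance script are not reported. The anchored `\.exe$` patterns are the one deliberate tightening over the page's regexes: without the anchor, a renamed binary such as `winword.exe.bak` would still satisfy the Office exclusion.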
Data Sources
Required Tables
False Positives & Tuning
- The Falcon sensor may generate FileCreate events for Normal.dotm when Word itself saves a modified template; a brief delay in process attribution can then produce transient false positives, typically during Office updates
- RPA (Robotic Process Automation) tools such as UiPath or Automation Anywhere that automate Office workflows may legitimately spawn cmd.exe or PowerShell as child processes of Word or Excel
- PowerShell-based Office automation scripts approved for finance or HR workflows that run on a schedule may legitimately have Excel.exe as their parent process
Testing Methodology
Validate this detection against three Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Modify Normal.dotm via PowerShell (Simulated Template Backdoor)
  Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename ending in Normal.dotm.bak and Image=powershell.exe. Security Event ID 4663 on the template file, if object access auditing is enabled.
- Test 2: Set GlobalDotName Registry Key
  Expected signal: Sysmon Event ID 13 (RegistryValueSet) with TargetObject containing 'Office\16.0\Word\Options\GlobalDotName' and Details='C:\Users\Public\evil.dotm'. Security Event ID 4657 (Registry value modified), if registry auditing is enabled.
- Test 3: Drop File in Word STARTUP Folder
  Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename containing '\\Word\\STARTUP\\df00tech-test.dotm' and Image=powershell.exe.
References
- https://attack.mitre.org/techniques/T1137/001/
- https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md
- https://docs.microsoft.com/en-us/office/vba/api/overview/library-reference/library-reference-object-model
- https://github.com/nicowillis/office-macro-analysis