Detect Office Template Macros in IBM QRadar
Adversaries abuse Microsoft Office templates (Normal.dotm for Word, PERSONAL.XLSB for Excel) to obtain persistence. Malicious VBA macros inserted into base templates execute every time the Office application starts. Adversaries may also hijack the GlobalDotName registry key to point Word to an arbitrary template location, enabling stealth persistence that fires on every Word launch.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.001 Office Template Macros
- Canonical reference: https://attack.mitre.org/techniques/T1137/001/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
LOGSOURCENAME(logsourceid) AS log_source,
username,
-- "Hostname" is a custom event property; use the property name defined in your deployment
"Hostname" AS hostname,
QIDNAME(qid) AS event_name,
"SourceFilePath" AS source_file,
"TargetFilePath" AS target_file,
"ProcessFilePath" AS process_path,
"CommandLine" AS command_line,
"RegistryKey" AS registry_key,
"RegistryValue" AS registry_value,
category,
eventdirection
FROM events
WHERE
-- devicetype holds the log source type ID (Windows Security / Sysmon log source types)
devicetype IN (12, 52, 407)
AND (
-- Template file write by non-Office process (Sysmon Event 11)
(
QIDNAME(qid) LIKE '%File Created%'
AND (
LOWER("TargetFilePath") LIKE '%normal.dotm%'
OR LOWER("TargetFilePath") LIKE '%personal.xlsb%'
OR LOWER("TargetFilePath") LIKE '%normalemail.dotm%'
OR LOWER("TargetFilePath") LIKE '%appdata%roaming%microsoft%templates%'
OR LOWER("TargetFilePath") LIKE '%appdata%roaming%microsoft%excel%xlstart%'
OR LOWER("TargetFilePath") LIKE '%appdata%roaming%microsoft%word%startup%'
)
AND NOT (
LOWER("ProcessFilePath") LIKE '%winword.exe'
OR LOWER("ProcessFilePath") LIKE '%excel.exe'
OR LOWER("ProcessFilePath") LIKE '%powerpnt.exe'
OR LOWER("ProcessFilePath") LIKE '%outlook.exe'
OR LOWER("ProcessFilePath") LIKE '%officeclicktorun.exe'
)
)
OR
-- GlobalDotName registry modification (Sysmon Event 13)
(
QIDNAME(qid) LIKE '%Registry Value Set%'
AND (
LOWER("RegistryKey") LIKE '%microsoft%word%'
AND (
LOWER("RegistryValue") LIKE '%globaldotname%'
OR LOWER("RegistryKey") LIKE '%globaldotname%'
)
)
)
OR
-- Office spawning suspicious child process (Sysmon Event 1 / WinEvent 4688)
(
QIDNAME(qid) LIKE '%Process Create%'
AND (
LOWER("ParentProcessFilePath") LIKE '%winword.exe'
OR LOWER("ParentProcessFilePath") LIKE '%excel.exe'
OR LOWER("ParentProcessFilePath") LIKE '%powerpnt.exe'
)
AND (
LOWER("ProcessFilePath") LIKE '%cmd.exe'
OR LOWER("ProcessFilePath") LIKE '%powershell.exe'
OR LOWER("ProcessFilePath") LIKE '%wscript.exe'
OR LOWER("ProcessFilePath") LIKE '%cscript.exe'
OR LOWER("ProcessFilePath") LIKE '%mshta.exe'
OR LOWER("ProcessFilePath") LIKE '%rundll32.exe'
OR LOWER("ProcessFilePath") LIKE '%regsvr32.exe'
OR LOWER("ProcessFilePath") LIKE '%certutil.exe'
OR LOWER("ProcessFilePath") LIKE '%bitsadmin.exe'
)
)
)
ORDER BY starttime DESC
LAST 24 HOURS

QRadar AQL query detecting T1137.001 Office Template Macro persistence through three correlated behavioral signals sourced from Sysmon and Windows Security event logs: template file writes to known Office startup/template paths by non-Office processes, GlobalDotName registry key modification, and suspicious child process spawning from Office applications. The double-quoted names (TargetFilePath, ProcessFilePath, ParentProcessFilePath, RegistryKey, RegistryValue, and so on) are custom event properties and must exist for the Sysmon and Windows Security log sources in your deployment, and the devicetype IDs should be checked against the log source types configured there.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software deployment tools (SCCM, Intune) pushing Office template updates to managed endpoints may trigger the template file write detection
- Macro-enabled Excel Personal Macro Workbook (PERSONAL.XLSB) being legitimately created when a user first records a macro in Excel
- Legitimate use of cmd.exe or PowerShell launched from Office via DDE or legitimate automation scripts configured by the organization for business processes
Other platforms for T1137.001
Testing Methodology
Validate this detection against three Atomic Red Team test cases for T1137.001. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Modify Normal.dotm via PowerShell (Simulated Template Backdoor)
  Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in Normal.dotm.bak, Image=powershell.exe. Security Event ID 4663 (if object access auditing enabled) on the template file.
- Test 2: Set GlobalDotName Registry Key
  Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Office\16.0\Word\Options\GlobalDotName' and Details='C:\Users\Public\evil.dotm'. Security Event ID 4657 (Registry value modified) if registry auditing is enabled.
- Test 3: Drop File in Word STARTUP Folder
  Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing '\\Word\\STARTUP\\df00tech-test.dotm' and Image=powershell.exe.
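To check that the three signals in the AQL query above actually fire on the telemetry the tests are expected to produce, and to see where the false-positive tuning from the earlier section plugs in, here is an added Python re-implementation of the same logic run over constructed Sysmon-style events. It is example code written for this page, not part of the detection package or of QRadar; the event dictionaries, user name, SID, the "RecordId" field and the SCCM allowlist entry are all assumptions constructed for the demonstration.

```python
import re

# Legitimate template writers, mirroring the NOT (...) clause of the AQL query.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "officeclicktorun.exe"}

# Tuning hook for the "enterprise software deployment tools" false positive.
# ccmexec.exe is the SCCM client agent; this allowlist is an assumption and
# should be adjusted to the deployment tooling actually present in your estate.
ALLOWED_TEMPLATE_WRITERS = {"ccmexec.exe"}

# Template and startup locations from the AQL query; the '%' wildcards become '.*'.
TEMPLATE_PATH_PATTERNS = [re.compile(p) for p in (
    r"normal\.dotm",
    r"personal\.xlsb",
    r"normalemail\.dotm",
    r"appdata.*roaming.*microsoft.*templates",
    r"appdata.*roaming.*microsoft.*excel.*xlstart",
    r"appdata.*roaming.*microsoft.*word.*startup",
)]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                       "bitsadmin.exe"}


def _basename(path: str) -> str:
    """Last path component, lower-cased: 'C:\\...\\WINWORD.EXE' -> 'winword.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def template_write_by_non_office(ev: dict) -> bool:
    """Signal 1: Sysmon Event 11 (FileCreate) into a template path by a non-Office process."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "").lower()
    if not any(p.search(target) for p in TEMPLATE_PATH_PATTERNS):
        return False
    writer = _basename(ev.get("Image", ""))
    return writer not in OFFICE_PROCESSES and writer not in ALLOWED_TEMPLATE_WRITERS


def globaldotname_set(ev: dict) -> bool:
    """Signal 2: Sysmon Event 13 (RegistryValueSet) touching Word's GlobalDotName value."""
    if ev.get("EventID") != 13:
        return False
    key = ev.get("TargetObject", "").lower()
    data = ev.get("Details", "").lower()
    return bool(re.search(r"microsoft.*word", key)) and (
        "globaldotname" in key or "globaldotname" in data)


def office_spawns_suspicious_child(ev: dict) -> bool:
    """Signal 3: Sysmon Event 1 (ProcessCreate) with an Office parent and a scripting/LOLBin child."""
    if ev.get("EventID") != 1:
        return False
    return (_basename(ev.get("ParentImage", "")) in OFFICE_PARENTS
            and _basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN)


SIGNALS = {
    "template_write_by_non_office": template_write_by_non_office,
    "globaldotname_set": globaldotname_set,
    "office_spawns_suspicious_child": office_spawns_suspicious_child,
}


def evaluate(events):
    """Return (RecordId, signal name) for every event that matches a signal."""
    return [(ev["RecordId"], name)
            for ev in events for name, fn in SIGNALS.items() if fn(ev)]


# Constructed sample telemetry. Records 1-3 model the expected signals of Tests 1-3
# above; records 4-7 are benign controls that the detection should not flag.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
TEMPLATES = r"C:\Users\alice\AppData\Roaming\Microsoft\Templates"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed, not a real SID

SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 11, "Image": PS, "TargetFilename": TEMPLATES + r"\Normal.dotm.bak"},
    {"RecordId": 2, "EventID": 13, "Image": PS,
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Office\16.0\Word\Options\GlobalDotName",
     "Details": r"C:\Users\Public\evil.dotm"},
    {"RecordId": 3, "EventID": 11, "Image": PS,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\df00tech-test.dotm"},
    {"RecordId": 4, "EventID": 11, "Image": WINWORD, "TargetFilename": TEMPLATES + r"\Normal.dotm"},
    {"RecordId": 5, "EventID": 11, "Image": r"C:\Windows\CCM\CcmExec.exe",
     "TargetFilename": TEMPLATES + r"\Corporate.dotx"},
    {"RecordId": 6, "EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 7, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for record_id, signal in evaluate(SAMPLE_EVENTS):
        print(f"record {record_id}: {signal}")
```

Record 5 is the interesting control: without the ALLOWED_TEMPLATE_WRITERS entry it would match signal 1 exactly as the false-positives section warns, so any exclusion you settle on here is the one to carry back into the NOT (...) clause of the AQL.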
References
- https://attack.mitre.org/techniques/T1137/001/
- https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md
- https://docs.microsoft.com/en-us/office/vba/api/overview/library-reference/library-reference-object-model
- https://github.com/nicowillis/office-macro-analysis