Detect Office Template Macros in Microsoft Sentinel
Adversaries abuse Microsoft Office templates (Normal.dotm for Word, PERSONAL.XLSB for Excel) to obtain persistence. Malicious VBA macros inserted into base templates execute every time the Office application starts. Adversaries may also hijack the GlobalDotName registry key to point Word to an arbitrary template location, enabling stealth persistence that fires on every Word launch.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.001 Office Template Macros
- Canonical reference: https://attack.mitre.org/techniques/T1137/001/
KQL Detection Query
```kql
// T1137.001 — Office Template Macros persistence detection
// Detect writes to Office template files and GlobalDotName registry modification
let OfficeMacroTemplates = dynamic([
    "Normal.dotm", "PERSONAL.XLSB", "NormalEmail.dotm"
]);
let TemplateStartupPaths = dynamic([
    "\\AppData\\Roaming\\Microsoft\\Templates\\",
    "\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\",
    "\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\",
    "\\Program Files (x86)\\Microsoft Office\\root\\"
]);
// Part 1: Detect writes to Office template files by processes other than Office itself
let TemplateFileWrites = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FileName has_any (OfficeMacroTemplates) or FolderPath has_any (TemplateStartupPaths)
| where InitiatingProcessFileName !in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "MicrosoftEdgeUpdate.exe", "OfficeClickToRun.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType;
// Part 2: Detect GlobalDotName registry key/value creation or modification
let GlobalDotNameReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Microsoft", "Word")
| where RegistryValueName =~ "GlobalDotName" or RegistryKey has "GlobalDotName"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
    InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType;
// Part 3: Detect Office apps spawning unexpected child processes (macro execution)
let OfficeMacroExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| where FileName !in~ ("winword.exe", "excel.exe", "powerpnt.exe", "MSOSYNC.exe", "splwow64.exe", "WerFault.exe", "csc.exe", "vbc.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine;
// Combine the three signals into one result set, newest first
union TemplateFileWrites, GlobalDotNameReg, OfficeMacroExec
| sort by Timestamp desc
```

This is a three-part detection for Office Template Macro persistence. Part 1 monitors file creation and modification events for known Office template files (Normal.dotm, PERSONAL.XLSB) and the Office startup folders, flagging writes from non-Office processes. Part 2 watches for GlobalDotName registry key creation or modification, which lets an attacker redirect Word's global template to a path they control. Part 3 detects Office applications spawning suspicious child processes (cmd, PowerShell, wscript), which indicates macro execution from a template.
Data Sources
Required Tables
- DeviceFileEvents
- DeviceRegistryEvents
- DeviceProcessEvents
False Positives & Tuning
- Legitimate IT automation tools (PDQ Deploy, SCCM) distributing updated Office templates to endpoints
- User-created macros in Personal.xlsb for legitimate automation of repetitive Excel tasks
- Office add-in installations that create or modify startup folder files as part of normal installation
- Helpdesk/support personnel modifying Normal.dotm to deploy standardized corporate templates
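The three query parts and the allowlist tuning above, as an added Python example that is not part of the original page: it re-implements the matching logic over constructed Defender advanced-hunting records so the rules can be unit-tested before deployment. Field names follow the tables the query uses; the timestamps, user path, and any allowlisted deployment-tool name passed in are assumptions.

```python
# Added example (not from the page): the page's three-part T1137.001 logic over constructed events.
OFFICE_TEMPLATES = ("normal.dotm", "personal.xlsb", "normalemail.dotm")
TEMPLATE_PATHS = ("\\appdata\\roaming\\microsoft\\templates\\",
                  "\\appdata\\roaming\\microsoft\\excel\\xlstart\\",
                  "\\appdata\\roaming\\microsoft\\word\\startup\\",
                  "\\program files (x86)\\microsoft office\\root\\")
OFFICE_WRITERS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "microsoftedgeupdate.exe", "officeclicktorun.exe")
LOLBINS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe")

def template_write_alert(ev, allowlist=()):
    """Part 1: template file/startup folder written by a non-Office process. `allowlist` names
    org-approved deployment tools (the PDQ/SCCM tuning case); matching is case-insensitive."""
    if ev["ActionType"] not in ("FileCreated", "FileModified"):
        return False
    name, folder = ev["FileName"].lower(), ev["FolderPath"].lower()
    in_scope = any(t in name for t in OFFICE_TEMPLATES) or any(p in folder for p in TEMPLATE_PATHS)
    proc = ev["InitiatingProcessFileName"].lower()
    return in_scope and proc not in OFFICE_WRITERS and proc not in [a.lower() for a in allowlist]

def globaldotname_alert(ev):
    """Part 2: GlobalDotName value or key touched under a Microsoft ... Word registry key."""
    key = ev["RegistryKey"].lower()
    if "microsoft" not in key or "word" not in key:
        return False
    return ev.get("RegistryValueName", "").lower() == "globaldotname" or "globaldotname" in key

def office_child_alert(ev):
    """Part 3: Word/Excel/PowerPoint spawning a scripting or LOLBin child (macro execution)."""
    return (ev["InitiatingProcessFileName"].lower() in ("winword.exe", "excel.exe", "powerpnt.exe")
            and ev["FileName"].lower() in LOLBINS)

def run_detection(file_events, reg_events, proc_events, allowlist=()):
    """Mirror the closing union: (rule, event) pairs sorted newest first."""
    hits = [("TemplateFileWrites", e) for e in file_events if template_write_alert(e, allowlist)]
    hits += [("GlobalDotNameReg", e) for e in reg_events if globaldotname_alert(e)]
    hits += [("OfficeMacroExec", e) for e in proc_events if office_child_alert(e)]
    return sorted(hits, key=lambda h: h[1]["Timestamp"], reverse=True)

# Constructed sample telemetry (user name, paths and timestamps are made up).
FILE_EVENTS = [{"Timestamp": "2024-05-01T10:00:00Z", "ActionType": "FileModified",
                "FileName": "Normal.dotm", "InitiatingProcessFileName": "powershell.exe",
                "FolderPath": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"}]
REG_EVENTS = [{"Timestamp": "2024-05-01T10:03:00Z", "ActionType": "RegistryValueSet",
               "RegistryKey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Options",
               "RegistryValueName": "GlobalDotName", "RegistryValueData": "C:\\Users\\Public\\t.dotm"}]
PROC_EVENTS = [{"Timestamp": "2024-05-01T10:04:00Z", "FileName": "powershell.exe",
                "InitiatingProcessFileName": "WINWORD.EXE"}]
```

Passing a deployment tool's executable name via `allowlist` suppresses only Part 1, so a GlobalDotName change or an Office-spawned shell from the same host still alerts.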
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Modify Normal.dotm via PowerShell (Simulated Template Backdoor)
  Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename ending in Normal.dotm.bak and Image=powershell.exe. Security Event ID 4663 on the template file if object access auditing is enabled.
- Test 2: Set GlobalDotName Registry Key
  Expected signal: Sysmon Event ID 13 (RegistryValueSet) with TargetObject containing 'Office\16.0\Word\Options\GlobalDotName' and Details='C:\Users\Public\evil.dotm'. Security Event ID 4657 (registry value modified) if registry auditing is enabled.
- Test 3: Drop File in Word STARTUP Folder
  Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename containing '\\Word\\STARTUP\\df00tech-test.dotm' and Image=powershell.exe.
References
- https://attack.mitre.org/techniques/T1137/001/
- https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md
- https://docs.microsoft.com/en-us/office/vba/api/overview/library-reference/library-reference-object-model
- https://github.com/nicowillis/office-macro-analysis