T1137.001 Splunk · SPL

Detect Office Template Macros in Splunk

Adversaries abuse Microsoft Office templates (Normal.dotm for Word, PERSONAL.XLSB for Excel) to obtain persistence. Malicious VBA macros inserted into base templates execute every time the Office application starts. Adversaries may also hijack the GlobalDotName registry key to point Word to an arbitrary template location, enabling stealth persistence that fires on every Word launch.

MITRE ATT&CK

Tactic: Persistence
Technique: T1137 Office Application Startup
Sub-technique: T1137.001 Office Template Macros
Canonical reference: https://attack.mitre.org/techniques/T1137/001/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval source_type=case(
    EventCode=11, "template_write",
    EventCode=13, "registry_mod",
    EventCode=1, "process_create",
    true(), "other"
  )
| where source_type IN ("template_write", "registry_mod", "process_create")
| eval is_template_file=if(
    source_type="template_write" AND (
      match(TargetFilename, "(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)") OR
      match(TargetFilename, "(?i)(\\\\AppData\\\\Roaming\\\\Microsoft\\\\(Templates|Excel\\\\XLSTART|Word\\\\STARTUP))")
    ) AND NOT match(Image, "(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe"),
    1, 0)
| eval is_globaldotname=if(
    source_type="registry_mod" AND (
      match(TargetObject, "(?i)Microsoft\\\\Office.*Word.*GlobalDotName") OR
      match(Details, "(?i)GlobalDotName")
    ), 1, 0)
| eval is_office_child=if(
    source_type="process_create" AND
    match(ParentImage, "(?i)(winword|excel|powerpnt)\.exe") AND
    match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe"),
    1, 0)
| eval detection_type=case(
    is_template_file=1, "Template File Modified by Non-Office Process",
    is_globaldotname=1, "GlobalDotName Registry Key Modified",
    is_office_child=1, "Office Application Spawned Suspicious Child Process",
    true(), "unknown"
  )
| where is_template_file=1 OR is_globaldotname=1 OR is_office_child=1
| eval host_user=host."|".coalesce(User, SubjectUserName, "-")
| table _time, host, host_user, User, detection_type, Image, CommandLine, TargetFilename, TargetObject, Details, ParentImage, ParentCommandLine
| sort - _time

Severity: High · Confidence: High

Detects Office Template Macro persistence using Sysmon events. EventCode 11 (File Create) captures creation of, or overwrites to, Normal.dotm, PERSONAL.XLSB, NormalEmail.dotm, or files in the Office Templates, XLSTART and Word STARTUP directories by any process other than an Office binary. EventCode 13 (Registry Value Set) catches modification of the GlobalDotName value under the Office/Word registry path, or any registry write whose data mentions GlobalDotName. EventCode 1 (Process Create) catches Word, Excel or PowerPoint spawning shell interpreters and LOLBins (cmd, PowerShell, wscript, mshta, rundll32 and the others listed), which indicates macro execution at startup. Note that the file-name patterns are unanchored, so a backup such as Normal.dotm.bak also matches.
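To check the three branches of the query offline before deploying it, here is an added Python re-implementation of the same match() logic run over constructed Sysmon-style records; it is not code from this page or from Splunk, and the event dicts, paths and user names are made up for the example.

```python
import re

# Patterns mirror the match() calls in the SPL query above (case-insensitive).
TEMPLATE_NAME = re.compile(r"(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)", re.I)
TEMPLATE_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)", re.I)
OFFICE_IMAGE = re.compile(r"(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe", re.I)
GLOBALDOTNAME = re.compile(r"Microsoft\\Office.*Word.*GlobalDotName", re.I)
OFFICE_PARENT = re.compile(r"(winword|excel|powerpnt)\.exe", re.I)
SHELL_CHILD = re.compile(r"(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe", re.I)

def classify(ev):
    """Return the detection_type label for one Sysmon event dict, or None if it is benign."""
    code = ev.get("EventCode")
    if code == 11:  # FileCreate: template written by something other than Office itself
        target = ev.get("TargetFilename", "")
        if (TEMPLATE_NAME.search(target) or TEMPLATE_DIR.search(target)) \
                and not OFFICE_IMAGE.search(ev.get("Image", "")):
            return "Template File Modified by Non-Office Process"
    elif code == 13:  # RegistryValueSet: Word's template location redirected
        if GLOBALDOTNAME.search(ev.get("TargetObject", "")) \
                or re.search("GlobalDotName", ev.get("Details", ""), re.I):
            return "GlobalDotName Registry Key Modified"
    elif code == 1:  # ProcessCreate: Office app launching a shell or LOLBin
        if OFFICE_PARENT.search(ev.get("ParentImage", "")) \
                and SHELL_CHILD.search(ev.get("Image", "")):
            return "Office Application Spawned Suspicious Child Process"
    return None

def run(events):
    """Keep only events that trigger a detection, as (index, label) pairs."""
    hits = ((i, classify(ev)) for i, ev in enumerate(events))
    return [(i, label) for i, label in hits if label]

# Constructed sample events modelled on the Testing Methodology signals (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm.bak"},
    {"EventCode": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventCode": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Office\16.0\Word\Options\GlobalDotName",
     "Details": r"C:\Users\Public\evil.dotm"},
    {"EventCode": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventCode": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]
```

The second event (Word itself saving Normal.dotm) and the last (a document write) are expected to produce no detection, which is the false-positive boundary the query's NOT match(Image, ...) clause defines.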

Data Sources

  • File: File Creation
  • Windows Registry: Registry Value Modification
  • Process: Process Creation
  • Sysmon Event ID 1, 11, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate IT automation tools distributing updated corporate Office templates
  • User macros in Personal.xlsb for Excel task automation
  • Office add-in installations writing to startup directories
  • VBA IDE activity during macro development by developers or power users

Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Modify Normal.dotm via PowerShell (Simulated Template Backdoor)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in Normal.dotm.bak, Image=powershell.exe. Security Event ID 4663 (if object access auditing enabled) on the template file.

  2. Test 2: Set GlobalDotName Registry Key

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Office\16.0\Word\Options\GlobalDotName' and Details='C:\Users\Public\evil.dotm'. Security Event ID 4657 (Registry value modified) if registry auditing is enabled.

  3. Test 3: Drop File in Word STARTUP Folder

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing '\\Word\\STARTUP\\df00tech-test.dotm' and Image=powershell.exe.
