T1137.001 Sumo Logic CSE · Sumo

Detect Office Template Macros in Sumo Logic CSE

Adversaries abuse Microsoft Office templates (Normal.dotm for Word, PERSONAL.XLSB for Excel) to obtain persistence. Malicious VBA macros inserted into these base templates execute every time the Office application starts. Adversaries may also hijack the GlobalDotName registry key to point Word at an arbitrary template location, giving stealthy persistence that fires on every Word launch.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.001 Office Template Macros
Canonical reference
https://attack.mitre.org/techniques/T1137/001/

Sumo Detection Query

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where EventCode in ("1", "11", "13", "4688")
| parse field=_raw "<EventID>*</EventID>" as parsed_event_id nodrop
| parse field=_raw "TargetFilename>*</TargetFilename" as target_filename nodrop
| parse field=_raw "Image>*</Image" as image nodrop
| parse field=_raw "ParentImage>*</ParentImage" as parent_image nodrop
// Security 4688 names the process paths NewProcessName/ParentProcessName; fold them into image/parent_image
| parse field=_raw "NewProcessName>*</NewProcessName" as new_process_name nodrop
| parse field=_raw "ParentProcessName>*</ParentProcessName" as parent_process_name nodrop
| if(isNull(image), new_process_name, image) as image
| if(isNull(parent_image), parent_process_name, parent_image) as parent_image
| parse field=_raw "CommandLine>*</CommandLine" as command_line nodrop
| parse field=_raw "TargetObject>*</TargetObject" as registry_target_object nodrop
| parse field=_raw "Details>*</Details" as registry_details nodrop
// Classify event type: Sumo assigns with if(...) as <field> (there is no eval), and matches takes a /regex/ literal
| if(EventCode = "11"
     and (target_filename matches /(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)/
          or target_filename matches /(?i)AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)/)
     and !(image matches /(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe/),
    "Template File Modified by Non-Office Process",
  if(EventCode = "13"
     and registry_target_object matches /(?i)Microsoft.*Word.*GlobalDotName/,
    "GlobalDotName Registry Key Modified",
  if((EventCode = "1" or EventCode = "4688")
     and parent_image matches /(?i)(winword|excel|powerpnt)\.exe/
     and image matches /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe/,
    "Office Application Spawned Suspicious Child Process",
  ""))) as detection_type
// An empty string marks rows that matched no branch; drop them
| where detection_type != ""
| fields _messageTime, _sourceHost, detection_type, image, parent_image, command_line, target_filename, registry_target_object, registry_details
| sort by _messageTime desc

Severity: High · Confidence: High

Sumo Logic query detecting T1137.001 Office Template Macro persistence by classifying Sysmon and Windows Security events into three detection categories: non-Office processes writing to Office template paths, GlobalDotName registry modifications pointing Word to attacker-controlled templates, and Office processes spawning suspicious child processes upon macro execution.

Data Sources

  • Sumo Logic Cloud SIEM Enterprise
  • Windows Sysmon (via Sumo Logic Collector)
  • Windows Security Event Log

Required Tables

  • windows/sysmon
  • windows/security

False Positives & Tuning

  • Software packaging tools writing Office templates to XLSTART during application installs, commonly seen during Microsoft 365 updates or add-in deployments
  • End-user macro development: saving a macro to Personal Macro Workbook in Excel legitimately creates PERSONAL.XLSB in the XLSTART directory
  • Organizational automation scripts legitimately launched from Excel via the Workbook_Open event as part of business-approved macro workflows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Modify Normal.dotm via PowerShell (Simulated Template Backdoor)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in Normal.dotm.bak, Image=powershell.exe. Security Event ID 4663 (if object access auditing enabled) on the template file.

  2. Test 2: Set GlobalDotName Registry Key

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject containing 'Office\16.0\Word\Options\GlobalDotName' and Details='C:\Users\Public\evil.dotm'. Security Event ID 4657 (Registry value modified) if registry auditing is enabled.

  3. Test 3: Drop File in Word STARTUP Folder

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing '\\Word\\STARTUP\\df00tech-test.dotm' and Image=powershell.exe.
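To check that the three tests above, the query's three detection branches, and the tuning bullets behave as described, here is an added Python re-implementation of the rule logic run over constructed events. This is example code written for this page, not the Sumo query itself and not part of the page's detection package. It assumes flattened XML fragments carrying the tag names the query parses (real Sysmon XML nests them as `<Data Name="...">`), uses the fact that Security Event 4688 names its process fields NewProcessName/ParentProcessName, and treats `msiexec.exe` as an assumed stand-in for the packaging tools named under tuning; the `allowlisted_writers` parameter is this example's own tuning hook, not a feature of the query.

```python
import re
from typing import FrozenSet, List, Optional

# Constructed, flattened XML fragments for illustration (not real telemetry). Tag names mirror
# the fields the Sumo query parses; real Sysmon XML wraps them as <Data Name="...">.
SAMPLE_EVENTS: List[str] = [
    # Test 1: PowerShell writing a file whose name contains Normal.dotm
    "<EventID>11</EventID>"
    "<Image>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Image>"
    "<TargetFilename>C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.bak</TargetFilename>",
    # Test 2: GlobalDotName registry value set (Details value taken from the page's expected signal)
    "<EventID>13</EventID><Image>C:\\Windows\\regedit.exe</Image>"
    "<TargetObject>HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\GlobalDotName</TargetObject>"
    "<Details>C:\\Users\\Public\\evil.dotm</Details>",
    # Test 3: file dropped into the Word STARTUP folder
    "<EventID>11</EventID>"
    "<Image>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Image>"
    "<TargetFilename>C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\df00tech-test.dotm</TargetFilename>",
    # Benign (tuning bullet 2): Excel itself saving the Personal Macro Workbook
    "<EventID>11</EventID>"
    "<Image>C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE</Image>"
    "<TargetFilename>C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB</TargetFilename>",
    # Benign (tuning bullet 1): an installer dropping an add-in into XLSTART; msiexec.exe is an assumed example
    "<EventID>11</EventID><Image>C:\\Windows\\System32\\msiexec.exe</Image>"
    "<TargetFilename>C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\addin.xlam</TargetFilename>",
    # Macro execution: Sysmon Event 1, Word spawning PowerShell
    "<EventID>1</EventID>"
    "<Image>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Image>"
    "<ParentImage>C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</ParentImage>",
    # Same behaviour seen through Security 4688, which names the fields NewProcessName/ParentProcessName
    "<EventID>4688</EventID><NewProcessName>C:\\Windows\\System32\\cmd.exe</NewProcessName>"
    "<ParentProcessName>C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE</ParentProcessName>",
]

# The query's regexes, unchanged apart from Python raw-string quoting.
TEMPLATE_NAMES = re.compile(r"(?i)(Normal\.dotm|PERSONAL\.XLSB|NormalEmail\.dotm)")
TEMPLATE_PATHS = re.compile(r"(?i)AppData\\Roaming\\Microsoft\\(Templates|Excel\\XLSTART|Word\\STARTUP)")
OFFICE_IMAGES = re.compile(r"(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun)\.exe")
GLOBALDOTNAME = re.compile(r"(?i)Microsoft.*Word.*GlobalDotName")
OFFICE_PARENTS = re.compile(r"(?i)(winword|excel|powerpnt)\.exe")
SUSPICIOUS_CHILDREN = re.compile(
    r"(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe")


def field(event: str, name: str) -> str:
    """Text of <name>...</name>, or "" when the tag is absent (mirrors parse ... nodrop)."""
    m = re.search(rf"<{name}>(.*?)</{name}>", event, re.S)
    return m.group(1) if m else ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: str, allowlisted_writers: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return the detection_type the query would assign, or None when no branch matches.

    allowlisted_writers: lowercase image basenames permitted to write templates
    (this example's tuning hook for installers); empty by default, like the query.
    """
    event_id = field(event, "EventID")
    target = field(event, "TargetFilename")
    image = field(event, "Image") or field(event, "NewProcessName")
    parent = field(event, "ParentImage") or field(event, "ParentProcessName")
    reg_object = field(event, "TargetObject")

    if (event_id == "11"
            and (TEMPLATE_NAMES.search(target) or TEMPLATE_PATHS.search(target))
            and not OFFICE_IMAGES.search(image)
            and basename(image) not in allowlisted_writers):
        return "Template File Modified by Non-Office Process"
    if event_id == "13" and GLOBALDOTNAME.search(reg_object):
        return "GlobalDotName Registry Key Modified"
    if (event_id in ("1", "4688")
            and OFFICE_PARENTS.search(parent)
            and SUSPICIOUS_CHILDREN.search(image)):
        return "Office Application Spawned Suspicious Child Process"
    return None


def run(events: List[str], allowlisted_writers: FrozenSet[str] = frozenset()) -> List[Optional[str]]:
    """Classify every event; None entries are the rows the query's final where clause drops."""
    return [classify(e, allowlisted_writers) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{field(event, 'EventID'):>5}  {verdict or '-'}")
```

The Excel-saves-PERSONAL.XLSB case is suppressed by the query's own exclusion of Office images, so it needs no tuning; the installer case is not, which is why an explicit writer allowlist is the natural place to encode the first tuning bullet when it turns up in your environment.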
