title: Office Template Macros (T1137.001)
id: df00tech-t1137-001
status: experimental
description: "Adversaries abuse Microsoft Office base templates to obtain persistence. Normal.dotm (Word, default %APPDATA%\\Microsoft\\Templates\\Normal.dotm) and PERSONAL.XLSB (Excel, default %APPDATA%\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB) are loaded every time the respective application starts, so a VBA macro placed in them (an AutoExec procedure in Word, Auto_Open or Workbook_Open in Excel) runs on every launch without the user opening any document. Templates dropped into Word's STARTUP folder load the same way. Adversaries may also set the GlobalDotName value under HKCU\\Software\\Microsoft\\Office\\<version>\\Word\\Options to point Word at an arbitrary template location, including a UNC path, giving persistence that fires on every Word launch from a file outside the usual template directories."
references:
  - https://attack.mitre.org/techniques/T1137/001/
  - https://df00tech.com/detections/T1137.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1137.001
# NOTE: logsource changed from the auto-derived process_creation to file_event (Sysmon Event ID 11):
# the technique is a write to a template Office loads at start. The GlobalDotName registry variant
# needs a separate registry_set rule; the KQL/SPL query on df00tech remains the reference form.
logsource:
  category: file_event
  product: windows
detection:
  selection_base_template:
    TargetFilename|endswith:
      - '\Microsoft\Templates\Normal.dotm'
      - '\Microsoft\Excel\XLSTART\PERSONAL.XLSB'
  selection_startup_folder:
    TargetFilename|contains: '\Microsoft\Word\STARTUP\'
    TargetFilename|endswith: ['.dotm', '.dot']
  # Word/Excel rewrite their own templates on exit; a macro editing Normal.dotm from inside Office is out of scope here
  filter_office_self_write:
    Image|endswith: ['\WINWORD.EXE', '\EXCEL.EXE']
  condition: 1 of selection_* and not filter_office_self_write
falsepositives:
  - "Legitimate IT automation tools (PDQ Deploy, SCCM) distributing updated Office templates to endpoints"
  - User-created macros in PERSONAL.XLSB for legitimate automation of repetitive Excel tasks
  - Office add-in installations that create or modify startup folder files as part of normal installation
  - Helpdesk/support personnel modifying Normal.dotm to deploy standardized corporate templates
level: high

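# Added example (not part of the df00tech rule or of the Sigma project): a Python matcher that
# applies the template-path and GlobalDotName checks described in the rule's description to a few
# constructed Sysmon-style events (Event ID 11 file create, Event ID 13 registry value set). The
# event records, paths and process names are made up for illustration; field names follow Sysmon.
# Writes by WINWORD.EXE/EXCEL.EXE to their own templates are filtered out, so a macro that edits
# Normal.dotm from inside Word is deliberately not flagged by this example either.

```python
"""T1137.001 template-persistence matcher over constructed Sysmon-style events.

Added example, not df00tech or Sigma code. Event shapes follow Sysmon Event ID 11
(FileCreate: Image, TargetFilename) and Event ID 13 (Registry value set: Image,
TargetObject, Details); the sample events below are constructed, not captured.
"""
import re

# Files Office loads at start. Normal.dotm and PERSONAL.XLSB are the default base
# templates; anything with a template extension in Word's STARTUP folder loads too.
TEMPLATE_SUFFIXES = (
    r"\microsoft\templates\normal.dotm",
    r"\microsoft\excel\xlstart\personal.xlsb",
)
STARTUP_DIR = "\\microsoft\\word\\startup\\"
STARTUP_EXTS = (".dotm", ".dot")

# Word and Excel rewrite their own templates on exit; those writes are routine.
OFFICE_IMAGES = ("\\winword.exe", "\\excel.exe")

# HKCU\Software\Microsoft\Office\<version>\Word\Options\GlobalDotName. Sysmon reports
# HKCU keys under HKU\<SID>\..., so match on the tail of the path only.
GLOBALDOTNAME_RE = re.compile(
    r"\\software\\microsoft\\office\\[\d.]+\\word\\options\\globaldotname$", re.I
)


def is_startup_template(path: str) -> bool:
    """True if `path` is a template Office auto-loads at application start."""
    p = path.lower()
    if p.endswith(TEMPLATE_SUFFIXES):
        return True
    return STARTUP_DIR in p and p.endswith(STARTUP_EXTS)


def classify(event: dict):
    """Return an alert reason for one Sysmon-style event, or None if benign."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    if eid == 11:  # FileCreate
        target = event.get("TargetFilename", "")
        if not is_startup_template(target):
            return None
        if image.endswith(OFFICE_IMAGES):
            return None  # Office saving its own template: expected, not persistence
        return f"startup template written by non-Office process {image}: {target}"
    if eid == 13:  # Registry value set
        if GLOBALDOTNAME_RE.search(event.get("TargetObject", "")):
            # Any writer is interesting: the value can point at a local or UNC path.
            return f"GlobalDotName set to {event.get('Details', '')!r} by {image}"
    return None


# Constructed sample events (hypothetical hosts, users and binaries).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\helper.dotm"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Options\GlobalDotName",
     "Details": r"C:\ProgramData\tpl\base.dotm"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return (index, reason) for every event that fires."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for i, reason in run():
        print(f"event {i}: {reason}")
```

# Running the file prints the flagged events: the PowerShell write to Normal.dotm, the
# dropped STARTUP template and the GlobalDotName set; the two writes by Office itself
# and the unrelated process-creation event stay silent.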