# T1221 Template Injection

-----------------------------------------------------------------------

## Technique Description

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives comprised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)

Adversaries may also modify the `*\template` control word within an .rtf file to similarly conceal and then download malicious code. The legitimate value of this control word is the location of a template file that is retrieved and loaded when the .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field that points at the URL of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)

This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting an SMB/HTTPS (or other credential-prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)

## Technique Detection

Analyze process behavior to determine if user document applications (such as Office) are performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior.

Monitor .rtf files for strings indicating the `*\template` control word has been modified to retrieve a URL resource, such as `*\template http` or `*\template \u-`.
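As an added example for this playbook (not code from the MITRE entry or any cited tool), the following Python script performs the static check described above: it lists the `TargetMode="External"` relationships inside an OOXML package and flags the `attachedTemplate` type that Word fetches on open, and it decodes the destination of each `*\template` group in an RTF file, including the `\u`-escaped form. The sample documents are constructed in-memory and `example.invalid` is a placeholder host.

```python
"""Static scan of OOXML and RTF documents for remote template references.
Added example for this playbook, not code from MITRE or any cited tool; the
sample inputs are constructed and example.invalid is a placeholder host."""
import io, re, zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
AUTO_LOAD = {"attachedTemplate", "oleObject"}  # fetched when the file opens, no click needed
REMOTE = re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.I)  # URL scheme or UNC path
RTF_TEMPLATE = re.compile(rb"\\\*\\template\b")
RTF_UNICODE = re.compile(rb"\\u(-?\d+) ?\??")  # \uN escape plus the usual '?' fallback char
URL = "http://tpl.example.invalid/t.dotm"  # constructed placeholder destination
# Constructed RTF fragments: the URL written plainly, and the same URL as \uN escapes
SAMPLE_RTF_PLAIN = rb"{\rtf1{\*\template " + URL.encode() + b"}\par}"
SAMPLE_RTF_UNICODE = rb"{\rtf1\uc1{\*\template " + b"".join(b"\\u%d?" % ord(c) for c in URL) + b"}}"


def scan_ooxml(data: bytes) -> list:
    """List TargetMode="External" relationships with remote targets, flagging auto-load types."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if n.endswith(".rels")):
            for rel in ET.fromstring(z.read(name)).iter(f"{{{PKG_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE.search(target):
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append({"part": name, "type": rtype, "target": target, "auto_load": rtype in AUTO_LOAD})
    return hits


def scan_rtf(data: bytes) -> list:
    """Decode the destination of every \\*\\template group, including \\uN-escaped URLs."""
    hits = []
    for m in RTF_TEMPLATE.finditer(data):
        end = data.find(b"}", m.end())
        tail = data[m.end():end if end != -1 else len(data)]
        # \uN is a signed 16-bit code unit: rebuild the character, then drop leftover control words
        text = RTF_UNICODE.sub(lambda u: chr(int(u.group(1)) % 65536).encode(), tail)
        text = re.sub(rb"\\[a-z]+-?\d* ?", b"", text).strip().decode("utf-8", "replace")
        if text:
            hits.append(text)
    return hits


def build_sample_docx() -> bytes:
    """Constructed minimal package: one external attachedTemplate plus an ordinary hyperlink."""
    rel = ('<Relationship Id="rId%d" TargetMode="External" Target="%s" '
           'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/%s"/>')
    rels = ('<Relationships xmlns="%s">' % PKG_NS
            + rel % (1, URL, "attachedTemplate")
            + rel % (2, "https://www.example.org/", "hyperlink") + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Hyperlinks are reported too but left with `auto_load` false, since they need a click; the `attachedTemplate` relationship in `word/_rels/settings.xml.rels` is the one that triggers a fetch when the document opens.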

-----------------------------------------------------------------------

### Tactics:

  *   Defense-Evasion

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

### Defenses Bypassed:

  * Static File Analysis

### Data Sources:

  * **Process:** Process Creation

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Connection Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used a weaponized Microsoft Word document with an embedded RTF exploit.(Citation: Uptycs Confucius APT Jan 2021)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has used trojanized documents that retrieve remote templates from an adversary-controlled website.(Citation: Talos Frankenstein June 2019)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has used decoy documents to load malicious remote payloads via HTTP.(Citation: Unit 42 Inception November 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.(Citation: Unit 42 Tropic Trooper Nov 2016)| 
| DarkHydrus | [DarkHydrus](https://attack.mitre.org/groups/G0079) used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable [Forced Authentication](https://attack.mitre.org/techniques/T1187).(Citation: Unit 42 Phishery Aug 2018)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.(Citation: Proofpoint RTF Injection) [Gamaredon Group](https://attack.mitre.org/groups/G0047) can also inject malicious macros or remote templates into documents already present on compromised systems.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has injected SMB URLs into malicious Word spearphishing attachments to initiate [Forced Authentication](https://attack.mitre.org/techniques/T1187).(Citation: US-CERT TA18-074A)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used DOCX files to retrieve a malicious document template/DOTM file.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.(Citation: Unit42 Sofacy Dec 2018)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1221)

  * [Microsoft Open Xml July 2017](https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)), Microsoft. (2014, July 9). Introducing the Office (2007) Open XML File Formats. Retrieved July 20, 2018.

  * [Sans Brian Wiltse Template Injection](https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780), Wiltse, B. (2018, November 7). Template Injection Attacks - Bypassing Security Controls by Living off the Land. Retrieved April 10, 2019.

  * [Redxorblue Remote Template Injection](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html), Hawkins, J. (2018, July 18). Executing Macros From a DOCX With Remote Template Injection. Retrieved October 12, 2018.

  * [Malwarebytes Template Injection Oct 2017](https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/), Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018.

  * [Proofpoint Rtf Injection](https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread), Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors. Retrieved December 9, 2021.

  * [Ciberseguridad Decoding Malicious Rtf Files](https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/), Pedrero, R. (2021, July). Decoding malicious RTF files. Retrieved November 16, 2021.

  * [Anomali Template Injection Mar 2018](https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104), Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.

  * [Talos Template Injection July 2017](https://blog.talosintelligence.com/2017/07/template-injection.html), Baird, S. et al. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018.

  * [Ryhanson Phishery Sept 2016](https://github.com/ryhanson/phishery), Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

- APT 28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.
- DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.
- Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.
- Frankenstein has used trojanized documents that retrieve remote templates from an adversary-controlled website.
- Gamaredon Group has used DOCX files to download malicious DOT document templates. Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.
- Inception has used decoy documents to load malicious remote payloads via HTTP.
- Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.

#### APT 28
- Has been known to use .docx files as decoy documents to avoid initial detection by email gateways and intrusion detection systems, with execution occurring only after the document has been received and opened by the user.

## Detection Blindspots

- These analytics currently identify only "standard" template injection attacks. Bypasses have already been documented in detail, for example at https://blog.f-secure.com/dechaining-macros-and-evading-edr/. The same research also showed that it is very difficult to detect whether the local "Normal.dotm" template has been modified to contain a malicious payload.

- A few evasions are listed below to illustrate the challenge of identifying malicious macro execution.

    - Identify embedded payload in macro (large macro size). Bypass: build the macro as a cradle that downloads shellcode remotely and injects it.
    - Identify network connections from Office applications. Bypass: redirect network connections through an Internet Explorer COM object.
    - Identify new process creation from Office applications. Bypass: launch a legitimate process using `CreateProcessA` from Explorer.
        - Emulate legitimate usage of a LOLBIN such as `rundll32` to execute the payload.
    - Identify unusual additional files dropped. Bypass: use a common temporary file path used by WinWord to blend into the environment, for example:
        - `C:\Users\<user>\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{AE7BBF2F-B65D-4BF4-9FAD-A779AEC41A02}.tmp`
        - `C:\Users\<user>\AppData\Local\Temp\CVR497F.tmp`
        - `C:\Users\<user>\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db`

## Analytical References

  * [Dear John Sofacy Campaign (paloalto)](https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/)
  * [Decoy MS Document Delivers Malware 2017 (malwarebytes)](https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/)
  * [Cred Harvesting and Malicious File Delivery MS Office Template Injection (anomali)](https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104)
  * [Playing Defense Against Gamaredon (elastic)](https://www.elastic.co/blog/playing-defense-against-gamaredon-group)
  * [Operation North Star (mcafee)](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/)
  * [EQL Lib (readthedocs)](https://eqllib.readthedocs.io/en/latest/analytics/bba65411-cf61-4d7c-a9a8-a2021684e9ca.html)
  * [Inject Macros from a Remote DOTM Template (ired)](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros)
  * [Detecting Persistence Techniques (redcanary)](https://redcanary.com/blog/detecting-persistence-techniques/)
  * [Template Injection Attacks - Bypassing Security Controls (sans)](https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780)
  * [Introducing the Office (2007) Open XML File Formats (microsoft)](https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2007/aa338205(v=office.12))

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Understanding Visual Basic and its capabilities in the context of macros can help build better detections. While process creation/lineage can help identify simplistic attacks like WinWord spawning cmd.exe, it will not help against advanced adversaries. Usage of Event Tracing
- Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: PowerShell), or other suspicious actions that could relate to post-compromise behavior.
- Successful external connections to URL shortened domains should be investigated if observed. 
- Be on alert while reading email, in particular when it comes with an urgent label, or uses poor grammar.
- Files and emails will be targeted to the specific network or entity the adversary is trying to gain access to. 
- File/domain extensions in the queries should be adjusted to match the traffic being observed.

#### Analytic 1

  * **Information:** DNS Traffic from Office Applications

  * **Source:** Sysmon, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Look for all processes related to Microsoft Office (winword.exe, excel.exe, powerpnt.exe) and flag any DNS requests from those PIDs that are not to Microsoft-owned domains (.microsoft.com, .skype.com).

  * **Query EQL:**

    ```
    sequence by unique_pid
        [process where process_name in ("winword.exe", "excel.exe", "powerpnt.exe")]
        [dns where not wildcard(query_name, "*.microsoft.com", "*.skype.com")]
    ```

#### Analytic 2

  * **Information:** Dynamic DNS enables adversaries to rapidly provision very large numbers of records that map back to their infrastructure, creating a confusion layer between victims and adversaries. Gamaredon Group exclusively used Dynamic DNS locations for remotely hosted templates, rotating domains consistently, and leveraging separate infrastructure for hosting stagers and templates. This detection is targeted at dynamic DNS requests from Office Applications.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Arkime, Kibana, Autopsy

  * **Notes:** 

  * **Query EQL:**

    ```
    sequence
        [process where process_name in ("winword.exe", "excel.exe", "powerpnt.exe")] by unique_pid
        [dns where not wildcard(query_name, "*.microsoft.com", "*.skype.com")] by unique_pid
        [network where true] by unique_pid
        [process where subtype.create] by unique_ppid
    ```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Successful external connections to URL shortened domains should be investigated if observed. 
- Be on alert while reading email, in particular when it comes with an urgent label, or uses poor grammar.
- Files and emails will be targeted to the specific network or entity the adversary is trying to gain access to. 
- File/domain extensions in the queries should be adjusted to match the traffic being observed.

#### Analytic 1

  * **Information:** Identify outbound connections to possible SMB servers outside the network. 

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** This could identify forced authentication and the capture of credentials.

  * **Query Arkime:** ```protocols == smb && ip.dst != [10/8, 172.16/12, 192.168/16]```
  
  * **Query Kibana:** ```protocol: smb AND NOT dstIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)```

#### Analytic 2

  * **Information:** Identify successful GET requests for URLs ending in specific file types.

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Coordination with host data can help identify the specific user agent that made the HTTP request at the time, such as an Office application. Once a specific HTTP application type has been identified, use the user-agent to assess whether it is related to other possibly malicious activity or requests seen across the network.
      - Other fields of interest:
          - `http.bodymagic`
          - `http.user-agent` 
          - `http.statuscode`

  * **Query Arkime:** ```http.method == "GET" && http.uri == [*.zip, *.rar, *.exe, *.lnk, *.docx, *.doc, *.pdf] && http.statuscode == 200```
  
  * **Query Kibana:** ```http.method: GET AND http.uri: (*.zip or *.rar or *.exe or *.lnk or *.docx or *.doc or *.pdf) AND http.status: 200```

