Template Injection (T1221)

Technique & Subtechniques

  • Template Injection

Associated Tactics

  • Defense Evasion

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Procedure Examples

Description Source(s)
Microsoft. (2014, July 9). Introducing the Office (2007) Open XML File Formats. Retrieved July 20, 2018. Microsoft Open XML July 2017
Wiltse, B. (2018, November 7). Template Injection Attacks - Bypassing Security Controls by Living off the Land. Retrieved April 10, 2019. SANS Brian Wiltse Template Injection
Hawkins, J. (2018, July 18). Executing Macros From a DOCX With Remote Template Injection. Retrieved October 12, 2018. Redxorblue Remote Template Injection
Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018. MalwareBytes Template Injection OCT 2017
Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors. Retrieved December 9, 2021. Proofpoint RTF Injection
Pedrero, R. (2021, July). Decoding malicious RTF files. Retrieved November 16, 2021. Ciberseguridad Decoding malicious RTF files
Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018. Anomali Template Injection MAR 2018
Baird, S. et al. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018. Talos Template Injection July 2017
Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018. ryhanson phishery SEPT 2016