Esc
Office Template Macros - T1137.001

(ATT&CK® Technique)
Definition

Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1137001["Office Template Macros"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1137001 OffensiveTechniqueNode;
        class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
        click T1137001 href "/offensive-technique/attack/T1137.001/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1137001["Office Template Macros"] --> |may-add| ExecutableScript["Executable Script"]; class T1137001 OffensiveTechniqueNode;
        class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
        click T1137001 href "/offensive-technique/attack/T1137.001/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1137001["Office Template Macros"] --> |may-modify| ExecutableScript["Executable Script"]; class T1137001 OffensiveTechniqueNode;
        class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
        click T1137001 href "/offensive-technique/attack/T1137.001/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";                                       EmulatedFileAnalysis["Emulated File Analysis"] -->
          | analyzes | ExecutableScript["Executable Script"];

          EmulatedFileAnalysis["Emulated File Analysis"] -.->
            | may-detect | T1137001["Office Template Macros"] ;
          class EmulatedFileAnalysis DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";  DynamicAnalysis["Dynamic Analysis"] -->
          | analyzes | ExecutableScript["Executable Script"];

          DynamicAnalysis["Dynamic Analysis"] -.->
            | may-detect | T1137001["Office Template Macros"] ;
          class DynamicAnalysis DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";                                                  FileEviction["File Eviction"] -->
          | deletes | ExecutableScript["Executable Script"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1137001["Office Template Macros"] ;
          class FileEviction DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                                FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | ExecutableScript["Executable Script"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1137001["Office Template Macros"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                            DecoyFile["Decoy File"] -->
          | spoofs | ExecutableScript["Executable Script"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1137001["Office Template Macros"] ;
          class DecoyFile DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                            FileEncryption["File Encryption"] -->
          | encrypts | ExecutableScript["Executable Script"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1137001["Office Template Macros"] ;
          class FileEncryption DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";                            ExecutableDenylisting["Executable Denylisting"] -->
          | blocks | ExecutableScript["Executable Script"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1137001["Office Template Macros"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";  ExecutableAllowlisting["Executable Allowlisting"] -->
          | blocks | ExecutableScript["Executable Script"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1137001["Office Template Macros"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";                                                      RestoreFile["Restore File"] -->
          | restores | ExecutableScript["Executable Script"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1137001["Office Template Macros"] ;
          class RestoreFile DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";  RestoreConfiguration["Restore Configuration"] -->
          | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];

          RestoreConfiguration["Restore Configuration"] -.->
            | may-restore | T1137001["Office Template Macros"] ;
          class RestoreConfiguration DefensiveTechniqueNode;
          class SystemConfigurationDatabaseRecord ArtifactNode;
          click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";                                        LocalFilePermissions["Local File Permissions"] -->
          | restricts | ExecutableScript["Executable Script"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1137001["Office Template Macros"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                            FileAnalysis["File Analysis"] -->
          | analyzes | ExecutableScript["Executable Script"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1137001["Office Template Macros"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";                                          RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | ExecutableScript["Executable Script"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1137001["Office Template Macros"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
json