DET0519 Detect Persistence via Office Template Macro Injection or Registry Hijack

Item	Value
ID	DET0519
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1137.001 (Office Template Macros)

Analytics

Windows

AN1436

Adversaries inject VBA macros into Office templates such as Normal.dotm or Personal.xlsb or redirect Office template load path via registry key (GlobalDotName) to gain persistence. Template macros trigger execution of malicious code on application startup.

Log Sources

Data Component	Name	Channel
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
File Metadata (DC0059)	WinEventLog:Sysmon	EventCode=15
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14
Command Execution (DC0064)	WinEventLog:Microsoft-Office-Alerts	Office application warning or alert on macro execution from template

Mutable Elements

Field	Description
TemplatePath	Path to Normal.dotm, Personal.xlsb, or Excel/Word startup templates may vary by Office version and user
RegistryPath	GlobalDotName or equivalent registry keys may differ across Office versions or deployments
TimeWindow	Office process creation and macro execution timing after system or user login
UserContext	May be scoped to high-value users or those with access to sensitive templates

Office Suite

AN1437

Malicious VBA macros embedded in base templates like Normal.dotm or Personal.xlsb are automatically loaded and executed at startup. Template path may be hijacked to load a remote or attacker-controlled template via GlobalDotName registry setting.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	m365:unified	Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation

Mutable Elements

Field	Description
TemplateSource	Macros may be embedded in local user templates or retrieved from shared network paths
MacroSecurityLevel	Macro execution policy (disabled, warn, enabled) varies by tenant or user configuration