
DET0566 Template Injection Detection - Windows

ID              DET0566
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1221 (Template Injection)

Analytics

Windows

AN1564

Detection of Office or document viewer processes (e.g., winword.exe) initiating network connections to remote templates or executing scripts due to manipulated template references (e.g., embedded in .docx, .rtf, or .dotm files), followed by suspicious child process creation (e.g., PowerShell).

Log Sources

Data Component                          Name                 Channel
Process Creation (DC0032)               WinEventLog:Sysmon   EventCode=1
Network Connection Creation (DC0082)    WinEventLog:Sysmon   EventCode=3, 22

Mutable Elements

Field                          Description
TemplateURLPatterns            Can be tuned to flag known bad domains or external resources in template fields.
ParentProcess                  May be environment-specific; typically Word, Excel, PowerPoint.
TimeWindow                     Correlation window for process + network activity.
ChildProcessAnomalyThreshold   Trigger when a document-spawned child process deviates from the expected profile.
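The correlation that AN1564 describes (an Office parent reaching out to a remote resource, then spawning an unexpected child inside the time window), as an added Python example that is not part of the ATT&CK detection strategy or of any vendor's implementation. It runs over constructed Sysmon-style records (EventCode 22 DNS, 3 network, 1 process creation); the GUIDs, hostnames, paths and timestamps are made up, and the tunable sets mirror the mutable elements above with assumed values.

```python
"""Toy correlation of Sysmon events for the AN1564 pattern (added example)."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Mutable elements from the detection strategy, as tunable constants (assumed values).
PARENT_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
CHILD_PROCESS_ANOMALIES = {"powershell.exe", "cmd.exe", "wscript.exe",
                           "cscript.exe", "mshta.exe", "rundll32.exe"}
TIME_WINDOW = timedelta(minutes=5)

# Constructed image paths used by the sample records below.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-style events (not real telemetry). ProcessGuid values are placeholders.
SAMPLE_EVENTS = [
    # Word resolves and connects to a remote template host, then spawns PowerShell 39 s later.
    {"EventCode": 22, "UtcTime": "2025-10-21 10:00:01.100", "Image": WORD,
     "ProcessGuid": "{W1}", "QueryName": "templates.example.invalid"},
    {"EventCode": 3, "UtcTime": "2025-10-21 10:00:02.250", "Image": WORD,
     "ProcessGuid": "{W1}", "DestinationHostname": "templates.example.invalid", "DestinationPort": 443},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:40.000", "Image": PS, "ParentImage": WORD,
     "ParentProcessGuid": "{W1}", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    # Benign: Excel talks to an internal host and spawns the print helper (not an anomalous child).
    {"EventCode": 3, "UtcTime": "2025-10-21 10:05:00.000", "Image": EXCEL,
     "ProcessGuid": "{E1}", "DestinationHostname": "sharepoint.corp.example", "DestinationPort": 443},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:05:03.000", "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": EXCEL, "ParentProcessGuid": "{E1}", "CommandLine": "splwow64.exe"},
    # Word spawns PowerShell, but its only network event was 10 minutes earlier (outside the window).
    {"EventCode": 3, "UtcTime": "2025-10-21 11:00:00.000", "Image": WORD,
     "ProcessGuid": "{W3}", "DestinationHostname": "templates.example.invalid", "DestinationPort": 443},
    {"EventCode": 1, "UtcTime": "2025-10-21 11:10:00.000", "Image": PS, "ParentImage": WORD,
     "ParentProcessGuid": "{W3}", "CommandLine": "powershell.exe -NoProfile"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def _name(path):
    # Sysmon logs full image paths; compare on the lower-cased file name only.
    return PureWindowsPath(path).name.lower()


def correlate(events, window=TIME_WINDOW):
    """Return one alert per anomalous child spawned by an Office parent that
    made a DNS query or network connection within `window` beforehand."""
    recent = {}   # ProcessGuid of an Office process -> [(time, remote), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        t = _ts(ev["UtcTime"])
        code = ev["EventCode"]
        if code in (3, 22) and _name(ev["Image"]) in PARENT_PROCESSES:
            remote = ev.get("DestinationHostname") or ev.get("QueryName") or ev.get("DestinationIp", "?")
            recent.setdefault(ev["ProcessGuid"], []).append((t, remote))
        elif code == 1 and _name(ev.get("ParentImage", "")) in PARENT_PROCESSES:
            child = _name(ev["Image"])
            if child not in CHILD_PROCESS_ANOMALIES:
                continue
            hits = [(nt, r) for nt, r in recent.get(ev["ParentProcessGuid"], [])
                    if timedelta(0) <= t - nt <= window]
            if hits:
                first_t, remote = hits[0]
                alerts.append({
                    "parent": _name(ev["ParentImage"]),
                    "parent_guid": ev["ParentProcessGuid"],
                    "child": child,
                    "command_line": ev["CommandLine"],
                    "remote": remote,
                    "seconds_after_network": (t - first_t).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the first Word process fires: the Excel child is not in the anomaly set, and the third case falls outside TimeWindow. A production version would key on the parent's ProcessGuid exactly as here, since image names alone cannot tie the child back to the specific Word instance that fetched the template.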