Common Information
| Type | Value |
|---|---|
| Value |
Template Injection - T1221 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017) Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded. Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017) Adversaries may also modify the <code>*\template</code> control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files) This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-11-16 | 2 | injection-attacks | ||
| Details | Website | 2024-11-16 | 0 | Source — BTLO Writeup | ||
| Details | Website | 2024-11-14 | 13 | TryHackMe | Whiterose Write-up | ||
| Details | Website | 2024-11-11 | 1 | Server-Side Template Injection in an Unknown Language with a Documented Exploit — SSTI… | ||
| Details | Website | 2024-11-09 | 18 | BugBounty — Mastering the Basics (along with Resources)[Part-3] | ||
| Details | Website | 2024-11-04 | 1004 | US-CERT Vulnerability Summary for the Week of October 28, 2024 - RedPacket Security | ||
| Details | Website | 2024-11-04 | 8 | 每日安全动态推送(24/11/8) | CTF导航 | ||
| Details | Website | 2024-11-03 | 19 | Whiterose CTF Writeup — TryHackMe | ||
| Details | Website | 2024-11-03 | 2 | Whiterose — THM CTF Writeup | ||
| Details | Website | 2024-10-30 | 9 | Weaponize Your Word - Malicious Template Injection | JUMPSEC LABS | ||
| Details | Website | 2024-10-30 | 28 | Attacker Abuses Victim Resources to Reap Rewards from Titan Network | ||
| Details | Website | 2024-10-29 | 10 | 주간 탐지 룰(YARA, Snort) 정보 - 2024년 10월 5주차 - ASEC | ||
| Details | Website | 2024-10-29 | 10 | Weekly Detection Rule (YARA and Snort) Information - Week 5, October 2024 - ASEC | ||
| Details | Website | 2024-10-28 | 1185 | US-CERT Vulnerability Summary for the Week of October 21, 2024 - RedPacket Security | ||
| Details | Website | 2024-10-26 | 18 | AIO Web App Pentesting Checklist | ||
| Details | Website | 2024-10-18 | 6 | Hack The Box — Web Challenge: Labyrinth Linguist | ||
| Details | Website | 2024-10-17 | 8 | SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack | ||
| Details | Website | 2024-10-17 | 8 | SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack - RedPacket Security | ||
| Details | Website | 2024-10-17 | 100 | Flying in the clouds: APT31 renews its attacks on Russian companies through cloud storage | ||
| Details | Website | 2024-10-15 | 275 | SideWinder APT’s post-exploitation framework analysis | ||
| Details | Website | 2024-10-13 | 0 | Mastering Web Security with PortSwigger Labs: A Complete Guide for Aspiring Bug Bounty Hunters | ||
| Details | Website | 2024-10-10 | 0 | Hack The Box (HTB) Starting Point — Tier 1 (Responder) | ||
| Details | Website | 2024-10-10 | 0 | Russia-linked GoldenJackal hits air-gapped systems • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting | ||
| Details | Website | 2024-10-08 | 32 | 주간 탐지 룰(YARA, Snort) 정보 - 2024년 10월 2주차 - ASEC | ||
| Details | Website | 2024-10-08 | 26 | Weekly Detection Rule (YARA and Snort) Information - Week 2, October 2024 - ASEC |