Office Templates and GlobalDotName - A Stealthy Office Persistence Technique
A few weeks back, I was researching various adversarial techniques, when a couple of minutes into the research of T1137 (Office Application Startup), there appeared to be a yet-to-be-documented capability that can be leveraged by adversaries using this technique.
I also noticed there isn't a lot of in-depth information about some of the techniques presented in T1137, such as the "Normal Template" technique, even though plenty of well-known threat actors like "MuddyWater" leverage this technique, so I decided to shed some light on it and some of Word's inner workings.
When researching adversarial techniques, I start by examining the MITRE ATT&CK Post-Exploitation matrix to check the technique's existence, and gather additional information if it exists on the web.