Remote Template Injection
Microsoft Word has the option of creating new documents from a template. Office has some templates pre-installed, you can make custom templates, and even download new ones. Remote Template Injection is a technique where an attacker sends a benign document to a victim, which downloads and loads a malicious template. This template may hold a macro, leading to code execution.
Open Word on the Attacker Desktop, create a new blank document and insert your desired macro. Save this to C:\Payloads as a Word 97-2003 Template (*.dot) file. This is now our "malicious remote template". Use Cobalt Strike to host this file at http://nickelviper.com/template.dot.
Next, create a new document from the blank template located in C:\Users\Attacker\Documents\Custom Office Templates. Add any content you want, then save it to C:\Payloads as a new .docx. Browse to the directory in Explorer, right-click the file and select 7-Zip > Open archive. Navigate to word > _rels, right-click on settings.xml.rels and select Edit.
This is just a small XML file. Scroll right until you see the Target entry.
It's currently pointing to the template on our local disk from which the document was created. Simply modify this so it points to the template URL instead.
Save those changes and email the document to Bob. Once the file is opened, you'll see a warning about macros again, but allowing them to run will execute the macro in the hosted template, giving us a Beacon.
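The same Target entry the walkthrough edits by hand is what a defender can check for. The following is an added example, not code from the course notes or from any tool it mentions: it opens a .docx as the zip archive it is, reads word/_rels/settings.xml.rels, and reports any attachedTemplate relationship whose Target points off the local disk. The relationship namespace, the attachedTemplate Type URI and the TargetMode attribute are standard OOXML values; the minimal sample archive the script builds for itself is constructed, and the hosted-template URL it uses as test input is the one from the walkthrough above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

# Standard OOXML identifiers: the package-relationships namespace, the
# relationship type Word uses for an attached template, and the part the
# walkthrough edits by hand.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote_target(target: str) -> bool:
    """True if Word would have to reach over the network to fetch this Target."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # UNC share
    parsed = urlparse(t)
    if parsed.scheme in ("http", "https", "ftp"):
        return True
    # file:// with a host component is a network path; file:///C:/... is local.
    if parsed.scheme == "file" and parsed.netloc not in ("", "localhost"):
        return True
    return False


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return every attachedTemplate Target in the document that is remote."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships part: nothing is attached
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if is_remote_target(target):
                hits.append(target)
    return hits


def build_sample_docx(template_target: str) -> bytes:
    """Constructed test input: a minimal zip holding only the relationships
    part, enough for the detector (not a document Word would open)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target={quoteattr(template_target)} TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # First target is the hosted template URL from the walkthrough; the
    # second is what a locally created document's Target normally looks like.
    for target in (
        "http://nickelviper.com/template.dot",
        "file:///C:/Users/Attacker/Documents/Custom%20Office%20Templates/blank.dotx",
    ):
        print(target, "->", find_remote_templates(build_sample_docx(target)))
```

Run against real files by passing `open(path, "rb").read()` to `find_remote_templates`; a document created from a local template yields an empty list, while one whose Target has been rewritten to a URL or UNC path is reported. The check is on the relationship, not on macro content, so it fires before any template is fetched.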
John Woodman created a Python tool that can automate this process so that we don't have to modify the XML manually.