MITRE ATT&CK® Analytic

AN0029: Analytic 0029

Detects macros or VBA triggers set to execute on document open or close events, often correlating with embedded payloads or C2 traffic shortly after execution.

Enterprise | AN0029 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Analytic 0029 matters because Office documents can be configured to run macros or VBA automatically when a file is opened or closed. For business leaders, the decision point is whether the organization can prove it would see suspicious Office macro activity and the follow-on signals MITRE highlights, such as embedded payload behavior or command-and-control traffic shortly after execution.

Executive priority

Prioritize this as an Office Suite monitoring and control-validation issue. It supports decisions about macro policy, managed detection coverage, incident response readiness, and audit evidence for high-risk document handling. Leaders should ask whether SOC teams can correlate Office macro execution with near-term process, file, and network activity rather than treating document events in isolation.

Technical view

Validate visibility around Office documents that contain macros or VBA triggers tied to document open or close events. Because no official detection logic is provided, detection engineering should focus on correlation: Office document activity followed shortly by payload-like behavior or outbound network traffic. Tune carefully for legitimate business macros, especially in departments that rely on automated Office workflows.

Likely telemetry

  • Office Suite document and macro/VBA execution evidence
  • Document open and close event context where available
  • Endpoint process creation and child-process activity associated with Office applications
  • File creation or modification events consistent with embedded payload extraction or staging
  • Network connection telemetry shortly after Office macro execution

Detection direction

  • Confirm whether Office macro or VBA auto-execution triggers are observable in current telemetry.
  • Correlate macro-triggered document activity with rapid follow-on endpoint or network behavior rather than alerting only on macro presence.
  • Baseline legitimate macro-heavy business processes to reduce false positives.
  • Review blind spots where Office telemetry, endpoint process telemetry, or network telemetry are not joined in the SOC workflow.
  • Because ATT&CK provides no analytic logic here, require local testing with representative Office documents and approved macro use cases.
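One way to implement the correlation described above, as an added example that is not from the MITRE object or Glexia's analysis: it joins constructed Office document-open events with follow-on process and network telemetry inside an assumed 60-second window and suppresses workflows baselined as approved. The event fields, the window length and the approved-document list are assumptions.

```python
# Added example: windowed correlation of Office document-open events with
# near-term child-process and network events on the same host, with a
# baseline allowlist for approved macro workflows. Event shape, window and
# sample events are constructed assumptions, not the page's own logic.
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
WINDOW = timedelta(seconds=60)  # assumption: "shortly after" means 60 s

# Assumed baseline of business-justified macro documents (lower-cased paths).
APPROVED_DOCS = {"finance\\month_end_report.xlsm"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "doc_open", "process" (child spawned) or "network"
    app: str     # Office image that opened the doc / parent of the follow-on
    detail: str  # document path, child image name, or remote endpoint


def correlate(events):
    """Return one alert per doc_open that is followed, within WINDOW, by a
    child process or network connection from the same Office app and host."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, e in enumerate(events):
        if e.kind != "doc_open" or e.app not in OFFICE_APPS:
            continue
        if e.detail.lower() in APPROVED_DOCS:
            continue  # baselined legitimate macro workflow: suppress
        follow = [f for f in events[i + 1:]
                  if f.host == e.host and f.app == e.app
                  and f.kind in ("process", "network")
                  and f.ts - e.ts <= WINDOW]
        if follow:
            alerts.append({"host": e.host, "doc": e.detail,
                           "followups": [(f.kind, f.detail) for f in follow]})
    return alerts


# Constructed sample telemetry: one suspicious chain, one approved workflow,
# and one document whose network activity falls outside the window.
T = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [
    Event(T, "wks01", "doc_open", "WINWORD.EXE", "C:\\Users\\a\\invoice.docm"),
    Event(T + timedelta(seconds=12), "wks01", "process", "WINWORD.EXE", "cmd.exe"),
    Event(T + timedelta(seconds=20), "wks01", "network", "WINWORD.EXE", "203.0.113.5:443"),
    Event(T + timedelta(minutes=5), "wks02", "doc_open", "EXCEL.EXE", "finance\\month_end_report.xlsm"),
    Event(T + timedelta(minutes=5, seconds=3), "wks02", "process", "EXCEL.EXE", "cmd.exe"),
    Event(T + timedelta(hours=1), "wks03", "doc_open", "WINWORD.EXE", "C:\\docs\\memo.docx"),
    Event(T + timedelta(hours=1, minutes=30), "wks03", "network", "WINWORD.EXE", "198.51.100.9:80"),
]
```

Running `correlate(SAMPLE)` yields a single alert for wks01 carrying both the child process and the outbound connection; the approved workbook on wks02 and the late connection on wks03 are not alerted.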

Mitigation priorities

  • Review and enforce macro governance for Office Suite use, especially automatic execution on document open or close.
  • Limit macro execution to trusted, business-justified sources and workflows where feasible.
  • Ensure endpoint and network monitoring can preserve evidence needed for incident response after suspicious document execution.
  • Document approved macro exceptions for compliance and audit readiness.
  • Use incident response playbooks that treat suspicious Office macro execution as a potential precursor to payload execution or command-and-control activity.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and has no tactics or relationship context. Its value is primarily as a coverage validation prompt: can the organization observe and correlate Office macro/VBA auto-execution with subsequent payload or network behavior?

The official object provides a short description only and no detection logic, data source list, relationships, or supported tactics. Local Office configuration, macro usage patterns, endpoint telemetry, and network visibility are required to determine practical coverage.

Official MITRE ATT&CK definition

Analytic 0029

Detects macros or VBA triggers set to execute on document open or close events, often correlating with embedded payloads or C2 traffic shortly after execution.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 23be3b04ad6c94a8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 23be3b04ad6c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.


Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.