MITRE ATT&CK® Analytic

AN1436: Analytic 1436

Adversaries inject VBA macros into Office templates such as Normal.dotm or Personal.xlsb or redirect Office template load path via registry key (GlobalDotName) to gain persistence. Template macros trigger execution of malicious code on application startup.

Enterprise | AN1436 | Analytic | Object v1.0 | Modified: (empty)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Windows persistence pattern where malicious VBA macros are placed in Office templates or Office is redirected to load a template from a controlled path. The business issue is not just “macros”: if template startup behavior is trusted and unmonitored, code can run each time a user opens Word or Excel, creating a durable foothold that may survive normal user activity and evade teams focused only on email attachment execution.

Executive priority

Treat this as a control-validation item for endpoint hardening, Office macro governance, and incident response readiness. Leaders should ask whether the organization can prove where Office templates are stored, whether template path changes are monitored, and whether SOC teams can investigate suspicious macro execution at application startup. This is especially relevant for audit evidence around endpoint configuration management and for prioritizing controls that reduce persistence opportunities on Windows workstations.

Technical view

For Windows environments using Microsoft Office, validate visibility into changes to Office template files such as Normal.dotm and Personal.xlsb, as well as registry changes involving Office template load paths such as GlobalDotName. Because no official detection logic is supplied, detection engineering should focus on establishing a baseline for legitimate template modifications and alerting on unusual template writes, unexpected macro-bearing template changes, and Office startup followed by suspicious child process or script execution. IR teams should include Office template locations and related registry settings in persistence triage checklists.

Likely telemetry

  • Windows endpoint file creation and modification events for Office template locations
  • Registry modification telemetry for Office template load path settings, including GlobalDotName
  • Office process execution telemetry, especially Word or Excel startup behavior
  • Process lineage showing Office applications launching scripts, command interpreters, or other unusual child processes
  • Endpoint detection and response records for macro execution or Office automation activity

Detection direction

  • Baseline normal changes to Normal.dotm, Personal.xlsb, and other approved Office template files before alerting broadly, because legitimate Office customization can create noise.
  • Monitor for registry changes that redirect Office template loading, especially when made by unexpected users or processes.
  • Correlate template or registry changes with later Office application startup and suspicious child process activity to improve confidence.
  • Review blind spots where macro telemetry is unavailable, Office template directories are excluded from endpoint monitoring, or registry auditing is not enabled.
  • Because no ATT&CK relationships or official detection logic are supplied, avoid assuming coverage from generic macro detections alone; validate this specific persistence path.
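As an added example (not part of the MITRE object or of Glexia's page), the correlation the Technical view and Detection direction describe, run over constructed Sysmon-style events: a write to Normal.dotm or Personal.xlsb by a non-Office process, or a change to GlobalDotName, followed on the same host within a time window by Word or Excel spawning a script or command interpreter. The event shape, the registry key layout, the interpreter list and the 30-minute window are assumptions; Office saving its own template is treated as baseline, which a real deployment should derive locally.

```python
import re
from datetime import datetime, timedelta

EVENTS = [  # constructed Sysmon-style events (sample data, not real telemetry)
    {"ts": "2024-05-01T09:00:02", "type": "file_write", "host": "ws01",
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"ts": "2024-05-01T09:01:10", "type": "process_create", "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-05-01T10:00:00", "type": "registry_set", "host": "ws02",
     "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Word\Options\GlobalDotName"},
    {"ts": "2024-05-01T13:30:00", "type": "process_create", "host": "ws02",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-01T11:00:00", "type": "file_write", "host": "ws03",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
]

TEMPLATE_RE = re.compile(r"\\(Normal\.dotm|Personal\.xlsb)$", re.I)
GLOBALDOTNAME_RE = re.compile(r"\\Word\\Options\\GlobalDotName$", re.I)  # assumed key layout
OFFICE_RE = re.compile(r"\\(WINWORD|EXCEL)\.EXE$", re.I)
INTERPRETER_RE = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta)\.exe$", re.I)
WINDOW = timedelta(minutes=30)  # assumed correlation window; tune to the environment

def is_setup(ev):
    """Template write or GlobalDotName change, excluding Office saving its own template (baseline)."""
    if ev["type"] == "file_write" and TEMPLATE_RE.search(ev["target"]):
        return not OFFICE_RE.search(ev["image"])
    if ev["type"] == "registry_set":
        return bool(GLOBALDOTNAME_RE.search(ev["target"]))
    return False

def is_office_spawn(ev):
    """Word or Excel starting a script or command interpreter."""
    return (ev["type"] == "process_create" and bool(OFFICE_RE.search(ev["parent"]))
            and bool(INTERPRETER_RE.search(ev["image"])))

def correlate(events, window=WINDOW):
    """Pair each setup event with a later Office spawn on the same host inside the window."""
    alerts = []
    for s in (e for e in events if is_setup(e)):
        s_ts = datetime.fromisoformat(s["ts"])
        for e in (e for e in events if is_office_spawn(e) and e["host"] == s["host"]):
            delta = datetime.fromisoformat(e["ts"]) - s_ts
            if timedelta(0) <= delta <= window:
                alerts.append((s["host"], s["target"], e["image"]))
    return alerts
```

With the sample data only ws01 alerts: ws02's interpreter launch falls outside the window, and ws03's template write comes from Word itself.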

Mitigation priorities

  • Establish and document approved Office macro and template policies for Windows endpoints.
  • Restrict unauthorized modification of shared or user Office template locations where operationally feasible.
  • Monitor and control registry settings that influence Office template loading paths.
  • Use endpoint hardening and least-privilege practices to reduce the ability of untrusted code or users to modify persistence-relevant template locations.
  • Include Office template and registry persistence checks in incident response playbooks and compliance evidence collection.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows and describes VBA macro injection into Office templates or redirection of Office template load paths for persistence. No tactics, relationships, aliases, labels, or official detection text were supplied, so this take emphasizes validation areas rather than a specific detection rule.

This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, actor attribution, prevalence, guaranteed detection coverage, or relevance to non-Windows platforms. Local Office configuration, endpoint logging, macro policy, and registry telemetry determine whether this behavior can be reliably detected.

Official MITRE ATT&CK definition

Analytic 1436

Adversaries inject VBA macros into Office templates such as Normal.dotm or Personal.xlsb or redirect Office template load path via registry key (GlobalDotName) to gain persistence. Template macros trigger execution of malicious code on application startup.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty)
Modified: (empty)
Raw hash: 62e8d801080065fc...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (empty)         | 1.0            | (empty)  | Current bundle | 62e8d8010800…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1436 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.