AN1564: Analytic 1564
Detection of Office or document viewer processes (e.g., winword.exe) initiating network connections to remote templates or executing scripts due to manipulated template references (e.g., embedded in .docx, .rtf, or .dotm files), followed by suspicious child process creation (e.g., PowerShell).
Analyst context for executives and security teams
This analytic is about spotting Windows Office or document-viewer activity that reaches out to remote template locations or triggers script execution, then spawns suspicious child processes such as PowerShell. For leaders, the value is not the document format itself; it is whether the organization can recognize when trusted productivity tools become the starting point for abnormal network and process activity.
Executive priority
Prioritize this as a validation point for endpoint visibility and SOC readiness on Windows workstations. It helps answer whether security teams can connect document-opening activity, outbound network access, and follow-on process creation into one incident decision. This is relevant to business continuity because productivity applications are widely used and often allowed through normal controls, making weak telemetry or fragmented alerting a material blind spot.
Technical view
Validate coverage for Windows Office or document viewer processes such as winword.exe initiating network connections to remote template references in documents such as .docx, .rtf, or .dotm, followed by suspicious child process creation such as PowerShell. Because the official ATT&CK object does not provide a separate detection query or tactic mapping, detection engineering should focus on correlation logic across parent process, network destination, command/script execution, and document context rather than treating any single event as conclusive.
Likely telemetry
- Endpoint process creation events with parent-child relationships
- Command-line and script execution telemetry, especially PowerShell child processes
- Network connection telemetry from Office or document viewer processes
- File/document context where available, including document type such as .docx, .rtf, or .dotm
- Alert enrichment showing process image names, user, host, destination, and timing
Detection direction
- Correlate Office or document viewer network connections to remote template locations with near-time suspicious child process creation.
- Tune for known business workflows that legitimately use remote templates or document automation to reduce false positives.
- Validate that endpoint telemetry preserves parent process lineage from document viewer to script interpreter or other child process.
- Review whether network controls and logs can identify outbound connections initiated directly by Office/document viewer processes, not only browser traffic.
- Treat PowerShell spawned from document viewers as high-priority triage context, while confirming command details and user activity before escalation.
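One way to express the correlation the items above describe, as an added example that is not code from the ATT&CK object or from Glexia: it joins outbound connections attributed to Office processes with script-interpreter children spawned by the same process within a short window, and skips destinations on a hypothetical allowlist of sanctioned template hosts so that known business workflows do not alert. Event shapes, image lists, hostnames and the sample events are all constructed assumptions.

```python
# Added example (not the ATT&CK object's or Glexia's code): correlate Office network connections with near-time script-interpreter children.
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Hypothetical allowlist of hosts that serve sanctioned corporate templates (local tuning knob).
KNOWN_TEMPLATE_HOSTS = {"templates.corp.example"}

@dataclass
class ProcEvent:      # endpoint process-creation record with parent lineage preserved
    ts: datetime; host: str; pid: int; ppid: int; image: str; cmdline: str

@dataclass
class NetEvent:       # outbound connection attributed to the initiating process
    ts: datetime; host: str; pid: int; image: str; dest: str

def correlate(procs, nets, window=timedelta(seconds=120)):
    """One finding per script interpreter spawned by an Office process within
    `window` after that same process connected to a non-allowlisted destination."""
    findings = []
    for n in nets:
        if n.image.lower() not in OFFICE_IMAGES or n.dest.lower() in KNOWN_TEMPLATE_HOSTS:
            continue
        for p in procs:
            if (p.host == n.host and p.ppid == n.pid
                    and p.image.lower() in SCRIPT_IMAGES
                    and n.ts <= p.ts <= n.ts + window):
                findings.append({"host": n.host, "parent": n.image, "dest": n.dest,
                                 "child": p.image, "cmdline": p.cmdline,
                                 "delta_s": (p.ts - n.ts).total_seconds()})
    return findings

# Constructed sample telemetry: one suspicious chain (WS01), one sanctioned template workflow (WS02), one benign Office child.
T0 = datetime(2026, 1, 15, 9, 30, 0)
SAMPLE_NETS = [
    NetEvent(T0, "WS01", 4120, "winword.exe", "203.0.113.10"),
    NetEvent(T0 + timedelta(minutes=5), "WS02", 5200, "winword.exe", "templates.corp.example"),
]
SAMPLE_PROCS = [
    ProcEvent(T0 + timedelta(seconds=30), "WS01", 4388, 4120, "powershell.exe",
              'powershell.exe -NoProfile -WindowStyle Hidden -c "<constructed sample>"'),
    ProcEvent(T0 + timedelta(minutes=5, seconds=20), "WS02", 5311, 5200, "powershell.exe",
              "powershell.exe -File C:\\Tools\\merge.ps1"),
    ProcEvent(T0 + timedelta(minutes=10), "WS01", 4500, 4120, "splwow64.exe", "splwow64.exe"),
]

def demo():
    return correlate(SAMPLE_PROCS, SAMPLE_NETS)
```

The finding carries host, parent, destination, child image and command line together, which is the enrichment the triage items above ask for; a real pipeline would pull the two event streams from the EDR or Sysmon feed instead of the constructed lists.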
Mitigation priorities
- Ensure Windows endpoint monitoring captures process creation, parent-child lineage, command line, and network activity for Office/document viewer processes.
- Restrict or govern document template and macro-enabled workflows according to business need, with exceptions documented and reviewed.
- Harden script execution controls and logging so child process activity from document viewers is visible and reviewable.
- Use SOC playbooks that combine host, user, document, network destination, and script context for triage.
- Maintain audit evidence showing that document-driven process and network behaviors are monitored where these applications are in use.
Analyst notes and limits
This take is based on ATT&CK analytic AN1564 and its supplied description. The object is a detection analytic for Windows and has no supplied tactic mapping, relationship context, aliases, labels, or standalone official detection logic. Local baselining is important because some organizations may legitimately use remote templates or document automation.
The supplied ATT&CK fields do not support claims about active exploitation, threat actor attribution, prevalence, specific malware, guaranteed detection, or non-Windows platforms. The official detection field is not provided, so implementation details must be developed and validated against local telemetry and business workflows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1389125b05d2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.