MITRE ATT&CK® Detection Strategy

DET0519: Detect Persistence via Office Template Macro Injection or Registry Hijack


Enterprise | DET0519 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because it is tied to persistence through Microsoft Office template macros, including cases where Office template behavior or related registry configuration may allow code to run when Office applications start. For leaders, the practical question is whether endpoint, Office, and registry monitoring can show when user productivity tooling is being converted into a persistence point after compromise.

Executive priority

Prioritize this as a resilience and incident-readiness check for Windows and Office environments referenced by the related ATT&CK technique. Persistence in commonly used business applications can complicate containment, user restoration, and audit confidence. Security leaders should ask whether SOC and IR teams can prove visibility into Office template changes, macro activity, and relevant registry modifications before an incident requires rapid scoping.

Technical view

The supplied detection strategy has no official MITRE detection text or platform list, but it is mapped as detecting ATT&CK technique T1137.001, Office Template Macros, which is associated with persistence on Office Suite and Windows. Detection engineering should validate whether monitoring exists for suspicious changes to Office base templates, macro-enabled template content, Office application startup behavior, and registry changes that affect Office template or macro execution. IR teams should treat confirmed template or registry persistence as a host-level persistence finding that requires a user, file, process, and registry timeline review.

Likely telemetry

  • Endpoint file creation and modification events for Microsoft Office template locations
  • Registry modification telemetry relevant to Office configuration and startup behavior
  • Office application process execution and child-process telemetry
  • Macro execution or Office security event telemetry where available
  • EDR file/process/registry timelines for affected Windows hosts

Detection direction

  • Confirm that telemetry covers the Office Suite and Windows context identified by the related technique, even though the detection-strategy object itself does not specify platforms.
  • Baseline legitimate Office template updates and administrative customization to reduce false positives.
  • Correlate template or registry changes with Office process starts, macro execution indicators, and unusual child processes rather than relying on a single event type.
  • Tune for persistence behavior: repeated execution after Office launch, changes to base templates, and registry modifications that alter Office startup or macro behavior.
  • Account for blind spots where endpoint tools do not collect file-content changes, macro telemetry, or detailed registry events.
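The correlation these bullets describe, as an added Python example that is not part of the Glexia page or the ATT&CK object: it parses a constructed endpoint event log, drops template and registry changes made by a baselined administrative account, and raises an alert only when a change is followed on the same host by an Office process start and then an unexpected child process of an Office application, rather than on any single event. The template path patterns, registry key prefix, benign child list, baseline account and the 24-hour window are assumptions to be replaced with locally validated values, as the analyst notes require.

```python
"""Stage-based correlation for Office template / registry persistence.

Added example; the event format, hosts, users and paths are constructed.
The watch lists below are assumptions to validate locally, not values taken
from the ATT&CK object.
"""
from datetime import datetime, timedelta
import fnmatch

# Assumed watch lists (validate locally; matched against lower-cased values).
TEMPLATE_GLOBS = (
    "*\\microsoft\\templates\\*.dot*",   # user template folder, e.g. Normal.dotm (assumed)
    "*\\microsoft\\word\\startup\\*",    # Word STARTUP folder (assumed)
)
REGISTRY_PREFIXES = ("hkcu\\software\\microsoft\\office\\",)  # assumed Office key scope
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}  # assumed benign children of Office
BASELINE_USERS = {"svc_officedeploy"}  # assumed administrative customization account
WINDOW = timedelta(hours=24)           # how long a change stays relevant for correlation


def parse_line(line):
    """Parse one pipe-delimited event: ts|host|user|kind|target|image|parent."""
    ts, host, user, kind, target, image, parent = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "kind": kind, "target": target, "image": image.lower(),
            "parent": parent.lower()}


def is_persistence_change(ev):
    """True for a template file or Office registry change by a non-baseline user."""
    if ev["user"].lower() in BASELINE_USERS:
        return False                       # baselined admin customization, not suspicious
    target = ev["target"].lower()
    if ev["kind"] == "file_modify":
        return any(fnmatch.fnmatch(target, g) for g in TEMPLATE_GLOBS)
    if ev["kind"] == "registry_set":
        return target.startswith(REGISTRY_PREFIXES)
    return False


def correlate(lines):
    """Return alerts where, on one host, a persistence change is followed by an
    Office process start and then an unexpected child of an Office process."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    pending = {}    # host -> persistence change events seen so far
    launched = {}   # host -> timestamps of Office starts after a pending change
    alerts = []
    for ev in events:
        host = ev["host"]
        if is_persistence_change(ev):
            pending.setdefault(host, []).append(ev)
            continue
        if ev["kind"] != "process_start":
            continue
        recent = [p for p in pending.get(host, []) if ev["ts"] - p["ts"] <= WINDOW]
        if not recent:
            continue   # no prior template/registry change on this host: ignore
        if ev["image"] in OFFICE_IMAGES:
            launched.setdefault(host, []).append(ev["ts"])
        elif ev["parent"] in OFFICE_IMAGES and ev["image"] not in EXPECTED_CHILDREN:
            change = recent[-1]
            # Alert only if an Office start sits between the change and this child.
            if any(change["ts"] <= t <= ev["ts"] for t in launched.get(host, [])):
                alerts.append({"host": host, "user": change["user"],
                               "change": change["target"], "child": ev["image"],
                               "ts": ev["ts"].isoformat()})
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_LOG = [
    "2026-03-02T09:00:00|WS01|alice|file_modify|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm||",
    "2026-03-02T09:05:00|WS01|alice|process_start||winword.exe|explorer.exe",
    "2026-03-02T09:05:30|WS01|alice|process_start||powershell.exe|winword.exe",
    "2026-03-02T10:00:00|WS02|svc_officedeploy|file_modify|C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm||",
    "2026-03-02T10:05:00|WS02|bob|process_start||winword.exe|explorer.exe",
    "2026-03-02T10:06:00|WS02|bob|process_start||splwow64.exe|winword.exe",
    "2026-03-02T11:00:00|WS03|carol|registry_set|HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Options||",
    "2026-03-02T11:02:00|WS03|carol|process_start||winword.exe|explorer.exe",
    "2026-03-02T11:03:00|WS03|carol|process_start||cmd.exe|winword.exe",
    "2026-03-02T12:00:00|WS04|dave|process_start||winword.exe|explorer.exe",
    "2026-03-02T12:00:10|WS04|dave|process_start||cmd.exe|winword.exe",  # no prior change
]


def run_sample():
    """Run the correlation over the constructed log; expect alerts for WS01 and WS03 only."""
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

WS02 is suppressed by the baseline account, and WS04 by the absence of any prior template or registry change, which is the point of requiring all three stages; the blind spot the last bullet names shows up directly here, since a host whose EDR does not report template file writes or registry sets never enters `pending` and can never alert.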

Mitigation priorities

  • Start with visibility: ensure endpoint logging captures file, process, and registry activity around Office usage on Windows systems.
  • Harden Office macro and template handling according to organizational policy, especially for users and systems with elevated business risk.
  • Restrict unauthorized changes to shared or base Office templates where operationally feasible.
  • Include Office template and registry persistence checks in incident response playbooks and endpoint triage procedures.
  • Use compliance evidence to demonstrate that macro governance, endpoint monitoring, and persistence hunting are tested rather than assumed.

Analyst notes and limits

This Glexia take is based on a sparse ATT&CK detection-strategy object. The decision value comes primarily from the stated relationship to T1137.001, Office Template Macros, and the supplied object name referencing Office template macro injection or registry hijack. Local validation is required to determine exact template paths, registry keys, macro policy controls, and telemetry availability.

MITRE supplied no official description, official detection logic, tactics, or platforms for the detection-strategy object itself. The related technique provides the supported persistence, Office Suite, and Windows context. No claim is made that this strategy guarantees detection or that any specific adversary is using it.

Official MITRE ATT&CK definition

Detect Persistence via Office Template Macro Injection or Registry Hijack

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                    Relationship / procedure
Enterprise  T1137.001  Office Template Macros  Sub-technique: this object detects Office Template Macros.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank)
Modified: (blank)
Raw hash: daeea2ad7f3d8b9c...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (blank)          1.0             (blank)   Current bundle  daeea2ad7f3d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0519 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.