{
	"id": "e928ea42-6055-4fe3-aa58-0024880fbdcf",
	"created_at": "2026-04-06T00:09:58.507497Z",
	"updated_at": "2026-04-10T03:20:49.628903Z",
	"deleted_at": null,
	"sha1_hash": "3abd8934680f4cae7dbe0517b31c3863547eefb0",
	"title": "Template Injection Attacks - Bypassing Security Controls by Living off the Land",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31175,
	"plain_text": "Template Injection Attacks - Bypassing Security Controls by\r\nLiving off the Land\r\nBy Created by:Brian Wiltse\r\nArchived: 2026-04-05 15:41:49 UTC\r\nAs adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company\r\nsoftware instead of a virus or other malwareRut15, their tactics techniques and procedures (TTPs) often leverage\r\nprograms and features in target environments that are normal and expected. The adversaries leverage these\r\nfeatures in a way that enables them to bypass security controls to complete their objective. In May of 2017, a\r\nsuspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack\r\nto harvest credentials, or gain access to end users computers at a US power plant operator, Wolf Creek Nuclear\r\nOperating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked\r\nlike against this target, and assess their ability to bypass security controls.\r\nSource: https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780\r\nhttps://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780"
	],
	"report_names": [
		"template-injection-attacks-bypassing-security-controls-living-land-38780"
	],
	"threat_actors": [],
	"ts_created_at": 1775434198,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3abd8934680f4cae7dbe0517b31c3863547eefb0.pdf",
		"text": "https://archive.orkl.eu/3abd8934680f4cae7dbe0517b31c3863547eefb0.txt",
		"img": "https://archive.orkl.eu/3abd8934680f4cae7dbe0517b31c3863547eefb0.jpg"
	}
}