{
	"id": "7491c77c-61de-42c3-a838-c9fd9775e493",
	"created_at": "2026-04-06T00:12:03.226776Z",
	"updated_at": "2026-04-10T03:34:22.658906Z",
	"deleted_at": null,
	"sha1_hash": "5886d61bc63aff5834a03f06b6b7c5bac8b5aa8b",
	"title": "Office Templates and GlobalDotName - A Stealthy Office Persistence Technique | 0xShukruN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118379,
	"plain_text": "Office Templates and GlobalDotName - A Stealthy Office\r\nPersistence Technique | 0xShukruN\r\nPublished: 2022-10-12 · Archived: 2026-04-02 10:45:00 UTC\r\n1. Blogs\r\n🔍Office Templates and GlobalDotName - A Stealthy Office Persistence Technique\r\nA few weeks back, I was researching various adversarial techniques, when a couple of minutes into the research of\r\nT1137 (Office Application Startup), there appeared to be a\r\nyet-to-be-documented capability that can be leveraged by adversaries using this technique.\r\nI also noticed there isn't a lot of in-depth information about some of the techniques presented in T1137\r\n, such a the \"Normal Template\" technique, even though\r\nplenty of well known threat actors like \"MuddyWater \"\r\nleverage this technique, so I decided to shed some light about it and some of Word's inner workingarming a\r\ntemplate file ws.\r\nhttps://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique\r\nPage 1 of 8\n\nWhen researching adversarial techniques, I start by examining the MITRE ATT\u0026CK Post-Exploitation matrix\r\n to check the technique's existence, and gather additional\r\ninformation if exists on the web.\r\nSo at one point, I decided to research T1137 a.k.a \"Office\r\nApplication Startup\".\r\nT1137 documented multiple implementations for achieving\r\npersistence in Microsoft Office application startup such as \"Office Test\" key, Add-ins, Templates, Rules \u0026 Home\r\npages(Outlook), etc.\r\nBut today we're here to talk about Office Templates; Office Templates will eventually allow us to execute code on\r\neach application startup, even on macro-free documents! 
(.docx, .pptx, etc.).\r\nHow Does this Technique Work?\r\nIt's relatively simple: every Office application uses some form of a template. If we take Microsoft Office\r\nWord for example, when executed, it loads its \"Normal Template\",\r\nwhich contains default styles and customizations that\r\ndetermine the basic look of a document, and even active content such as macros.\r\nBy replacing the \"Normal Template\" of Word with an armed version of our own that contains VBA for example,\r\nwe can achieve persistent code execution on the machine since the template will load each time a document is\r\nopened.\r\nLater in this article, I will demonstrate how to arm your template, and how to make this technique even stealthier\r\nby using a custom template. We can define a custom template by using Word's UI or by editing the registry value\r\n\"GlobalDotName\" which we will learn about shortly.\r\nOne extremely cool thing about this technique is that the armed template VBA code will be executed even when\r\nmacro-free documents are executed! (.docx, .pptx, etc.)\r\nAll Microsoft Office applications use templates, but for the sake of this article, we'll focus on Microsoft Office\r\nWord. 
Word's default template file is named Normal.dot / Normal.dotm; it is also referred to as the \"Normal\r\nTemplate\".\r\nThe \"Normal Template\" is a file that contains default styles and customizations that determine the basic look of a\r\ndocument, and even active content such as macros.\r\nIn older versions of Word (Word 2003 and below), Microsoft used a binary format, and in Word 2007, Microsoft\r\nchanged its format to an XML-based format, hence the different extensions .dot/.dotx/.dotm.\r\nThe .dotm extension signifies that the \"Normal Template\" is a macro-enabled template, which will come in handy\r\nlater in this article ;).\r\nThe \"Normal Template\" is similar to other template files, aside from it being the default built-in template of Word,\r\nand some features which are not available in ordinary non-default templates.\r\nWord cannot open documents without a template, nor can it create new ones without it, which is why Word has a\r\nbuilt-in \"Normal Template\" that is re-created if Word can't find a template to use, or if the current template\r\nis corrupted or malformed.\r\nThe default \"Normal Template\" is most commonly found in the User Templates folder, which is located at:\r\n%appdata%\\Microsoft\\Templates\\\r\nHowever, this is not the only place Word searches for the \"Normal Template\". 
I examined Word's activity when\r\nexecuted and I found two locations that Word searches for the templates: one is Word's program folder, the other is\r\nthe default location for the \"Normal Template\".\r\nI did some googling and found an amazingly in-depth article by Tony Jollans,\r\nMicrosoft Word MVP, which mentioned another location\r\nthat Word searches, which is actually a registry value that points to a network-shared template.\r\nBelow is a list of the template's possible locations and their corresponding search order.\r\n1. Word's Program folder\r\n2. User Templates location\r\n3. Workgroup Templates location\r\n4. GlobalDotName Registry key*\r\n*Will be detailed further down this article.\r\nWord searches for the \"Normal Template\" in Word's Program folder, which differs across operating system\r\nversions as well as Microsoft Office versions; you may find it in the following locations:\r\nC:\\Program Files\\Microsoft Office\\Office\u003cversion number\u003e\r\nC:\\Program Files\\Microsoft Office\\root\\Office\u003cversion number\u003e\r\nYou can find out Word's Program path through its GUI or via the registry value (\"vv.0\" is a placeholder for the version\r\nnumber):\r\nHKCU\\Software\\Microsoft\\Office\\vv.0\\Word\\Options\\PROGRAMDIR\r\nThe \"Normal Template\" is rarely located at Word's program location; still, you should be aware of this location.\r\nIf Word can't find the \"Normal Template\" at Word's Program location, it will attempt to find it at the User Templates\r\nlocation, whose default is:\r\n%appdata%\\Microsoft\\Templates\\\r\nIf by any chance that location has been changed, you can discover the updated User Templates location by\r\nquerying the following registry value:\r\nHKCU\\Software\\Microsoft\\Office\\vv.0\\Common\\General\\UserTemplates\r\nWorkgroup Templates 
location\r\nFinally, there is the Workgroup template; this option is available for sharing templates over the network and\r\ndoesn't have any default value. If it is configured, you can find the template's location in the following path:\r\nHKCU\\Software\\Microsoft\\Office\\vv.0\\Common\\General\\SharedTemplates\r\nWhen all else fails, and Word cannot find its template, it generates a new one, which is built into Word.\r\nSo far we've learned that:\r\nWord uses a default template called Normal.dot / Normal.dotm which can be found in a variety of locations\r\nand is loaded with each document's execution.\r\nThe template can contain VBA code which will be loaded when a document is executed, even if it is a macro-free document.\r\nWhat if I don't want to call my malicious template Normal.dotm?\r\nWhat if I want to give it an arbitrary name?\r\nOr an arbitrary extension?\r\nAnd how about placing it in a location of my choosing?\r\nGain stealthiness with GlobalDotName\r\nGlobalDotName is a registry value that, when used, tells Word the location of a custom \"Normal Template\" of our\r\nchoosing and provides us with a huge amount of flexibility.\r\nThis value can be found at:\r\nHKCU\\software\\microsoft\\office\\vv.v\\word\\options\\GlobalDotName\r\nHow to set it up?\r\n1. Create the \"GlobalDotName\" value in the relevant key\r\n2. In the value's data, input your path+filename+extension (optional)\r\nGlobalDotName Highlights:\r\nTakes priority over every other Normal template\r\nUse any location you want\r\nUse almost any name/extension you want, they don't have to mean anything, yes, even the extension can be\r\ntotal nonsense. 
DO NOT, however, choose any extension meaningful to Word aside from the macro-enabled\r\ntemplate (.dotm), which is not to be confused with the macro-enabled document (.docm)\r\nWell, you actually don't even have to choose an extension, it'll work anyway without it\r\nYou can use relative paths\r\nYou can also use environment variables by using a REG_EXPAND_SZ value\r\nArming a template file with VBA\r\n1. Open a new document in Word.\r\n2. Add the \"Developer\" tab, File -\u003e Options:\r\n3. Make sure to create your macro in the current document:\r\nThis macro will pop a message box\r\n4. Once you write your macro, save the document as Normal.dotm (since we are not using GlobalDotName here):\r\n5. Now, before we implement the GlobalDotName key and additional important steps (such as setting Trust for our\r\ntemplate), let's drop it in the User Templates folder and execute test.docx, which is a normal macro-free document.\r\nModified Normal Template\r\n6. And there we have it, a .docx document is opened and executes the macro from the template we just planted.\r\nBeginning with Word 2007, Microsoft introduced a concept of \"Trust\" to improve its security and\r\nprotect its users from unauthorized code running without their knowledge.\r\nTo be able to execute macros without the security warning popping up, you need to either disable the\r\n\"VBAWarning\" value in the registry, or add \"Trust\" to the relevant document by registering it as a\r\n\"Trusted Document\" or placing it in a \"Trusted Location\".\r\nLuckily, we can control all of these options by editing some registry keys \u0026 values. 
Here are the relevant key \u0026\r\nvalue locations:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarning\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Documents\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations\\\u003ckey_name_of_location\u003e\\\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations\\\u003ckey_name_of_location\u003e\\Path\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations\\\u003ckey_name_of_location\u003e\\AllowSubFolders\r\nIn this case I will utilize the \"Trusted Locations\" key to set Trust for a certain location, which means the\r\n\"VBAWarning\" value and the \"Trusted Documents\" key are not needed for this proof of concept.\r\nSetting up the persistence\r\nOpen Word, create a new document, insert your macro into it and save it as a macro-enabled template file\r\n(.dotm) in the location you would point GlobalDotName to.\r\nChange the name \u0026 extension according to the rules we've established before and add the relevant path to\r\nthe GlobalDotName value.\r\nCreate a key nested within the \"Trusted Locations\" key; inside the new key, create a value named \"Path\"\r\nand place the path to the template file.\r\n(Optional) - A cool value that can make the directory you specified and all of its sub-directories trusted is\r\n\"AllowSubFolders\"; this value is binary, so activating it requires creating a DWORD value with its\r\ndata equal to 1:\r\nIt is possible to set the \"C:\\\" drive as a location and allow sub-folders, therefore making the entire disk 
trusted,\r\nwhich means no macro alerts whatsoever.\r\nLet's execute a normal macro-free document from the desktop and see what happens\r\nSuccess :)\r\nYou must create the \"Trusted Location\" key and place the relevant path value to the template's location before any\r\ndocument is executed. Otherwise the document execution will result in an error and the deletion of the crafted\r\ntemplate. After the deletion, Word will re-create the \"Normal Template\" from its defaults and place it in the location\r\nwhich GlobalDotName points to.\r\nThe usage of templates as a means of persistence is leveraged by multiple threat actors and has been spotted in the\r\nwild before.\r\nHaving said that, I have yet to encounter the usage of GlobalDotName, which provides a somewhat stealthier\r\nimplementation of this technique.\r\nI highly recommend visiting the technique page on MITRE ATT\u0026CK,\r\nwhich documents some of the threat actors that leverage\r\nthis technique in addition to links to various reports that present its usage.\r\nI want to extend my appreciation to Tony Jollans, Microsoft Word MVP, and an amazing researcher, who\r\npublishes tons of \"Word Internals\" material on his website,\r\nwordarticles.com. His articles helped me immensely during\r\nmy research.\r\nIf you discovered any mistakes or inaccuracies, please contact me :)\r\nSource: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique"
	],
	"report_names": [
		"office-templates-and-globaldotname-a-stealthy-office-persistence-technique"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5886d61bc63aff5834a03f06b6b7c5bac8b5aa8b.pdf",
		"text": "https://archive.orkl.eu/5886d61bc63aff5834a03f06b6b7c5bac8b5aa8b.txt",
		"img": "https://archive.orkl.eu/5886d61bc63aff5834a03f06b6b7c5bac8b5aa8b.jpg"
	}
}