  • T5-25–01–S–E–CL
  • MS Office (DOCX) External File Download

    The MS Office (DOCX) External File Download attack is a technique that abuses the external resource loading functionality of Microsoft Word documents.
    Attackers embed references to external resources inside a DOCX file so that, when a victim opens the document, Microsoft Word automatically attempts to connect to and retrieve content from an attacker-controlled server.
    During this process, sensitive information may be unintentionally exposed, including the victim’s IP address, internal network details, and, in certain environments, authentication data such as NTLM hashes.
    This technique is commonly used as an initial access and reconnaissance method in targeted attacks.

    Typical Attack Flow:

    1. The attacker creates or modifies a DOCX file to embed malicious external resource references.
    2. Relationship files (such as document.xml.rels) are manipulated to point to attacker-controlled URLs.
    3. Components such as remote templates, external images, or linked objects are configured to load content from external servers.
    4. When the victim opens the document, Microsoft Word automatically sends outbound requests to the attacker’s server.
    5. The attacker’s server captures network metadata and, in some environments, authentication attempts.
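    A defender-side check for the relationship manipulation described in steps 2 and 3, added here as an example that is not part of the dataset's PoC: it opens a DOCX as a ZIP, walks every .rels part, and reports relationships whose TargetMode is External and whose type makes Word fetch the target on open (remote template, linked image, linked OLE object, frame), while ignoring plain hyperlinks that only fire on a click. The minimal sample package, the relationship-type list and the .invalid host are constructed assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that Word resolves automatically when the document opens
# (assumption: this set covers the components named in the attack flow; extend it
# for other auto-loading parts). Hyperlinks are deliberately not in the set.
AUTO_LOAD_TYPES = {
    REL_NS + "attachedTemplate",  # remote template, lives in settings.xml.rels
    REL_NS + "image",             # externally linked picture
    REL_NS + "oleObject",         # linked OLE object
    REL_NS + "frame",             # framed external document
}
REMOTE_TARGET = re.compile(r"^(https?://|file:|\\\\)", re.I)  # URL or UNC path

def find_external_relationships(docx_bytes):
    """Return (rels_part, relationship_kind, target) for each relationship that
    would make Word contact a remote host as soon as the file is opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                rel_type, target = rel.get("Type", ""), rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel_type in AUTO_LOAD_TYPES
                        and REMOTE_TARGET.match(target)):
                    findings.append((name, rel_type.rsplit("/", 1)[-1], target))
    return findings

def build_sample_docx():
    """Constructed minimal package: only the relationship parts matter for the
    scan. The template host is a placeholder (.invalid TLD), not a real server."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%sattachedTemplate" '
            'Target="http://template-host.invalid/t.dotm" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="%sstyles" Target="styles.xml"/>'
            '</Relationships>') % (PKG_NS, REL_NS, REL_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/_rels/document.xml.rels", '<Relationships xmlns="%s"/>' % PKG_NS)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in find_external_relationships(build_sample_docx()):
        print("%s: external %s -> %s" % (part, kind, target))
```

    On the dataset's own samples, run the function over each DOCX and treat any finding as a reason to correlate with the outbound requests recorded in the victim's event logs.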


  • Environment
    Host      OS                 IP              Software   Log collection time   Program runtime
    Attacker  Ubuntu 22.04       192.168.56.105  -          120 sec               140 sec
    Victim    Windows 10 (1903)  192.168.56.104  -

  • Installation
  • python3 -m pip install -r requirements.txt

  • Usage
  • ※ The PoC is not fully stable and may cause intermittent remote connection failures.

    python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2025_01_T5_{time}.evtx   ({time} is formatted as YYmmdd_HHMMSS)



  • Copyright(C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.