// soc investigation 2026-05-30
SOC312 Unauthorized Template Modification Detected
letsdefend High closed ✓ true positive
mitre/T1110-003 mitre/T1078 mitre/T1059-001 mitre/T1027 mitre/T1071-001 mitre/T1016 mitre/T1087 mitre/T1057 140-Ubuntu
analyst verdict TRUE POSITIVE

🔍 What

Unauthorized modification of Normal.dotm (Word’s default global template) on host Jonah. The attacker gained initial access through a password spray attack, compromised the LetsDefend account, and used obfuscated PowerShell to embed a macro-based backdoor into the template. Extraction of the modified Normal.dotm revealed a vbaproject.bin containing a VBA macro with a hardcoded C2 callback URL matching the domain the attacker pinged during enumeration — confirming active C2 staging. Every subsequent Word document opened by the user would trigger the payload.

📅 When

| Timestamp | Event |
|---|---|
| Aug 14, 2024, 01:19 PM | Password spray detected against multiple usernames |
| Aug 14, 2024, 01:27 PM | Successful login — account: LetsDefend |
| Aug 14, 2024, 01:31 PM | Normal.dotm modification alert triggered |
| Aug 14, 2024, 04:27–04:32 PM | Enumeration commands and obfuscated PS execution |

🖥️ Where

👤 Who

❓ Why

The attacker modified Normal.dotm to establish persistent, fileless-style macro-based C2. Because Normal.dotm is loaded by Word on every launch, the embedded VBA payload provides reliable persistence without needing to drop additional executables — a low-noise, high-value persistence mechanism.
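A triage check for the mechanism described above, added here as an example and not part of the case notes: a .dotm is an OOXML zip, and a default Normal.dotm has no `word/vbaProject.bin` part, so its presence (plus any plaintext callback URL in the raw bytes) is the first thing to confirm when a template modification alert fires. The sample template, the `triage_template` / `build_sample` / `defang` names and the callback URL are all constructed for the demo.

```python
import hashlib
import io
import re
import zipfile

VBA_PART = "word/vbaProject.bin"          # macro storage inside a .dotm/.docm
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/:%?=&]+")


def triage_template(dotm_bytes: bytes) -> dict:
    """Report whether a .dotm carries a VBA project, its SHA-256 and any
    plaintext URLs found in its raw bytes (assumed helper, not Word API)."""
    finding = {"has_vba": False, "vba_sha256": None, "urls": []}
    with zipfile.ZipFile(io.BytesIO(dotm_bytes)) as z:
        if VBA_PART not in z.namelist():
            return finding            # clean Normal.dotm: no macro part at all
        vba = z.read(VBA_PART)
    finding["has_vba"] = True
    finding["vba_sha256"] = hashlib.sha256(vba).hexdigest()
    # Real VBA module streams are MS-OVBA compressed, so a raw string scan only
    # sees what was left uncompressed; use olevba for a full source extraction.
    finding["urls"] = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(vba)})
    return finding


def defang(url: str) -> str:
    """Render a URL in the hxxp[://]host[.]tld style used in the IOC table."""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal .dotm-like zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE header magic, padding, then a placeholder callback URL in the clear
            blob = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
            blob += b"http://c2.example.invalid/beacon" + b"\x00"
            z.writestr(VBA_PART, blob)
    return buf.getvalue()


if __name__ == "__main__":
    f = triage_template(build_sample(with_macro=True))
    print("VBA project present:", f["has_vba"], "sha256:", f["vba_sha256"])
    print("URLs:", [defang(u) for u in f["urls"]])
```

On a live host, read the user's `Normal.dotm` from the Templates folder instead of `build_sample`, and compare the SHA-256 against the copy extracted during the investigation.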

🧩 MITRE ATT&CK

| Technique ID | Tactic | Technique |
|---|---|---|
| T1110.003 | Credential Access | Password Spraying |
| T1078 | Defense Evasion / Initial Access | Valid Accounts |
| T1059.001 | Execution | PowerShell |
| T1027 | Defense Evasion | Obfuscated Files or Information |
| T1137.001 | Persistence | Office Template Macros |
| T1071.001 | Command and Control | Web Protocols |
| T1016 | Discovery | System Network Configuration Discovery |
| T1087 | Discovery | Account Discovery |
| T1057 | Discovery | Process Discovery |

🚨 IOCs

| Type | Value |
|---|---|
| IP | 181[.]214[.]131[.]108 |
| Host IP | 172[.]16[.]17[.]110 |
| Domain | hxxp[://]hdev[.]ciaffa[.]net |
| File | Normal[.]dotm |
| File | vbaproject[.]bin |

🔬 Analysis Reports

🦠 AbuseIPDB: https://www.abuseipdb.com/check/181.214.131.108?page=2