Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-10 | Concurrent Session Control | Protects | T1137 | Office Application Startup | |
| AC-17 | Remote Access | Protects | T1137 | Office Application Startup | |
| AC-06 | Least Privilege | Protects | T1137 | Office Application Startup | |
| CM-02 | Baseline Configuration | Protects | T1137 | Office Application Startup | |
| CM-06 | Configuration Settings | Protects | T1137 | Office Application Startup | |
| CM-08 | System Component Inventory | Protects | T1137 | Office Application Startup | |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1137 | Office Application Startup | |
| SC-18 | Mobile Code | Protects | T1137 | Office Application Startup | |
| SC-44 | Detonation Chambers | Protects | T1137 | Office Application Startup | |
| SI-02 | Flaw Remediation | Protects | T1137 | Office Application Startup | |
| SI-03 | Malicious Code Protection | Protects | T1137 | Office Application Startup | |
| SI-04 | System Monitoring | Protects | T1137 | Office Application Startup | |
| SI-08 | Spam Protection | Protects | T1137 | Office Application Startup | |
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1137 | Office Application Startup |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1137 | Office Application Startup |
Comments
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.
Required licenses
E5 or Microsoft Defender for Office 365 Plan 2 licenses.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1137.006 | Add-ins | 6 |
| T1137.005 | Outlook Rules | 7 |
| T1137.001 | Office Template Macros | 10 |
| T1137.003 | Outlook Forms | 7 |
| T1137.004 | Outlook Home Page | 7 |
| T1137.002 | Office Test | 10 |