Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
References
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
PR.PS-01.02 | Least functionality | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
PR.PS-02.01 | Patch identification and application | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, Microsoft has released several patches to help address leveraging of Microsoft Office-based applications for persistence between startups.
References
|
PR.PS-01.03 | Configuration deviation | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides protection from Office Application Startup through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of Office software and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
PR.PS-05.02 | Mobile code prevention | Mitigates | T1137 | Office Application Startup |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1137 | Office Application Startup | |
AC-17 | Remote Access | mitigates | T1137 | Office Application Startup | |
SC-44 | Detonation Chambers | mitigates | T1137 | Office Application Startup | |
SI-08 | Spam Protection | mitigates | T1137 | Office Application Startup | |
SC-18 | Mobile Code | mitigates | T1137 | Office Application Startup | |
SI-02 | Flaw Remediation | mitigates | T1137 | Office Application Startup | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1137 | Office Application Startup | |
CM-08 | System Component Inventory | mitigates | T1137 | Office Application Startup | |
SI-03 | Malicious Code Protection | mitigates | T1137 | Office Application Startup | |
CM-02 | Baseline Configuration | mitigates | T1137 | Office Application Startup | |
SI-04 | System Monitoring | mitigates | T1137 | Office Application Startup | |
AC-10 | Concurrent Session Control | mitigates | T1137 | Office Application Startup | |
AC-06 | Least Privilege | mitigates | T1137 | Office Application Startup |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137 | Office Application Startup |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1137 | Office Application Startup |
Comments
This control only provides minimal to partial coverage for a minority of this technique's
sub-techniques and does not address all of its procedures, resulting in an overall score
of Minimal.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1137 | Office Application Startup |
Comments
This control can detect peristence via office application startup.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ids | Cloud IDS | technique_scores | T1137 | Office Application Startup |
Comments
Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office files (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX).
Although there are ways an attacker could modify the signature and deliver a malicious office file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
|
google_secops | Google Security Operations | technique_scores | T1137 | Office Application Startup |
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes, for example: command line executable started from Microsoft's Office-based applications.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-SSCO-E3 | Secure Score | Technique Scores | T1137 | Office Application Startup |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1137 | Office Application Startup |
Comments
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.
Required licenses
E5 or Microsoft Defender for Office 365 Plan 2 licenses.
References
|
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1137.006 | Add-ins | 9 |
T1137.005 | Outlook Rules | 12 |
T1137.001 | Office Template Macros | 14 |
T1137.003 | Outlook Forms | 11 |
T1137.004 | Outlook Home Page | 11 |
T1137.002 | Office Test | 16 |