Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1137 | Office Application Startup | |
| AC-17 | Remote Access | mitigates | T1137 | Office Application Startup | |
| SC-44 | Detonation Chambers | mitigates | T1137 | Office Application Startup | |
| SI-08 | Spam Protection | mitigates | T1137 | Office Application Startup | |
| SC-18 | Mobile Code | mitigates | T1137 | Office Application Startup | |
| SI-02 | Flaw Remediation | mitigates | T1137 | Office Application Startup | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1137 | Office Application Startup | |
| CM-08 | System Component Inventory | mitigates | T1137 | Office Application Startup | |
| SI-03 | Malicious Code Protection | mitigates | T1137 | Office Application Startup | |
| CM-02 | Baseline Configuration | mitigates | T1137 | Office Application Startup | |
| SI-04 | System Monitoring | mitigates | T1137 | Office Application Startup | |
| AC-10 | Concurrent Session Control | mitigates | T1137 | Office Application Startup | |
| AC-06 | Least Privilege | mitigates | T1137 | Office Application Startup |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137 | Office Application Startup |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_ids | Cloud IDS | technique_scores | T1137 | Office Application Startup |
Comments
Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office files (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX).
Although there are ways an attacker could modify the signature and deliver a malicious office file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
|
| google_secops | Google Security Operations | technique_scores | T1137 | Office Application Startup |
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes, for example: command line executable started from Microsoft's Office-based applications.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1137.006 | Add-ins | 7 |
| T1137.005 | Outlook Rules | 8 |
| T1137.001 | Office Template Macros | 13 |
| T1137.003 | Outlook Forms | 8 |
| T1137.004 | Outlook Home Page | 8 |
| T1137.002 | Office Test | 11 |