1. Home
  2. ATT&CK Techniques
  3. T1137 Office Application Startup

T1137 Office Application Startup Mappings

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

View in MITRE ATT&CK®

VERIS Mappings

Loading, please wait
Capability ID
Capability Description
Mapping Type
ATT&CK ID
ATT&CK Name
Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137 Office Application Startup
Showing 1 to 1 of 1 rows

GCP Mappings

Loading, please wait
Capability ID
Capability Description
Mapping Type
ATT&CK ID
ATT&CK Name
Notes
cloud_ids Cloud IDS technique_scores T1137 Office Application Startup
Comments
Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office files (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX). Although there are ways an attacker could modify the signature and deliver a malicious office file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
  1. ['https://cloud.google.com/intrusion-detection-system'
  2. 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']
google_secops Google Security Operations technique_scores T1137 Office Application Startup
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes, for example: command line executable started from Microsoft's Office-based applications. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']
Showing 1 to 2 of 2 rows

ATT&CK Subtechniques

Loading, please wait
Technique ID
Technique Name
Number of Mappings
T1137.006 Add-ins 1
T1137.005 Outlook Rules 1
T1137.001 Office Template Macros 3
T1137.003 Outlook Forms 1
T1137.004 Outlook Home Page 1
T1137.002 Office Test 1
Showing 1 to 6 of 6 rows