1. Home
  2. ATT&CK Techniques
  3. T1137 Office Application Startup

T1137 Office Application Startup

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-06.06 Vulnerability remediation Mitigates T1137 Office Application Startup
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
References
    PR.PS-01.01 Configuration baselines Mitigates T1137 Office Application Startup
    Comments
    This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
    References
      PR.PS-01.02 Least functionality Mitigates T1137 Office Application Startup
      Comments
      This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
      References
        PR.PS-02.01 Patch identification and application Mitigates T1137 Office Application Startup
        Comments
        This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, Microsoft has released several patches to help address leveraging of Microsoft Office-based applications for persistence between startups.
        References
          PR.PS-01.03 Configuration deviation Mitigates T1137 Office Application Startup
          Comments
          This diagnostic statement provides protection from Office Application Startup through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of Office software and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
          References
            PR.PS-05.02 Mobile code prevention Mitigates T1137 Office Application Startup
            Comments
            Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
            References

              NIST 800-53 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              CM-06 Configuration Settings mitigates T1137 Office Application Startup
              AC-17 Remote Access mitigates T1137 Office Application Startup
              SC-44 Detonation Chambers mitigates T1137 Office Application Startup
              SI-08 Spam Protection mitigates T1137 Office Application Startup
              SC-18 Mobile Code mitigates T1137 Office Application Startup
              SI-02 Flaw Remediation mitigates T1137 Office Application Startup
              RA-05 Vulnerability Monitoring and Scanning mitigates T1137 Office Application Startup
              CM-08 System Component Inventory mitigates T1137 Office Application Startup
              SI-03 Malicious Code Protection mitigates T1137 Office Application Startup
              CM-02 Baseline Configuration mitigates T1137 Office Application Startup
              SI-04 System Monitoring mitigates T1137 Office Application Startup
              AC-10 Concurrent Session Control mitigates T1137 Office Application Startup
              AC-06 Least Privilege mitigates T1137 Office Application Startup

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137 Office Application Startup

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1137 Office Application Startup
              Comments
              This control can detect peristence via office application startup.
              References
              1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              cloud_ids Cloud IDS technique_scores T1137 Office Application Startup
              Comments
              Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office files (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX). Although there are ways an attacker could modify the signature and deliver a malicious office file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
              References
              1. ['https://cloud.google.com/intrusion-detection-system'
              2. 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']
              google_secops Google Security Operations technique_scores T1137 Office Application Startup
              Comments
              Google Security Ops is able to trigger an alert based off suspicious system processes, for example: command line executable started from Microsoft's Office-based applications. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral
              References
              1. ['https://cloud.google.com/security/products/security-operations'
              2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
              3. 'https://github.com/chronicle/detection-rules']

              ATT&CK Subtechniques

              Technique ID Technique Name Number of Mappings
              T1137.006 Add-ins 8
              T1137.005 Outlook Rules 11
              T1137.001 Office Template Macros 14
              T1137.003 Outlook Forms 11
              T1137.004 Outlook Home Page 11
              T1137.002 Office Test 16