T1137 Office Application Startup

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-06.06 Vulnerability remediation Mitigates T1137 Office Application Startup
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
References
    PR.PS-01.01 Configuration baselines Mitigates T1137 Office Application Startup
    Comments
    This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
    References
      PR.PS-01.02 Least functionality Mitigates T1137 Office Application Startup
      Comments
      This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
      References
        PR.PS-02.01 Patch identification and application Mitigates T1137 Office Application Startup
        Comments
        This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, Microsoft has released several patches to help address leveraging of Microsoft Office-based applications for persistence between startups.
        References
          PR.PS-01.03 Configuration deviation Mitigates T1137 Office Application Startup
          Comments
          This diagnostic statement provides protection from Office Application Startup through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of Office software and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
          References
            PR.PS-05.02 Mobile code prevention Mitigates T1137 Office Application Startup
            Comments
            Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
            References

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1137 Office Application Startup

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              microsoft_sentinel Microsoft Sentinel technique_scores T1137 Office Application Startup
              Comments
              This control only provides minimal to partial coverage for a minority of this technique's sub-techniques and does not address all of its procedures, resulting in an overall score of Minimal.
              References
              file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1137 Office Application Startup
              Comments
              This control can detect peristence via office application startup.
              References

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              cloud_ids Cloud IDS technique_scores T1137 Office Application Startup
              Comments
              Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office files (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX). Although there are ways an attacker could modify the signature and deliver a malicious office file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
              References
              google_secops Google Security Operations technique_scores T1137 Office Application Startup
              Comments
              Google Security Ops is able to trigger an alert based off suspicious system processes, for example: command line executable started from Microsoft's Office-based applications. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral
              References

              M365 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              DEF-SSCO-E3 Secure Score Technique Scores T1137 Office Application Startup
              Comments
              Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection)
              References
              DEF-AIR-E5 Automated Investigation and Response Technique Scores T1137 Office Application Startup
              Comments
              Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc. Required licenses E5 or Microsoft Defender for Office 365 Plan 2 licenses.
              References

              ATT&CK Subtechniques

              Technique ID Technique Name Number of Mappings
              T1137.006 Add-ins 9
              T1137.005 Outlook Rules 12
              T1137.001 Office Template Macros 14
              T1137.003 Outlook Forms 11
              T1137.004 Outlook Home Page 11
              T1137.002 Office Test 16