T1137 Office Application Startup Mappings

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-10 Concurrent Session Control Protects T1137 Office Application Startup
AC-17 Remote Access Protects T1137 Office Application Startup
CM-2 Baseline Configuration Protects T1137 Office Application Startup
CM-6 Configuration Settings Protects T1137 Office Application Startup
CM-8 System Component Inventory Protects T1137 Office Application Startup
RA-5 Vulnerability Monitoring and Scanning Protects T1137 Office Application Startup
SI-2 Flaw Remediation Protects T1137 Office Application Startup
SI-3 Malicious Code Protection Protects T1137 Office Application Startup
SI-4 System Monitoring Protects T1137 Office Application Startup
azure_sentinel Azure Sentinel technique_scores T1137 Office Application Startup
file_integrity_monitoring File Integrity Monitoring technique_scores T1137 Office Application Startup

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1137.006 Add-ins 1
T1137.001 Office Template Macros 6
T1137.002 Office Test 7
T1137.003 Outlook Forms 2
T1137.004 Outlook Home Page 2
T1137.005 Outlook Rules 3