Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-10 | Concurrent Session Control | Protects | T1137 | Office Application Startup | |
| AC-17 | Remote Access | Protects | T1137 | Office Application Startup | |
| CM-2 | Baseline Configuration | Protects | T1137 | Office Application Startup | |
| CM-6 | Configuration Settings | Protects | T1137 | Office Application Startup | |
| CM-8 | System Component Inventory | Protects | T1137 | Office Application Startup | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1137 | Office Application Startup | |
| SI-2 | Flaw Remediation | Protects | T1137 | Office Application Startup | |
| SI-3 | Malicious Code Protection | Protects | T1137 | Office Application Startup | |
| SI-4 | System Monitoring | Protects | T1137 | Office Application Startup | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1137 | Office Application Startup | |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1137 | Office Application Startup |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1137.001 | Office Template Macros | 7 |
| T1137.002 | Office Test | 7 |
| T1137.003 | Outlook Forms | 3 |
| T1137.004 | Outlook Home Page | 3 |
| T1137.005 | Outlook Rules | 3 |