EXPLORE
Sign In
← Back to Explore
T1137

Office Application Startup

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. A variety of features have been discovered in Outlook that can be abused to obtain persistence, such ...

WindowsOffice Suite
17
Detections
3
Sources
2
Threat Actors

BY SOURCE

8sigma6elastic3splunk_escu

PROCEDURES (12)

Registry3 detections

Auto-extracted: 3 detections for registry

Macro2 detections

Auto-extracted: 2 detections for macro

Macro2 detections

Auto-extracted: 2 detections for macro

Email2 detections

Auto-extracted: 2 detections for email

Office1 detections

Auto-extracted: 1 detections for office

Persist1 detections

Auto-extracted: 1 detections for persist

Office1 detections

Auto-extracted: 1 detections for office

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Office1 detections

Auto-extracted: 1 detections for office

Persist1 detections

Auto-extracted: 1 detections for persist

THREAT ACTORS (2)

APT32Gamaredon Group

DETECTIONS (17)

IE Change Domain Zone
sigmamedium
M365 Exchange Inbox Phishing Evasion Rule Created
elasticmedium
New Outlook Macro Created
sigmamedium
Office Test Registry Persistence
elasticlow
Outlook Home Page Registry Modification
elastichigh
Outlook Macro Execution Without Warning Setting Enabled
sigmahigh
Outlook Security Settings Updated - Registry
sigmamedium
Persistence via Microsoft Office AddIns
elastichigh
Persistence via Microsoft Outlook VBA
elasticmedium
Potential Persistence Via Microsoft Office Startup Folder
sigmahigh
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
sigmahigh
Registry Modification to Hidden File Extension
sigmamedium
Suspicious Execution via Microsoft Office Add-Ins
elasticmedium
Suspicious Outlook Macro Created
sigmahigh
Windows Outlook LoadMacroProviderOnBoot Persistence
splunk_escu
Windows Outlook Macro Created by Suspicious Process
splunk_escu
Windows Outlook Macro Security Modified
splunk_escu