Office Application Startup (T1137)
Tactic: Persistence · Platforms: Windows, Office Suite
The interactive view maps 1 detection strategy, 4 mitigations, 2 threat groups to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page. These persistence mechanisms can work within Outlook or be used through Office 365.
Sub-techniques
- Office Template Macros (T1137.001)
- Office Test (T1137.002)
- Outlook Forms (T1137.003)
- Outlook Home Page (T1137.004)
- Outlook Rules (T1137.005)
- Add-ins (T1137.006)