Skip to content

DET0398 Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks

Item Value
ID DET0398
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1137 (Office Application Startup)

Analytics

Windows

AN1116

Office-based persistence via Office template macros, Outlook forms/rules/homepage, or registry-persistent scripts. Adversary modifies registry keys or Office application directories to load malicious scripts at startup.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
Application Log Content (DC0038) WinEventLog:Application Outlook rule creation, form load, or homepage redirection
Mutable Elements
Field Description
ParentProcessName Tune based on expected Office process tree (e.g., WINWORD.EXE spawning cmd.exe)
RegistryPath Specific keys related to Office startup such as Outlook Today, AddIns, or Template Macros
TimeWindow Window of process execution after user login or Outlook launch
UserContext Detect persistence within high-value user mailboxes (e.g., admin, finance, C-suite)

Office Suite

AN1117

Startup-based persistence mechanisms within Microsoft Office Suite like template macros and home page redirects being configured through internal automation or client-side settings.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) m365:unified Set-Mailbox, Set-InboxRule, Set-MailboxFolderPermission
Application Log Content (DC0038) m365:mailboxaudit Outlook rule creation or custom form deployment
Mutable Elements
Field Description
RuleAction Identify rule actions that execute scripts, forward emails externally, or start external content
MailboxTarget Focus on users with sensitive roles or shared mailboxes
TimeWindow Detect persistence artifacts created shortly after credential access or login from an unusual location