
T1137 Office Application Startup

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page. [1] These persistence mechanisms can work within Outlook or be used through Office 365. [2]

Item Value
ID T1137
Sub-techniques T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006
Tactics TA0003
Platforms Office 365, Windows
Permissions required Administrator, User
Version 1.3
Created 14 December 2017
Last Modified 15 October 2021

Procedure Examples

ID Name Description
G0050 APT32 APT32 has replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence. [12][13]
G0047 Gamaredon Group Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received. [14]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [9]
M1042 Disable or Remove Feature or Program Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.
M1054 Software Configuration For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. [10]
M1051 Update Software For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine. [7] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems. [8]
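The four mitigations above can be applied and checked from one elevated PowerShell session. The script below is an added example, not part of the ATT&CK page and not MITRE tooling: the ASR rule GUIDs, the Office policy registry paths (16.0 for Office 2016/365), the "Office test" key path and the KB lookup through the Windows Installer patch registrations are assumptions of this script rather than values taken from the page.

```powershell
# Added example, not from the ATT&CK page: apply and verify the M1040, M1042 and
# M1054 settings listed above for the current user, then look for the M1051
# Outlook updates. Run elevated on Windows 10/11 with Microsoft Defender.
# ASR rule GUIDs, the Office policy paths (16.0 = Office 2016/365) and the
# KB-lookup approach are assumptions of this script, not values from the page.
$ErrorActionPreference = 'Stop'

# --- M1040: enable the two ASR rules the mitigation names and confirm they are
# in Block mode (Actions: 0 = Disabled, 1 = Block, 2 = Audit).
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($asrRules.ContainsKey($id)) {
        '{0,-62} action={1}' -f $asrRules[$id], $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# --- M1042: disable VBA macros through the Office policy keys. VBAWarnings 4 =
# "Disable all macros without notification"; a policy value cannot be changed
# by the user from the Trust Center UI.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value 4 -Force | Out-Null
}

# --- M1054: pre-create the "Office test" key with no default value and leave the
# user only READ_CONTROL (RegistryRights.ReadPermissions) on it. The user still
# owns keys under HKCU, so this raises the bar rather than removing it; the
# HKLM twin of the key should get the same treatment from an admin context.
$officeTest = 'HKCU:\Software\Microsoft\Office test\Special\Perf'
New-Item -Path $officeTest -Force | Out-Null
$acl = Get-Acl -Path $officeTest
$acl.SetAccessRuleProtection($true, $false)          # drop inherited ACEs
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$admins = [System.Security.Principal.SecurityIdentifier] 'S-1-5-32-544'
$system = [System.Security.Principal.SecurityIdentifier] 'S-1-5-18'
$acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new($me, 'ReadPermissions', 'Allow'))
foreach ($sid in $admins, $system) {
    $acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
        $sid, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
}
Set-Acl -Path $officeTest -AclObject $acl
(Get-Acl -Path $officeTest).Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

# --- M1051: look for the Outlook updates the mitigation names among the MSI
# patch registrations. Click-to-Run builds do not register individual KBs, so
# "not registered" there means "check the Office build number", not "unpatched".
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$names = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
         ForEach-Object { $_.DisplayName } | Where-Object { $_ }
foreach ($kb in 'KB3191938', 'KB4011091', 'KB4011162') {
    $hit = @($names | Where-Object { $_ -like "*$kb*" })
    if ($hit.Count) { "$kb`: registered ($($hit[0]))" } else { "$kb`: not registered (verify via Office update history)" }
}
```

The Office Test key is created empty on purpose: Office only loads a DLL from the key's default value, so an empty key that the user cannot write to closes that path without affecting Office itself. The ASR rules and policy values are per-machine and per-user respectively; in an enterprise both are normally pushed by Group Policy or Intune rather than set by script, but the check portion is the same either way.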

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Creation
DS0011 Module Module Load
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Creation
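The data sources above map onto a small set of concrete locations for this technique: the files an Office application loads at startup, the registry values that make it load code or a page, the add-in registrations, and the command line Outlook is started with. The script below is an added example, not part of the ATT&CK page and not MITRE tooling; it inventories those locations and emits one record per finding in the shape you would ship to a SIEM. The file paths, registry locations and the 16.0 version key are assumptions for Office 2016/365 on Windows and should be adjusted for other versions.

```powershell
# Added example, not from the ATT&CK page: inventory the Office and Outlook
# startup locations this technique abuses and emit one record per finding
# (file, registry, process). File paths, registry locations and the 16.0
# version key are assumptions for Office 2016/365 on Windows.
$appData  = $env:APPDATA
$ver      = '16.0'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Location = $Location; Detail = $Detail })
}

# File content loaded at application start: the Outlook VBA project (the file
# APT32 replaced), the global Word template, per-user startup folders, add-ins.
$startupPaths = @(
    "$appData\Microsoft\Outlook\VbaProject.OTM",
    "$appData\Microsoft\Templates\Normal.dotm",
    "$appData\Microsoft\Word\STARTUP\*",
    "$appData\Microsoft\Excel\XLSTART\*",
    "$appData\Microsoft\AddIns\*"
)
foreach ($p in $startupPaths) {
    foreach ($f in Get-ChildItem -Path $p -File -ErrorAction SilentlyContinue) {
        $sha = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Add-Finding 'File' $f.FullName ('modified={0:u} sha256={1}' -f $f.LastWriteTimeUtc, $sha)
    }
}

# Registry values that make an Office application load code or a page at start:
# the Office Test DLL loader and the Outlook folder Home Page URLs.
$regValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Office test\Special\Perf';            Name = '(default)'; Why = 'Office Test DLL' },
    @{ Path = 'HKLM:\Software\Microsoft\Office test\Special\Perf';            Name = '(default)'; Why = 'Office Test DLL' },
    @{ Path = "HKCU:\Software\Microsoft\Office\$ver\Outlook\WebView\Inbox";    Name = 'URL';       Why = 'Outlook Home Page' },
    @{ Path = "HKCU:\Software\Microsoft\Office\$ver\Outlook\WebView\Calendar"; Name = 'URL';       Why = 'Outlook Home Page' }
)
foreach ($r in $regValues) {
    $v = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($r.Name)) {
        Add-Finding 'Registry' "$($r.Path)\$($r.Name)" ('{0}: {1}' -f $r.Why, $v.($r.Name))
    }
}

# COM add-in registrations: every subkey is something Office will try to load.
# LoadBehavior 3 = load at startup (the usual value); see the Office add-in
# documentation for the other flag combinations.
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Outlook') {
        Get-ChildItem -Path "$hive\Software\Microsoft\Office\$app\Addins" -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lb = (Get-ItemProperty -Path $_.PSPath -Name LoadBehavior -ErrorAction SilentlyContinue).LoadBehavior
                Add-Finding 'Registry' $_.Name ('add-in LoadBehavior={0}' -f $lb)
            }
    }
}

# Process creation: Outlook relaunched with /altvba (the Gamaredon procedure).
# Security event 4688 carries the command line only if command-line auditing is on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'outlook\.exe.*/altvba' } |
    ForEach-Object {
        $cmd = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line' }) -join ''
        Add-Finding 'Process' ('Security/4688 @ {0:u}' -f $_.TimeCreated) $cmd.Trim()
    }

$findings | Format-Table -AutoSize -Wrap
```

Run once on a known-good build to capture a baseline, then diff later runs against it: a new or re-hashed VbaProject.OTM, a freshly populated Office Test default value, a WebView URL that is not empty, or an unfamiliar add-in subkey is the signal, and each of these corresponds to the File Creation, Windows Registry Key Creation and Module Load components in the table above. The 4688 search only works where process command-line auditing is enabled; Sysmon event 1 or an EDR process-creation feed is the usual substitute.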

References

  1. SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.

  2. Koeller, B. (2018, February 21). Defending Against Rules and Forms Injection. Retrieved November 5, 2019.

  3. Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019.

  4. Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019.

  5. Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.

  6. SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.

  7. Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.

  8. Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.

  9. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.

  10. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.

  11. Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017.

  12. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.

  13. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

  14. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.