T1137Techniquepersistenceagent-callable

T1137Office Application Startup

Platforms: Windows · Office 365

ATT&CK version: 14.1

What it is

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

ATT&CK tactics· 1

Persistence

References

  1. https://attack.mitre.org/techniques/T1137
  2. https://github.com/sensepost/ruler
  3. https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
  4. https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
  5. https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
  6. https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
  7. https://github.com/sensepost/notruler
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.