T1137

Office Application Startup

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Multiple mechanisms exist for Office-based persistence, including Office Template Macros, add-ins, and Outlook-specific features such as rules, forms, and Home Page. These persistence mechanisms activate when an Office application is launched or when specific Office events occur (such as receiving email), providing reliable execution on compromised endpoints. Real-world threat actors including APT32 (OceanLotus) and Gamaredon Group have abused Office persistence mechanisms, with APT32 notably replacing Outlook's VbaProject.OTM file with backdoor macros. The technique spans Word, Excel, Outlook, PowerPoint, and Access, and functions both on-premises and in Office 365 cloud environments. Sub-techniques include Office Template Macros (T1137.001), Office Test registry key (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006).

Microsoft Sentinel / Defender

kusto

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "onenote.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe", "net.exe", "net1.exe"]);
let OfficePersistenceExts = dynamic([".dotm", ".dotx", ".xlam", ".xla", ".xll", ".wll", ".ppam", ".ppa", ".dll"]);
// Signal 1: Office application spawning suspicious child processes (macro or add-in execution)
let OfficeChildProcess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| extend Signal = "OfficeSpawnedSuspiciousProcess"
| project Timestamp, DeviceName, AccountName, Signal,
    ParentApp = InitiatingProcessFileName,
    ChildProcess = FileName,
    ProcessCommandLine,
    ParentCommandLine = InitiatingProcessCommandLine;
// Signal 2: Registry modifications to known Office persistence locations
let OfficeRegPersistence = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "Office test"
    or (RegistryKey has "Microsoft" and RegistryKey has "Office" and RegistryValueName startswith "OPEN")
    or RegistryKey has "WebView"
    or (RegistryKey has "Outlook" and RegistryKey has "Forms")
    or (RegistryKey has "Addins" and RegistryKey has "Microsoft" and RegistryKey has "Office")
| extend Signal = "OfficeRegistryPersistenceModified"
| project Timestamp, DeviceName,
    AccountName = InitiatingProcessAccountName, Signal,
    ParentApp = InitiatingProcessFileName,
    ChildProcess = "",
    ProcessCommandLine = strcat(RegistryKey, " -> ", coalesce(RegistryValueData, "(empty)")),
    ParentCommandLine = InitiatingProcessCommandLine;
// Signal 3: Files dropped into Office startup or add-in directories
let OfficePersistenceFiles = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where ((FolderPath has "Microsoft" and FolderPath has "Word" and FolderPath has "STARTUP")
        or (FolderPath has "Microsoft" and FolderPath has "Excel" and FolderPath has "XLSTART")
        or (FolderPath has "Microsoft" and FolderPath has "AddIns"))
        and FileName has_any (OfficePersistenceExts)
    or FileName =~ "VbaProject.OTM"
| extend Signal = "OfficePersistenceFileDropped"
| project Timestamp, DeviceName,
    AccountName = InitiatingProcessAccountName, Signal,
    ParentApp = InitiatingProcessFileName,
    ChildProcess = FileName,
    ProcessCommandLine = strcat(FolderPath, FileName),
    ParentCommandLine = InitiatingProcessCommandLine;
// Union all persistence signals
union OfficeChildProcess, OfficeRegPersistence, OfficePersistenceFiles
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents DeviceFileEvents

False Positives

Legitimate Office add-in installation by IT administrators deploying enterprise productivity tools such as Adobe Acrobat PDF add-in, Grammarly, or Microsoft Teams Meeting add-in — these create registry entries under Addins and may drop DLL files into AddIns directories
Software deployment solutions (SCCM, Intune, PDQ Deploy) installing or updating Office plugins and templates during endpoint provisioning — the initiating process will be a deployment agent rather than office apps
Developers or power users creating custom Word STARTUP templates (.dotm) or Excel XLSTART add-ins (.xlam) for personal or departmental productivity macros — verify with the user whether the macro file was intentionally created
Microsoft Office application updates that modify registry keys such as add-in registrations, WebView settings, or default template associations during patching
Security email gateway add-ins (Proofpoint, Mimecast, Barracuda) that register as Outlook COM add-ins and create standard Addins registry entries on installation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (1, 11, 12, 13, 14)
| eval lower_image=lower(coalesce(Image, ""))
| eval lower_parent=lower(coalesce(ParentImage, ""))
| eval lower_target=lower(coalesce(TargetObject, TargetFilename, ""))
| eval lower_cmdline=lower(coalesce(CommandLine, ""))
| eval OfficeSpawn=if(
    EventCode=1
    AND match(lower_parent, "(winword|excel|powerpnt|outlook|msaccess|onenote)\\.exe")
    AND match(lower_image, "\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net|net1)\\.exe$"),
    1, 0)
| eval RegPersistence=if(
    EventCode IN (12, 13, 14)
    AND (match(lower_target, "office test")
         OR match(lower_target, "webview")
         OR (match(lower_target, "outlook") AND match(lower_target, "forms"))
         OR (match(lower_target, "addins") AND match(lower_target, "microsoft") AND match(lower_target, "office"))
         OR (match(lower_target, "microsoft.*office") AND match(TargetObject, "(?i)\\OPEN\d*$"))),
    1, 0)
| eval FilePersistence=if(
    EventCode=11
    AND (match(lower_target, "microsoft.word.startup")
         OR match(lower_target, "microsoft.excel.xlstart")
         OR match(lower_target, "microsoft.addins")
         OR match(lower_target, "vbaproject\\.otm"))
    AND match(lower_target, "\.(dotm|dotx|xlam|xla[^x]|xll|wll|ppam|ppa|\.dll|otm)$"),
    1, 0)
| where OfficeSpawn=1 OR RegPersistence=1 OR FilePersistence=1
| eval Signal=case(
    OfficeSpawn=1, "OfficeSpawnedSuspiciousProcess",
    RegPersistence=1, "OfficeRegistryPersistenceModified",
    FilePersistence=1, "OfficePersistenceFileDropped",
    true(), "Unknown")
| eval SuspicionScore=OfficeSpawn + RegPersistence + FilePersistence
| table _time, host, User, Signal, EventCode, Image, CommandLine, ParentImage, ParentCommandLine, TargetObject, TargetFilename, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification File: File Creation Sysmon Event IDs 1, 11, 12, 13, 14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Office add-in installation by IT administrators deploying enterprise tools — look for deployment agent parent processes (ccmexec.exe, msiexec.exe) rather than unexpected initiators
Software deployment solutions (SCCM, Intune) installing or updating Office plugins during endpoint provisioning
Developers creating custom Word/Excel add-ins for departmental productivity automation — verify with the file owner
Microsoft Office updates that modify add-in registry keys or install default templates
Security email gateway add-ins (Proofpoint, Mimecast) registering as Outlook COM add-ins on installation

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [any where
    // Signal 1: Office spawning suspicious child
    (
      event.category == "process" and event.type == "start"
      and process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "onenote.exe")
      and process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe", "net.exe", "net1.exe")
    )
    or
    // Signal 2: Registry persistence
    (
      event.category == "registry" and event.type in ("creation", "change")
      and (
        registry.path like~ "*Office test*"
        or registry.path like~ "*WebView*"
        or (registry.path like~ "*Outlook*" and registry.path like~ "*Forms*")
        or (registry.path like~ "*AddIns*" and registry.path like~ "*Microsoft*" and registry.path like~ "*Office*")
        or (registry.path like~ "*Microsoft*Office*" and registry.value_name regex~ "OPEN\d*")
      )
    )
    or
    // Signal 3: Persistence file dropped
    (
      event.category == "file" and event.type in ("creation", "change")
      and (
        (
          (file.path like~ "*Microsoft*Word*STARTUP*"
          or file.path like~ "*Microsoft*Excel*XLSTART*"
          or file.path like~ "*Microsoft*AddIns*")
          and (file.name like~ "*.dotm" or file.name like~ "*.dotx" or file.name like~ "*.xlam"
              or file.name like~ "*.xla" or file.name like~ "*.xll" or file.name like~ "*.wll"
              or file.name like~ "*.ppam" or file.name like~ "*.ppa" or file.name like~ "*.dll")
        )
        or file.name like~ "VbaProject.OTM"
      )
    )
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate macro-enabled templates deployed by IT via Group Policy or endpoint management tools may trigger file persistence signals when placed in STARTUP or XLSTART directories
Security software, PDF readers, or third-party Office integrations that legitimately register COM add-ins under Microsoft\Office\AddIns registry keys
Developers using MSBuild, PowerShell, or cmd.exe as part of Office automation or VSTO (Visual Studio Tools for Office) development workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "ProcessImage",
  "ParentProcessImage",
  "CommandLine",
  "TargetObject",
  "TargetFilename",
  CASE
    WHEN "EventID" = '1'
         AND LOWER("ParentProcessImage") MATCHES '.*(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe'
         AND LOWER("ProcessImage") MATCHES '.*\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$'
      THEN 'OfficeSpawnedSuspiciousProcess'
    WHEN "EventID" IN ('12', '13', '14')
         AND (LOWER("TargetObject") IMATCHES '%office test%'
              OR LOWER("TargetObject") IMATCHES '%webview%'
              OR (LOWER("TargetObject") IMATCHES '%outlook%' AND LOWER("TargetObject") IMATCHES '%forms%')
              OR (LOWER("TargetObject") IMATCHES '%addins%' AND LOWER("TargetObject") IMATCHES '%microsoft%' AND LOWER("TargetObject") IMATCHES '%office%')
              OR (LOWER("TargetObject") IMATCHES '%microsoft%office%' AND "TargetObject" MATCHES '(?i).*\\OPEN\d*$'))
      THEN 'OfficeRegistryPersistenceModified'
    WHEN "EventID" = '11'
         AND ((LOWER("TargetFilename") IMATCHES '%microsoft%word%startup%'
               OR LOWER("TargetFilename") IMATCHES '%microsoft%excel%xlstart%'
               OR LOWER("TargetFilename") IMATCHES '%microsoft%addins%')
              AND LOWER("TargetFilename") MATCHES '.*(\.(dotm|dotx|xlam|xla[^x]|xll|wll|ppam|ppa|\.dll))$')
         OR LOWER("TargetFilename") IMATCHES '%vbaproject.otm%'
      THEN 'OfficePersistenceFileDropped'
    ELSE NULL
  END AS signal
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (16, 55)
  AND LAST 24 HOURS
  AND "EventID" IN ('1', '11', '12', '13', '14')
  AND signal IS NOT NULL
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon via Windows Event Log DSM Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune) that install Office templates or add-ins by placing files in STARTUP or XLSTART paths
Legitimate corporate Office add-ins registered in the AddIns registry key by IT-managed software (CRM integrations, DocuSign, Grammarly for Enterprise)
Development and testing environments where developers frequently spawn PowerShell or cmd.exe from Office applications to test macros or automation scripts

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon (EventCode=1 OR EventCode=11 OR EventCode=12 OR EventCode=13 OR EventCode=14)
| parse xml field=_raw "Event/EventData/Data[@Name='Image']" as Image nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='ParentImage']" as ParentImage nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='CommandLine']" as CommandLine nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='ParentCommandLine']" as ParentCommandLine nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='TargetObject']" as TargetObject nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='TargetFilename']" as TargetFilename nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='User']" as User nodrop
| parse xml field=_raw "Event/SystemData/Computer" as host nodrop
| eval lower_image = toLowerCase(Image)
| eval lower_parent = toLowerCase(ParentImage)
| eval lower_target = toLowerCase(if(!isNull(TargetObject), TargetObject, if(!isNull(TargetFilename), TargetFilename, "")))
| eval OfficeSpawn = if(
    EventCode="1"
    AND matches(lower_parent, ".*(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe")
    AND matches(lower_image, ".*\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$"),
    1, 0)
| eval RegPersistence = if(
    EventCode in ("12","13","14")
    AND (
      matches(lower_target, ".*office test.*")
      OR matches(lower_target, ".*webview.*")
      OR (matches(lower_target, ".*outlook.*") AND matches(lower_target, ".*forms.*"))
      OR (matches(lower_target, ".*addins.*") AND matches(lower_target, ".*microsoft.*") AND matches(lower_target, ".*office.*"))
      OR (matches(lower_target, ".*microsoft.*office.*") AND matches(TargetObject, "(?i).*\\\\OPEN\\d*$"))
    ),
    1, 0)
| eval FilePersistence = if(
    EventCode="11"
    AND (
      (
        (matches(lower_target, ".*microsoft.*word.*startup.*")
         OR matches(lower_target, ".*microsoft.*excel.*xlstart.*")
         OR matches(lower_target, ".*microsoft.*addins.*"))
        AND matches(lower_target, ".*\.(dotm|dotx|xlam|xla[^x]|xll|wll|ppam|ppa|\.dll)$")
      )
      OR matches(lower_target, ".*vbaproject\.otm.*")
    ),
    1, 0)
| where OfficeSpawn=1 OR RegPersistence=1 OR FilePersistence=1
| eval Signal = if(OfficeSpawn=1, "OfficeSpawnedSuspiciousProcess",
    if(RegPersistence=1, "OfficeRegistryPersistenceModified",
    if(FilePersistence=1, "OfficePersistenceFileDropped", "Unknown")))
| fields _time, host, User, Signal, EventCode, Image, CommandLine, ParentImage, ParentCommandLine, TargetObject, TargetFilename
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Sysmon logs ingested via Sumo Logic Installed Collector Windows Event Logs (Sysmon operational channel)

Required Tables

_sourceCategory=windows/sysmon

False Positives

Automated Office template distribution via Group Policy or MDM solutions placing .dotm or .xlam files in the STARTUP/XLSTART directories as part of standard build images
Security awareness training tools or sandboxing solutions that hook into Office applications and may appear as suspicious child processes in parent-child process analysis
Legitimate productivity add-ins registered enterprise-wide (e.g., Salesforce for Outlook, Adobe Acrobat PDF Maker, or Microsoft Teams Meeting add-in) appearing in AddIns registry paths

Google Chronicle / SecOps

yaral

rule office_application_startup_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Office Application Startup persistence (T1137) via suspicious child processes, registry modifications, or file drops in Office startup directories"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1137/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    // Signal 1: Office spawning suspicious child process
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$`)
        or re.regex($e1.principal.process.file.base_name, `(?i)^(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$`)
      )
      and re.regex($e1.target.process.file.base_name, `(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$`)
    )
    or
    // Signal 2: Registry modification to Office persistence locations
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e1.target.registry.registry_key, `(?i)office.test`)
        or re.regex($e1.target.registry.registry_key, `(?i)webview`)
        or (
          re.regex($e1.target.registry.registry_key, `(?i)outlook`)
          and re.regex($e1.target.registry.registry_key, `(?i)forms`)
        )
        or (
          re.regex($e1.target.registry.registry_key, `(?i)addins`)
          and re.regex($e1.target.registry.registry_key, `(?i)microsoft`)
          and re.regex($e1.target.registry.registry_key, `(?i)office`)
        )
        or (
          re.regex($e1.target.registry.registry_key, `(?i)microsoft.*office`)
          and re.regex($e1.target.registry.registry_value_name, `(?i)^OPEN\d*$`)
        )
      )
    )
    or
    // Signal 3: File drop in Office startup or add-in directories
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        (
          (
            re.regex($e1.target.file.full_path, `(?i)microsoft.*word.*startup`)
            or re.regex($e1.target.file.full_path, `(?i)microsoft.*excel.*xlstart`)
            or re.regex($e1.target.file.full_path, `(?i)microsoft.*addins`)
          )
          and re.regex($e1.target.file.full_path, `(?i)\.(dotm|dotx|xlam|xla[^x]|xll|wll|ppam|ppa|\.dll)$`)
        )
        or re.regex($e1.target.file.base_name, `(?i)^vbaproject\.otm$`)
      )
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows endpoints with Chronicle forwarder or Sysmon ingestion

Required Tables

UDM events (PROCESS_LAUNCH, REGISTRY_MODIFICATION, FILE_CREATION)

False Positives

Corporate-managed Office add-ins distributed via Group Policy that write to STARTUP or XLSTART directories during automated software deployment windows
Third-party productivity integrations such as PDF converters, CRM plugins, or document management systems that legitimately modify Office AddIns registry keys during installation
Macro-enabled document templates (.dotm, .xlam) pushed to user machines by IT helpdesk as part of standardized Office configuration or brand compliance deployments

CrowdStrike LogScale (CQL)

cql

// Signal 1: Office application spawning suspicious child processes
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$/i
| ImageFileName = /\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$/i
| eval Signal="OfficeSpawnedSuspiciousProcess"
| table([@timestamp, ComputerName, UserName, Signal, ParentBaseFileName, FileName, CommandLine, ParentCommandLine])

// Signal 2: Office persistence registry modifications
// Run separately and union
#event_simpleName=RegGenericValueSet
| TargetObject = /(?i)(office.test|webview)/
  OR (TargetObject = /(?i)outlook/ AND TargetObject = /(?i)forms/)
  OR (TargetObject = /(?i)addins/ AND TargetObject = /(?i)microsoft/ AND TargetObject = /(?i)office/)
  OR (TargetObject = /(?i)microsoft.*office/ AND TargetObject = /(?i)\\OPEN\d*$/)
| eval Signal="OfficeRegistryPersistenceModified"
| table([@timestamp, ComputerName, UserName, Signal, TargetObject, RegStringValue])

// Signal 3: Office persistence file drops
// Run separately and union
#event_simpleName=PeFileWritten OR #event_simpleName=SuspiciousFileWrite
| TargetFileName = /(?i)(microsoft.*(word.*startup|excel.*xlstart|addins).*\.(dotm|dotx|xlam|xla[^x]|xll|wll|ppam|ppa|\.dll))|vbaproject\.otm/
| eval Signal="OfficePersistenceFileDropped"
| table([@timestamp, ComputerName, UserName, Signal, TargetFileName])

// Unified view — combine all signals with groupBy
// Primary hunt query using all three signals:
(#event_simpleName=ProcessRollup2
  | ParentBaseFileName = /^(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$/i
  | ImageFileName = /\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$/i
  | eval Signal="OfficeSpawnedSuspiciousProcess", ArtifactName=FileName)
OR
(#event_simpleName=RegGenericValueSet
  | TargetObject = /(?i)(office.test|webview)/
    OR (TargetObject = /(?i)outlook/ AND TargetObject = /(?i)forms/)
    OR (TargetObject = /(?i)addins/ AND TargetObject = /(?i)microsoft/ AND TargetObject = /(?i)office/)
    OR (TargetObject = /(?i)microsoft.*office/ AND TargetObject = /(?i)\\OPEN\d*$/)
  | eval Signal="OfficeRegistryPersistenceModified", ArtifactName=TargetObject)
OR
(#event_simpleName=PeFileWritten
  | TargetFileName = /(?i)(microsoft.*(word.*startup|excel.*xlstart|addins).*\.(dotm|dotx|xlam|xla[^x]|xll|wll|ppam|ppa|\.dll))|vbaproject\.otm/
  | eval Signal="OfficePersistenceFileDropped", ArtifactName=TargetFileName)
| groupBy([ComputerName, UserName, Signal], function=[count(as=EventCount), collect([ArtifactName], limit=10)])
| sort(EventCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon Data Replicator (FDR) CrowdStrike LogScale SIEM

Required Tables

ProcessRollup2 RegGenericValueSet PeFileWritten SuspiciousFileWrite

False Positives

Falcon sensor may generate ProcessRollup2 hits when legitimate IT automation scripts use Office COM interop from PowerShell or cmd.exe to perform document processing, mail merge, or report generation tasks
Enterprise software packages (e.g., SAP, Oracle) that register Office add-ins as part of their installation process will trigger RegGenericValueSet signals under the AddIns registry path
VbaProject.OTM writes triggered legitimately when users modify or create their own Outlook VBA macros through the VBA Editor (Alt+F11), which is common in organizations that allow user-managed macros

Last updated: 2026-04-18 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1137 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Office Application Startup

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Same Tactic: Persistence

Popular Detections