T1137.003 IBM QRadar · QRadar

Detect Outlook Forms in IBM QRadar

Adversaries abuse Microsoft Outlook custom forms to achieve persistence. Custom forms are stored in the user's mailbox and are loaded when Outlook starts. A malicious form containing VBScript or JScript executes when an adversary sends a specially crafted email to the victim. The Ruler tool automates this technique. Forms are stored in the mailbox itself, making them invisible to standard endpoint file monitoring and surviving OS reinstalls.

MITRE ATT&CK

Tactic: Persistence
Technique: T1137 Office Application Startup
Sub-technique: T1137.003 Outlook Forms
Canonical reference: https://attack.mitre.org/techniques/T1137/003/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  destinationip,
  destinationport,
  QIDNAME(qid) AS event_name,
  "ParentImage" AS parent_image,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  CASE
    WHEN LOWER("ParentImage") LIKE '%outlook.exe%'
      AND (LOWER("Image") LIKE '%cmd.exe%'
        OR LOWER("Image") LIKE '%powershell.exe%'
        OR LOWER("Image") LIKE '%wscript.exe%'
        OR LOWER("Image") LIKE '%cscript.exe%'
        OR LOWER("Image") LIKE '%mshta.exe%'
        OR LOWER("Image") LIKE '%rundll32.exe%'
        OR LOWER("Image") LIKE '%regsvr32.exe%'
        OR LOWER("Image") LIKE '%certutil.exe%'
        OR LOWER("Image") LIKE '%msiexec.exe%'
        OR LOWER("Image") LIKE '%wmic.exe%')
    THEN 'Outlook_Spawned_Shell'
    WHEN LOWER("Image") LIKE '%ruler.exe%'
      OR LOWER("CommandLine") LIKE '%--%forms%'
      OR LOWER("CommandLine") LIKE '%--%homepage%'
      OR LOWER("CommandLine") LIKE '%--%ruler%'
    THEN 'Ruler_Tool_Detected'
    WHEN LOWER("ParentImage") LIKE '%outlook.exe%'
      AND destinationport IN (80, 443, 445, 4444, 8080, 8443)
      AND NOT INCIDR('10.0.0.0/8', destinationip)
      AND NOT INCIDR('172.16.0.0/12', destinationip)
      AND NOT INCIDR('192.168.0.0/16', destinationip)
      AND NOT INCIDR('127.0.0.0/8', destinationip)
    THEN 'Outlook_External_Connection'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 366)
  AND starttime > NOW() - 86400000
  AND (
    (LOWER("ParentImage") LIKE '%outlook.exe%'
      AND (LOWER("Image") LIKE '%cmd.exe%'
        OR LOWER("Image") LIKE '%powershell.exe%'
        OR LOWER("Image") LIKE '%wscript.exe%'
        OR LOWER("Image") LIKE '%cscript.exe%'
        OR LOWER("Image") LIKE '%mshta.exe%'
        OR LOWER("Image") LIKE '%rundll32.exe%'
        OR LOWER("Image") LIKE '%regsvr32.exe%'
        OR LOWER("Image") LIKE '%certutil.exe%'
        OR LOWER("Image") LIKE '%msiexec.exe%'
        OR LOWER("Image") LIKE '%wmic.exe%'))
    OR (LOWER("Image") LIKE '%ruler.exe%'
        OR LOWER("CommandLine") LIKE '%--%forms%'
        OR LOWER("CommandLine") LIKE '%--%homepage%'
        OR LOWER("CommandLine") LIKE '%--%ruler%')
    OR (LOWER("ParentImage") LIKE '%outlook.exe%'
        AND destinationport IN (80, 443, 445, 4444, 8080, 8443)
        AND NOT INCIDR('10.0.0.0/8', destinationip)
        AND NOT INCIDR('172.16.0.0/12', destinationip)
        AND NOT INCIDR('192.168.0.0/16', destinationip)
        AND NOT INCIDR('127.0.0.0/8', destinationip))
  )
ORDER BY starttime DESC
```

Severity: high. Confidence: medium.

AQL query over the last 24 hours (starttime > NOW() - 86400000 ms) of QRadar events from Windows Sysmon and Security log sources (LOGSOURCETYPEID 12=WindowsAuthServer, 13=WindowsSecurityEventLog, 366=Sysmon). It detects three Outlook Forms persistence indicators: Outlook spawning interpreter processes, Ruler tool execution, and Outlook making external network connections after a form fires.
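An offline model of the query's three CASE branches run over constructed Sysmon-style records, added here as an example and not part of the QRadar rule package. It assumes each event is a dict keyed by the property names the AQL reads, and it tests internal ranges with the ipaddress module so that all of 172.16.0.0/12 counts as internal, where a LIKE '172.16.%' prefix test would cover only 172.16.0.0/16.

```python
import ipaddress
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                "msiexec.exe", "wmic.exe")
PORTS = {80, 443, 445, 4444, 8080, 8443}
# RFC 1918 blocks plus loopback; the /12 covers 172.16.0.0 through 172.31.255.255.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def _after_dashes(cmdline, word):
    # Mirrors LIKE '%--%word%': a "--" followed somewhere later by word.
    cl = cmdline.lower()
    i = cl.find("--")
    return i >= 0 and word in cl[i + 2:]

def classify(ev):
    """Return the detection_type the AQL CASE would assign, or None."""
    parent = (ev.get("ParentImage") or "").lower()
    image = (ev.get("Image") or "").lower()
    cl = ev.get("CommandLine") or ""
    outlook_parent = "outlook.exe" in parent
    if outlook_parent and any(i in image for i in INTERPRETERS):
        return "Outlook_Spawned_Shell"
    if "ruler.exe" in image or any(
            _after_dashes(cl, w) for w in ("forms", "homepage", "ruler")):
        return "Ruler_Tool_Detected"
    if (outlook_parent and ev.get("destinationport") in PORTS
            and ev.get("destinationip") and not is_internal(ev["destinationip"])):
        return "Outlook_External_Connection"
    return None

# Constructed sample records (Sysmon EID 1 process-create, EID 3 network).
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLES = [
    {"ParentImage": OUTLOOK, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wscript.exe //B form.vbs"},                      # fires
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},  # Test 1 shape
    {"ParentImage": OUTLOOK, "Image": OUTLOOK, "CommandLine": "",
     "destinationip": "172.20.5.9", "destinationport": 443},          # internal, inside the /12
    {"ParentImage": OUTLOOK, "Image": OUTLOOK, "CommandLine": "",
     "destinationip": "203.0.113.7", "destinationport": 4444},        # fires
]

def run(events=SAMPLES):
    return [classify(e) for e in events]
```

The second sample has the shape of Test 1 below (parent powershell.exe, not outlook.exe) and so yields no detection_type.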

Data Sources

  • QRadar Windows Security Event Log DSM
  • QRadar Microsoft Sysmon DSM
  • QRadar Microsoft Windows DSM

Required Tables

events

False Positives & Tuning

  • Legitimate third-party Outlook add-ins (e.g., DocuSign, Salesforce, Zoom plugins) that launch helper executables as child processes of outlook.exe
  • Corporate email security scanners or CASB agents that intercept Outlook network traffic and appear as Outlook-originated connections to external IPs
  • Penetration testing tools and red team engagements using Ruler in authorized assessments without exclusion rules configured in QRadar
Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Outlook Child Process Detection (Simulate Form Execution)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe and CommandLine containing 'whoami'. In this simulation the parent process is powershell.exe rather than outlook.exe, so the Outlook_Spawned_Shell branch of the query, which requires ParentImage to match outlook.exe, will not fire; the test exercises the pattern of an Office application spawning cmd.exe, and the rule is confirmed end to end only by an event whose ParentImage is outlook.exe.

  2. Test 2: Ruler Tool Form Installation (Controlled Test)

    Expected signal: If actually executed: Sysmon Event ID 1 with Image=ruler.exe, Sysmon Event ID 3 with a network connection to the Exchange EWS endpoint on port 443, and Security Event ID 4624 for the EWS authentication.

  3. Test 3: Check for Malicious Outlook Forms via PowerShell EWS

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to the Exchange server on port 443. Security Event ID 4624 for the EWS authentication (Kerberos or NTLM).
