T1137 Google Chronicle · YARA-L

Detect Office Application Startup in Google Chronicle

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Multiple mechanisms exist for Office-based persistence, including Office template macros, add-ins, and Outlook-specific features such as rules, forms, and Home Page. These mechanisms activate when an Office application is launched or when a specific Office event occurs (such as receiving email), which gives reliable execution on a compromised endpoint without touching the classic autorun locations (Run keys, services, scheduled tasks) that most persistence monitoring watches. Real-world threat actors including APT32 (OceanLotus) and Gamaredon Group have abused Office persistence, with APT32 notably replacing Outlook's VbaProject.OTM file with a backdoored macro project. The technique spans Word, Excel, Outlook, PowerPoint, and Access, and works both on-premises and in Office 365 environments. Sub-techniques include Office Template Macros (T1137.001), Office Test registry key (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006).

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Canonical reference
https://attack.mitre.org/techniques/T1137/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule office_application_startup_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Office Application Startup persistence (T1137) via suspicious child processes, registry modifications, or file drops in Office startup directories"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1137/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    // Signal 1: Office application spawning a LOLBin child process.
    // Match on the final path component of full_path (the image name itself),
    // so a directory that merely contains the string cannot satisfy the check.
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)(^|\\)(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$`)
      and re.regex($e1.target.process.file.full_path, `(?i)(^|\\)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$`)
    )
    or
    // Signal 2: Registry modification to Office persistence locations
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        // T1137.002: HKCU\Software\Microsoft\Office test\Special\Perf (default value = DLL path)
        re.regex($e1.target.registry.registry_key, `(?i)\\office test\\special\\perf`)
        // T1137.004: ...\Outlook\WebView\<folder>, value "URL". Anchored under Outlook so
        // Edge WebView2 runtime/updater keys containing "WebView" do not match.
        or re.regex($e1.target.registry.registry_key, `(?i)\\outlook\\webview\\`)
        // T1137.003: Outlook forms
        or (
          re.regex($e1.target.registry.registry_key, `(?i)outlook`)
          and re.regex($e1.target.registry.registry_key, `(?i)forms`)
        )
        // T1137.006: COM add-in registration under HKCU/HKLM ...\Microsoft\Office\...\Addins
        or re.regex($e1.target.registry.registry_key, `(?i)\\microsoft\\office\\.*addins(\\|$)`)
        // T1137.006: Excel OPEN, OPEN1, ... values under ...\Excel\Options
        or (
          re.regex($e1.target.registry.registry_key, `(?i)\\excel\\options$`)
          and re.regex($e1.target.registry.registry_value_name, `(?i)^open\d*$`)
        )
      )
    )
    or
    // Signal 3: File drop in Office startup or add-in directories
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        (
          (
            re.regex($e1.target.file.full_path, `(?i)\\microsoft\\word\\startup\\`)
            or re.regex($e1.target.file.full_path, `(?i)\\microsoft\\excel\\xlstart\\`)
            or re.regex($e1.target.file.full_path, `(?i)\\microsoft\\addins\\`)
          )
          // Macro-bearing template and add-in formats only; a .txt or .docx in these folders is ignored
          and re.regex($e1.target.file.full_path, `(?i)\.(dot|dotm|dotx|xla|xlam|xll|wll|ppa|ppam|dll)$`)
        )
        // Outlook's VBA project file (the file APT32 replaced)
        or re.regex($e1.target.file.full_path, `(?i)(^|\\)vbaproject\.otm$`)
      )
    )

  condition:
    $e1
}
```

Chronicle YARA-L 2.0 rule detecting Office Application Startup persistence (T1137) across three detection signals using the UDM event model: PROCESS_LAUNCH events where an Office application spawns a LOLBin child process, REGISTRY_MODIFICATION events targeting Office persistence registry keys (Office test, Outlook WebView and Forms, Office AddIns, Excel OPEN values), and FILE_CREATION events for macro-bearing files placed in the Word STARTUP, Excel XLSTART or Office AddIns directories, or creation of Outlook's VbaProject.OTM. Signal 1 fires on execution rather than on the persistence write itself, so it also catches macro-driven execution from any delivery path; Signals 2 and 3 are the T1137-specific evidence.

Data Sources

  • Google Chronicle SIEM
  • Chronicle Unified Data Model (UDM)
  • Windows endpoints with Chronicle forwarder or Sysmon ingestion

Required Tables

UDM events (PROCESS_LAUNCH, REGISTRY_MODIFICATION, FILE_CREATION)

False Positives & Tuning

  • Corporate-managed Office add-ins distributed via Group Policy that write to STARTUP or XLSTART directories during automated software deployment windows
  • Third-party productivity integrations such as PDF converters, CRM plugins, or document management systems that legitimately register Office AddIns keys during installation
  • Macro-enabled document templates (.dotm, .xlam) pushed to user machines by IT helpdesk as part of standardized Office configuration or brand compliance deployments
  • Outlook itself rewrites VbaProject.OTM whenever a user saves a macro in the VBA editor; scope the OTM signal to writes whose principal process is not outlook.exe, as Test 5 below does

Testing Methodology

Validate this detection against the five tests below, modelled on Atomic Red Team techniques. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Office Test Registry Key DLL Persistence (T1137.002)

    Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject = HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf (the key's default value), Details = C:\Windows\System32\calc.exe. Security Event ID 4657 only if object access auditing is enabled and a SACL is set on the key, with ObjectName containing Office test. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Office test'.

  2. Test 2: Word Startup Template Drop (T1137.001)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Word\STARTUP\df00tech-test.dotm. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Word\STARTUP', FileName=df00tech-test.dotm.

  3. Test 3: Outlook Home Page URL Persistence via Registry (T1137.004)

    Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject contains 'Outlook\WebView\Inbox', Details = https://example.com/payload.html. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'WebView', RegistryValueName='URL', RegistryValueData contains the external URL.

  4. Test 4: Excel XLSTART Add-in Drop (T1137.006)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Excel\XLSTART\df00tech-test.xlam. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Excel\XLSTART', FileName=df00tech-test.xlam.

  5. Test 5: Outlook VbaProject.OTM Macro Project Replacement (T1137, APT32 technique)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'VbaProject.OTM' under the Outlook AppData directory, with Image = cmd.exe (not outlook.exe). DeviceFileEvents: ActionType=FileCreated, FileName contains 'VbaProject.OTM', InitiatingProcessFileName != 'outlook.exe'. Outlook writes this file itself when a user saves macros, so the non-Outlook writer is the discriminating context.
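To check that the rule's three signals fire on the telemetry the five tests above describe, and stay quiet on nearby benign activity, here is an added Python replay of the rule's logic. This is example code written for this page, not part of the Chronicle rule or the Argus package. The regexes mirror the YARA-L rule (RE2 and Python `re` agree on the constructs used); the UDM-shaped records are constructed from the expected-signal descriptions plus benign look-alikes (an Edge WebView2 registry write, a .txt dropped in Word STARTUP, Word launching the print helper splwow64.exe, and Outlook saving its own VbaProject.OTM). The user name, Office install paths and the EdgeWebView key path are assumptions.

```python
"""Replay of the office_application_startup_persistence rule logic (added example).
The regexes mirror the YARA-L rule; the UDM-shaped records below are constructed
from the test descriptions on this page and are not real Chronicle telemetry."""
import re

# Signal 1: Office parent launching a LOLBin child; match the image name itself.
OFFICE_PARENT = re.compile(r"(?i)(^|\\)(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$")
LOLBIN_CHILD = re.compile(r"(?i)(^|\\)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32"
                          r"|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$")
# Signal 2: Office persistence registry locations.
OFFICE_TEST_KEY = re.compile(r"(?i)\\office test\\special\\perf")           # T1137.002
OUTLOOK_WEBVIEW_KEY = re.compile(r"(?i)\\outlook\\webview\\")               # T1137.004
OFFICE_ADDINS_KEY = re.compile(r"(?i)\\microsoft\\office\\.*addins(\\|$)")  # T1137.006
EXCEL_OPTIONS_KEY = re.compile(r"(?i)\\excel\\options$")                    # T1137.006 (OPEN values)
EXCEL_OPEN_VALUE = re.compile(r"(?i)^open\d*$")
LOOSE_WEBVIEW_KEY = re.compile(r"(?i)webview")  # unanchored variant, kept only to show its false positive
# Signal 3: drops into Office startup/add-in folders, or Outlook's VBA project file.
STARTUP_DIR = re.compile(r"(?i)\\microsoft\\(word\\startup|excel\\xlstart|addins)\\")
STARTUP_EXT = re.compile(r"(?i)\.(dot|dotm|dotx|xla|xlam|xll|wll|ppa|ppam|dll)$")
VBAPROJECT_OTM = re.compile(r"(?i)(^|\\)vbaproject\.otm$")
OUTLOOK_IMAGE = re.compile(r"(?i)(^|\\)outlook\.exe$")


def field(event, path):
    """Read a dotted UDM path from a nested dict; absent fields read as ''."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node


def evaluate(event):
    """Return the name of the signal the rule fires on for this event, else None."""
    kind = field(event, "metadata.event_type")
    if kind == "PROCESS_LAUNCH":
        if (OFFICE_PARENT.search(field(event, "principal.process.file.full_path"))
                and LOLBIN_CHILD.search(field(event, "target.process.file.full_path"))):
            return "signal1_office_lolbin_child"
    elif kind == "REGISTRY_MODIFICATION":
        key = field(event, "target.registry.registry_key")
        value_name = field(event, "target.registry.registry_value_name")
        forms = "outlook" in key.lower() and "forms" in key.lower()  # T1137.003, as in the rule
        if (OFFICE_TEST_KEY.search(key) or OUTLOOK_WEBVIEW_KEY.search(key) or forms
                or OFFICE_ADDINS_KEY.search(key)
                or (EXCEL_OPTIONS_KEY.search(key) and EXCEL_OPEN_VALUE.search(value_name))):
            return "signal2_office_registry"
    elif kind == "FILE_CREATION":
        path = field(event, "target.file.full_path")
        if (STARTUP_DIR.search(path) and STARTUP_EXT.search(path)) or VBAPROJECT_OTM.search(path):
            return "signal3_office_startup_file"
    return None


def _event(eid, kind, principal_exe, **target):
    """Minimal UDM-shaped record (constructed for this example)."""
    return {"id": eid, "metadata": {"event_type": kind},
            "principal": {"process": {"file": {"full_path": principal_exe}}}, "target": target}


CMD = r"C:\Windows\System32\cmd.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"  # assumed install path
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
APPDATA = r"C:\Users\alice\AppData\Roaming\Microsoft"                      # assumed user
EVENTS = [
    _event("t1_office_test", "REGISTRY_MODIFICATION", CMD, registry={      # Test 1
        "registry_key": r"HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf",
        "registry_value_name": "(Default)", "registry_value_data": r"C:\Windows\System32\calc.exe"}),
    _event("t2_word_startup", "FILE_CREATION", CMD, file={"full_path": APPDATA + r"\Word\STARTUP\df00tech-test.dotm"}),
    _event("t3_outlook_homepage", "REGISTRY_MODIFICATION", CMD, registry={  # Test 3
        "registry_key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox",
        "registry_value_name": "URL", "registry_value_data": "https://example.com/payload.html"}),
    _event("t4_xlstart_addin", "FILE_CREATION", CMD, file={"full_path": APPDATA + r"\Excel\XLSTART\df00tech-test.xlam"}),
    _event("t5_vbaproject_otm", "FILE_CREATION", CMD, file={"full_path": APPDATA + r"\Outlook\VbaProject.OTM"}),
    _event("word_spawns_cmd", "PROCESS_LAUNCH", WINWORD, process={"file": {"full_path": CMD}}),
    # Benign look-alikes the rule should stay quiet on (all constructed):
    _event("benign_word_print_helper", "PROCESS_LAUNCH", WINWORD,
           process={"file": {"full_path": r"C:\Windows\splwow64.exe"}}),
    _event("benign_edge_webview2_key", "REGISTRY_MODIFICATION", r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
           registry={"registry_key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeWebView\Installed",  # assumed key path
                     "registry_value_name": "version", "registry_value_data": "1.0"}),
    _event("benign_startup_readme", "FILE_CREATION", WINWORD, file={"full_path": APPDATA + r"\Word\STARTUP\readme.txt"}),
    _event("outlook_saves_own_otm", "FILE_CREATION", OUTLOOK, file={"full_path": APPDATA + r"\Outlook\VbaProject.OTM"}),
]


def run(events=EVENTS):
    """Map each event id to the signal the rule fires (None when it stays silent)."""
    return {e["id"]: evaluate(e) for e in events}


def loose_webview_hits(events=EVENTS):
    """Ids an unanchored `(?i)webview` registry check would flag (shows the WebView2 FP)."""
    return sorted(e["id"] for e in events if field(e, "metadata.event_type") == "REGISTRY_MODIFICATION"
                  and LOOSE_WEBVIEW_KEY.search(field(e, "target.registry.registry_key")))


def otm_written_outside_outlook(events=EVENTS):
    """Test 5's extra context: VbaProject.OTM created by a process other than outlook.exe."""
    return sorted(e["id"] for e in events if VBAPROJECT_OTM.search(field(e, "target.file.full_path"))
                  and not OUTLOOK_IMAGE.search(field(e, "principal.process.file.full_path")))
```

`run()` returns a signal for each of the five tests and for Word launching cmd.exe, and None for the three benign records. `loose_webview_hits()` shows why the WebView check must be anchored under Outlook: an unanchored `(?i)webview` also flags the WebView2 runtime's registry write. `otm_written_outside_outlook()` applies the writer-is-not-Outlook condition from Test 5, which the rule itself does not encode; the `outlook_saves_own_otm` record fires Signal 3 but drops out of that list, which is the tuning the False Positives section calls for.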
