Which SIEM platforms have a T1137 detection rule?

df00tech provides T1137 (Office Application Startup) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Office Application Startup (T1137)?

Detecting Office Application Startup requires the following data sources: Process: Process Creation, Windows Registry: Windows Registry Key Modification, File: File Creation, Microsoft Defender for Endpoint.

What severity and confidence is the T1137 detection?

The T1137 detection is rated high severity with medium confidence.

What are common false positives for T1137?

Common false positives for T1137 include: Legitimate Office add-in installation by IT administrators deploying enterprise productivity tools such as Adobe Acrobat PDF add-in, Grammarly, or Microsoft Teams Meeting add-in — these create registry entries under Addins and may drop DLL files into AddIns directories; Software deployment solutions (SCCM, Intune, PDQ Deploy) installing or updating Office plugins and templates during endpoint provisioning — the initiating process will be a deployment agent rather than office apps; Developers or power users creating custom Word STARTUP templates (.dotm) or Excel XLSTART add-ins (.xlam) for personal or departmental productivity macros — verify with the user whether the macro file was intentionally created.

T1137 Elastic Security · Elastic

Detect Office Application Startup in Elastic Security

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Multiple mechanisms exist for Office-based persistence, including Office Template Macros, add-ins, and Outlook-specific features such as rules, forms, and Home Page. These persistence mechanisms activate when an Office application is launched or when specific Office events occur (such as receiving email), providing reliable execution on compromised endpoints. Real-world threat actors including APT32 (OceanLotus) and Gamaredon Group have abused Office persistence mechanisms, with APT32 notably replacing Outlook's VbaProject.OTM file with backdoor macros. The technique spans Word, Excel, Outlook, PowerPoint, and Access, and functions both on-premises and in Office 365 cloud environments. Sub-techniques include Office Template Macros (T1137.001), Office Test registry key (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006).

MITRE ATT&CK

Tactic: Persistence
Technique: T1137 Office Application Startup
Canonical reference: https://attack.mitre.org/techniques/T1137/

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.id with maxspan=5m
  [any where
    // Signal 1: Office spawning suspicious child
    (
      event.category == "process" and event.type == "start"
      and process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "onenote.exe")
      and process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe", "net.exe", "net1.exe")
    )
    or
    // Signal 2: Registry persistence
    (
      event.category == "registry" and event.type in ("creation", "change")
      and (
        registry.path like~ "*Office test*"
        or registry.path like~ "*WebView*"
        or (registry.path like~ "*Outlook*" and registry.path like~ "*Forms*")
        or (registry.path like~ "*AddIns*" and registry.path like~ "*Microsoft*" and registry.path like~ "*Office*")
        or (registry.path like~ "*Microsoft*Office*" and registry.value_name regex~ "OPEN\d*")
      )
    )
    or
    // Signal 3: Persistence file dropped
    (
      event.category == "file" and event.type in ("creation", "change")
      and (
        (
          (file.path like~ "*Microsoft*Word*STARTUP*"
          or file.path like~ "*Microsoft*Excel*XLSTART*"
          or file.path like~ "*Microsoft*AddIns*")
          and (file.name like~ "*.dotm" or file.name like~ "*.dotx" or file.name like~ "*.xlam"
              or file.name like~ "*.xla" or file.name like~ "*.xll" or file.name like~ "*.wll"
              or file.name like~ "*.ppam" or file.name like~ "*.ppa" or file.name like~ "*.dll")
        )
        or file.name like~ "VbaProject.OTM"
      )
    )
  ]

high severity high confidence

Detects Office Application Startup persistence (T1137) across three signals: Office applications spawning suspicious child processes indicating macro or add-in execution, registry modifications to known Office persistence locations (Office Test key, Outlook Forms, Add-ins, OPEN keys), and files dropped into Office startup or add-in directories including VbaProject.OTM replacement.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonElastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.registry-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

Legitimate macro-enabled templates deployed by IT via Group Policy or endpoint management tools may trigger file persistence signals when placed in STARTUP or XLSTART directories
Security software, PDF readers, or third-party Office integrations that legitimately register COM add-ins under Microsoft\Office\AddIns registry keys
Developers using MSBuild, PowerShell, or cmd.exe as part of Office automation or VSTO (Visual Studio Tools for Office) development workflows

Download portable Sigma rule (.yml)

Other platforms for T1137

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Office Test Registry Key DLL Persistence (T1137.002)
Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject = HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf, Details = C:\Windows\System32\calc.exe. Security Event ID 4657 (if object access auditing enabled) with ObjectName containing Office test. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Office test'.
Test 2Word Startup Template Drop (T1137.001)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Word\STARTUP\df00tech-test.dotm. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Word\STARTUP', FileName=df00tech-test.dotm.
Test 3Outlook Home Page URL Persistence via Registry (T1137.004)
Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject contains 'Outlook\WebView\Inbox', Details = https://example.com/payload.html. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey has 'WebView', RegistryValueName='URL', RegistryValueData contains the external URL.
Test 4Excel XLSTART Add-in Drop (T1137.006)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Excel\XLSTART\df00tech-test.xlam. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Excel\XLSTART', FileName=df00tech-test.xlam.
Test 5Outlook VbaProject.OTM Macro Project Replacement (T1137 — APT32 technique)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'VbaProject.OTM' in the Outlook AppData directory. InitiatingProcessImage = cmd.exe (not outlook.exe). DeviceFileEvents: ActionType=FileCreated, FileName contains 'VbaProject.OTM', InitiatingProcessFileName != 'outlook.exe'.

Last updated: 2026-04-18 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1137 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Office Application Startup in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1137

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Related Techniques

Same Tactic: Persistence

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1137

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (6)

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox