Detect Office Application Startup in CrowdStrike LogScale
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Multiple mechanisms exist for Office-based persistence, including Office Template Macros, add-ins, and Outlook-specific features such as rules, forms, and Home Page. These persistence mechanisms activate when an Office application is launched or when specific Office events occur (such as receiving email), providing reliable execution on compromised endpoints. Real-world threat actors including APT32 (OceanLotus) and Gamaredon Group have abused Office persistence mechanisms, with APT32 notably replacing Outlook's VbaProject.OTM file with backdoor macros. The technique spans Word, Excel, Outlook, PowerPoint, and Access, and functions both on-premises and in Office 365 cloud environments. Sub-techniques include Office Template Macros (T1137.001), Office Test registry key (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006).
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Canonical reference: https://attack.mitre.org/techniques/T1137/
LogScale Detection Query
// Signal 1: Office application spawning suspicious child processes
#event_simpleName=ProcessRollup2
| ParentBaseFileName=/^(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$/i
| ImageFileName=/\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$/i
| Signal := "OfficeSpawnedSuspiciousProcess"
| table([@timestamp, ComputerName, UserName, Signal, ParentBaseFileName, FileName, CommandLine, ParentCommandLine])

// Signal 2: Office persistence registry modifications
// Run separately and union
#event_simpleName=RegGenericValueSet
| TargetObject=/office.test|webview/i
  OR (TargetObject=/outlook/i AND TargetObject=/forms/i)
  OR (TargetObject=/addins/i AND TargetObject=/microsoft/i AND TargetObject=/office/i)
  OR (TargetObject=/microsoft.*office/i AND TargetObject=/\\OPEN\d*$/i)
| Signal := "OfficeRegistryPersistenceModified"
| table([@timestamp, ComputerName, UserName, Signal, TargetObject, RegStringValue])

// Signal 3: Office persistence file drops
// Run separately and union
// Extension alternation is anchored to the end of the name so .xla does not also match .xlax and .dll is matched once
#event_simpleName=PeFileWritten OR #event_simpleName=SuspiciousFileWrite
| TargetFileName=/(microsoft.*(word.*startup|excel.*xlstart|addins).*\.(dotm|dotx|xlam|xla|xll|wll|ppam|ppa|dll)$)|vbaproject\.otm$/i
| Signal := "OfficePersistenceFileDropped"
| table([@timestamp, ComputerName, UserName, Signal, TargetFileName])

// Unified view — combine all signals with groupBy
// Primary hunt query using all three signals; case{} routes each event type to its
// signal and drops events that match no branch:
#event_simpleName=ProcessRollup2 OR #event_simpleName=RegGenericValueSet OR #event_simpleName=PeFileWritten OR #event_simpleName=SuspiciousFileWrite
| case {
    #event_simpleName=ProcessRollup2
      ParentBaseFileName=/^(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$/i
      ImageFileName=/\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$/i
      | Signal := "OfficeSpawnedSuspiciousProcess" | ArtifactName := FileName;
    #event_simpleName=RegGenericValueSet
      (TargetObject=/office.test|webview/i
        OR (TargetObject=/outlook/i AND TargetObject=/forms/i)
        OR (TargetObject=/addins/i AND TargetObject=/microsoft/i AND TargetObject=/office/i)
        OR (TargetObject=/microsoft.*office/i AND TargetObject=/\\OPEN\d*$/i))
      | Signal := "OfficeRegistryPersistenceModified" | ArtifactName := TargetObject;
    (#event_simpleName=PeFileWritten OR #event_simpleName=SuspiciousFileWrite)
      TargetFileName=/(microsoft.*(word.*startup|excel.*xlstart|addins).*\.(dotm|dotx|xlam|xla|xll|wll|ppam|ppa|dll)$)|vbaproject\.otm$/i
      | Signal := "OfficePersistenceFileDropped" | ArtifactName := TargetFileName;
  }
| groupBy([ComputerName, UserName, Signal], function=[count(as=EventCount), collect([ArtifactName], limit=10)])
| sort(EventCount, order=desc)

CrowdStrike LogScale (Falcon) query detecting Office Application Startup persistence (T1137) using Falcon telemetry events. It covers three signals: ProcessRollup2 events showing Office applications spawning LOLBin child processes (cmd, PowerShell, wscript, etc.), RegGenericValueSet events targeting Office persistence registry keys (Office Test, Outlook Forms, AddIns, OPEN*), and PeFileWritten/SuspiciousFileWrite events for files placed in Office startup directories or for VbaProject.OTM modification.
False Positives & Tuning
- Falcon sensor may generate ProcessRollup2 hits when legitimate IT automation scripts use Office COM interop from PowerShell or cmd.exe to perform document processing, mail merge, or report generation tasks
- Enterprise software packages (e.g., SAP, Oracle) that register Office add-ins as part of their installation process will trigger RegGenericValueSet signals under the AddIns registry path
- VbaProject.OTM writes triggered legitimately when users modify or create their own Outlook VBA macros through the VBA Editor (Alt+F11), which is common in organizations that allow user-managed macros
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Office Test Registry Key DLL Persistence (T1137.002)
Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject = HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf, Details = C:\Windows\System32\calc.exe. Security Event ID 4657 (if object access auditing is enabled) with ObjectName containing Office test. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Office test'.
- Test 2: Word Startup Template Drop (T1137.001)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Word\STARTUP\df00tech-test.dotm. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Word\STARTUP', FileName=df00tech-test.dotm.
- Test 3: Outlook Home Page URL Persistence via Registry (T1137.004)
Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject contains 'Outlook\WebView\Inbox', Details = https://example.com/payload.html. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'WebView', RegistryValueName='URL', RegistryValueData contains the external URL.
- Test 4: Excel XLSTART Add-in Drop (T1137.006)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Excel\XLSTART\df00tech-test.xlam. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Excel\XLSTART', FileName=df00tech-test.xlam.
- Test 5: Outlook VbaProject.OTM Macro Project Replacement (T1137 — APT32 technique)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'VbaProject.OTM' in the Outlook AppData directory. InitiatingProcessImage = cmd.exe (not outlook.exe). DeviceFileEvents: ActionType=FileCreated, FileName contains 'VbaProject.OTM', InitiatingProcessFileName != 'outlook.exe'.
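As an added example that is not part of this detection page, the script below models the three LogScale signals in Python (same regexes, with the Signal 3 extension alternation anchored to the end of the file name) and runs them over constructed Falcon-style events for the five test artifacts above plus two benign events, reproducing the groupBy/count/collect aggregation so the patterns can be checked offline before deployment. Host WS01, user alice, and the sample paths are constructed values.

```python
import re
from collections import defaultdict

# Added example (not from the page): a Python model of the three LogScale signals, run against constructed events.
OFFICE_PARENT = re.compile(r"^(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe$", re.I)
LOLBIN_CHILD = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32"
                          r"|certutil|bitsadmin|schtasks|net1?)\.exe$", re.I)
FILE_PERSIST = re.compile(r"(microsoft.*(word.*startup|excel.*xlstart|addins).*"
                          r"\.(dotm|dotx|xlam|xla|xll|wll|ppam|ppa|dll)$)|vbaproject\.otm$", re.I)

def reg_persistence(key):  # Signal 2: Office Test, WebView, Outlook Forms, AddIns and OPEN* value paths
    k = key.lower()
    return bool(re.search(r"office.test|webview", k)
                or ("outlook" in k and "forms" in k)
                or ("addins" in k and "microsoft" in k and "office" in k)
                or (re.search(r"microsoft.*office", k) and re.search(r"\\open\d*$", k)))

def classify(event):  # returns (Signal, ArtifactName) like the query's assignment step, or None
    name = event["event_simpleName"]
    if name == "ProcessRollup2" and OFFICE_PARENT.search(event["ParentBaseFileName"]) and LOLBIN_CHILD.search(event["ImageFileName"]):
        return "OfficeSpawnedSuspiciousProcess", event["FileName"]
    if name == "RegGenericValueSet" and reg_persistence(event["TargetObject"]):
        return "OfficeRegistryPersistenceModified", event["TargetObject"]
    if name in ("PeFileWritten", "SuspiciousFileWrite") and FILE_PERSIST.search(event["TargetFileName"]):
        return "OfficePersistenceFileDropped", event["TargetFileName"]
    return None

def hunt(events):  # groupBy([ComputerName, UserName, Signal]) with count + collect(limit=10), sorted desc
    groups = defaultdict(lambda: {"EventCount": 0, "ArtifactName": []})
    for event in events:
        hit = classify(event)
        if hit:
            g = groups[(event["ComputerName"], event["UserName"], hit[0])]
            g["EventCount"] += 1
            if hit[1] not in g["ArtifactName"] and len(g["ArtifactName"]) < 10:
                g["ArtifactName"].append(hit[1])
    return sorted(groups.items(), key=lambda kv: kv[1]["EventCount"], reverse=True)

def make_event(kind, **fields):  # constructed sample event from one host/user
    return {"event_simpleName": kind, "ComputerName": "WS01", "UserName": "alice", **fields}

CMD = r"\Device\HarddiskVolume2\Windows\System32\cmd.exe"
ROAMING = r"C:\Users\alice\AppData\Roaming\Microsoft"
SAMPLE_EVENTS = [  # the five Atomic test artifacts listed above, plus two benign events
    make_event("ProcessRollup2", ParentBaseFileName="WINWORD.EXE", FileName="cmd.exe", ImageFileName=CMD),
    make_event("RegGenericValueSet", TargetObject=r"HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"),
    make_event("RegGenericValueSet", TargetObject=r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL"),
    make_event("PeFileWritten", TargetFileName=ROAMING + r"\Word\STARTUP\df00tech-test.dotm"),
    make_event("PeFileWritten", TargetFileName=ROAMING + r"\Excel\XLSTART\df00tech-test.xlam"),
    make_event("SuspiciousFileWrite", TargetFileName=ROAMING + r"\Outlook\VbaProject.OTM"),
    make_event("ProcessRollup2", ParentBaseFileName="explorer.exe", FileName="cmd.exe", ImageFileName=CMD),  # benign parent
    make_event("PeFileWritten", TargetFileName=ROAMING + r"\Word\STARTUP\notes.txt"),  # benign: not a startup artifact
]
```

Calling hunt(SAMPLE_EVENTS) yields one row per signal for WS01/alice, ordered by EventCount, with the matching artifacts collected per row.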
References (13)
- https://attack.mitre.org/techniques/T1137/
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- https://www.cybereason.com/blog/operation-cobalt-kitty-apt
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-spear-phishing-campaign.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table