T1137 IBM QRadar · QRadar

Detect Office Application Startup in IBM QRadar

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Multiple mechanisms exist for Office-based persistence, including Office Template Macros, add-ins, and Outlook-specific features such as rules, forms, and Home Page. These persistence mechanisms activate when an Office application is launched or when specific Office events occur (such as receiving email), providing reliable execution on compromised endpoints. Real-world threat actors including APT32 (OceanLotus) and Gamaredon Group have abused Office persistence mechanisms, with APT32 notably replacing Outlook's VbaProject.OTM file with backdoor macros. The technique spans Word, Excel, Outlook, PowerPoint, and Access, and functions both on-premises and in Office 365 cloud environments. Sub-techniques include Office Template Macros (T1137.001), Office Test registry key (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006).

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Canonical reference
https://attack.mitre.org/techniques/T1137/

QRadar Detection Query

IBM QRadar (AQL)
SELECT *
FROM (
  SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    username,
    sourceip,
    QIDNAME(qid) AS event_name,
    "ProcessImage",
    "ParentProcessImage",
    "CommandLine",
    "TargetObject",
    "TargetFilename",
    CASE
      WHEN "EventID" = '1'
           AND LOWER("ParentProcessImage") MATCHES '.*\\(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe'
           AND LOWER("ProcessImage") MATCHES '.*\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe'
        THEN 'OfficeSpawnedSuspiciousProcess'
      WHEN "EventID" IN ('12', '13', '14')
           AND ("TargetObject" ILIKE '%office test%'
                OR "TargetObject" ILIKE '%webview%'
                OR ("TargetObject" ILIKE '%outlook%' AND "TargetObject" ILIKE '%forms%')
                OR ("TargetObject" ILIKE '%addins%' AND "TargetObject" ILIKE '%microsoft%' AND "TargetObject" ILIKE '%office%')
                OR ("TargetObject" ILIKE '%microsoft%office%' AND "TargetObject" IMATCHES '.*\\OPEN\d*'))
        THEN 'OfficeRegistryPersistenceModified'
      WHEN "EventID" = '11'
           AND ((("TargetFilename" ILIKE '%microsoft%word%startup%'
                  OR "TargetFilename" ILIKE '%microsoft%excel%xlstart%'
                  OR "TargetFilename" ILIKE '%microsoft%addins%')
                 AND "TargetFilename" IMATCHES '.*\.(dotm|dotx|dot|xlam|xla|xll|wll|ppam|ppa|dll)')
                OR "TargetFilename" ILIKE '%vbaproject.otm%')
        THEN 'OfficePersistenceFileDropped'
      ELSE NULL
    END AS signal
  FROM events
  WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
    AND "EventID" IN ('1', '11', '12', '13', '14')
  LAST 24 HOURS
)
WHERE signal IS NOT NULL
ORDER BY event_time DESC

Severity: high · Confidence: medium

AQL query for IBM QRadar detecting Office Application Startup persistence (T1137) from Sysmon events. Covers three signals: Office processes spawning LOLBins or script interpreters (Event ID 1), registry modifications to Office persistence locations (Event IDs 12/13/14), and creation of add-in or template files in Office startup directories, or of Outlook's VbaProject.OTM, by any process (Event ID 11). Substring checks use ILIKE (case-insensitive LIKE with % wildcards); regular expressions use MATCHES/IMATCHES, which must match the whole string, so no trailing $ anchor is needed. The inner SELECT labels each event and the outer SELECT filters on the label, because an alias defined in the SELECT list cannot be referenced in that same query's WHERE clause. "EventID", "ProcessImage", "ParentProcessImage", "CommandLine", "TargetObject" and "TargetFilename" are custom event properties extracted from the Sysmon payload. The query reads Sysmon and Windows Security events arriving through the Microsoft Windows Security Event Log log source type; adjust the LOGSOURCETYPENAME filter if your deployment routes Sysmon through a different log source type.

Data Sources

  • IBM QRadar SIEM
  • Sysmon via Windows Event Log DSM
  • Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives & Tuning

  • Enterprise software deployment tools (SCCM, Intune) that install Office templates or add-ins by placing files in STARTUP or XLSTART paths
  • Legitimate corporate Office add-ins registered in the AddIns registry key by IT-managed software (CRM integrations, DocuSign, Grammarly for Enterprise)
  • Development and testing environments where developers frequently spawn PowerShell or cmd.exe from Office applications to test macros or automation scripts

Testing Methodology

Validate this detection against the five Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; confirm that the corresponding row appears in the query output with the expected signal value.

  1. Test 1: Office Test Registry Key DLL Persistence (T1137.002)

    Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject = HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf, Details = C:\Windows\System32\calc.exe (Sysmon writes the user hive as HKU\<SID>\..., which is why the query matches on the 'office test' substring rather than on an HKCU prefix). Security Event ID 4657 (if object access auditing is enabled) with ObjectName containing Office test. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Office test'. Expected query signal: OfficeRegistryPersistenceModified.

  2. Test 2: Word Startup Template Drop (T1137.001)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Word\STARTUP\df00tech-test.dotm. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Word\STARTUP', FileName=df00tech-test.dotm. Expected query signal: OfficePersistenceFileDropped.

  3. Test 3: Outlook Home Page URL Persistence via Registry (T1137.004)

    Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject contains 'Outlook\WebView\Inbox', Details = https://example.com/payload.html. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'WebView', RegistryValueName='URL', RegistryValueData contains the external URL. Expected query signal: OfficeRegistryPersistenceModified.

  4. Test 4: Excel XLSTART Add-in Drop (T1137.006)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Excel\XLSTART\df00tech-test.xlam. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Excel\XLSTART', FileName=df00tech-test.xlam. Expected query signal: OfficePersistenceFileDropped.

  5. Test 5: Outlook VbaProject.OTM Macro Project Replacement (T1137, APT32 technique)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'VbaProject.OTM' in the Outlook AppData directory, with the Sysmon Image field (the process that created the file) = cmd.exe rather than outlook.exe. DeviceFileEvents: ActionType=FileCreated, FileName contains 'VbaProject.OTM', InitiatingProcessFileName != 'outlook.exe'. Expected query signal: OfficePersistenceFileDropped. Outlook itself rewrites VbaProject.OTM when a user saves a macro, so the creating process is the field that separates the APT32 behaviour from a legitimate save.
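To check the query's logic before it reaches QRadar, the following added example (not part of this page's detection package or of any vendor's code) models the three-signal classification in Python and runs it over constructed Sysmon-style events that mirror the five tests above, plus an Excel OPEN registry value, a legacy .xla add-in and two benign controls. The events, the user name alice, the SID, the Office16 install path and the property names ("ProcessImage", "ParentProcessImage", "TargetObject", "TargetFilename", "EventID") are assumptions chosen to match the query, not captured telemetry. ILIKE and MATCHES are reimplemented with the semantics AQL gives them: % wildcards for ILIKE, whole-string regex matching for MATCHES and IMATCHES.

```python
import re

# Added example: a Python model of the three-signal AQL logic for T1137,
# exercised on constructed (fabricated) Sysmon-style events.


def ilike(value, pattern):
    """AQL ILIKE: case-insensitive SQL LIKE where '%' matches any run of characters."""
    rx = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(rx, value, re.I | re.S) is not None


def matches(value, regex):
    """AQL MATCHES/IMATCHES: the regex must match the entire string (case-insensitive here)."""
    return re.fullmatch(regex, value, re.I) is not None


OFFICE_PARENT = r".*\\(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe"
SUSPICIOUS_CHILD = (r".*\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32"
                    r"|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe")
# Extensions that auto-load from Office startup folders; .xla and .dll end the path.
STARTUP_EXT = r".*\.(dotm|dotx|dot|xlam|xla|xll|wll|ppam|ppa|dll)"


def classify(ev):
    """Return the signal name for one event, or None when no branch of the CASE fires."""
    eid = str(ev.get("EventID", ""))
    if eid == "1":
        if (matches(ev.get("ParentProcessImage", ""), OFFICE_PARENT)
                and matches(ev.get("ProcessImage", ""), SUSPICIOUS_CHILD)):
            return "OfficeSpawnedSuspiciousProcess"
    elif eid in ("12", "13", "14"):
        t = ev.get("TargetObject", "")
        if (ilike(t, "%office test%")
                or ilike(t, "%webview%")
                or (ilike(t, "%outlook%") and ilike(t, "%forms%"))
                or (ilike(t, "%addins%") and ilike(t, "%microsoft%") and ilike(t, "%office%"))
                or (ilike(t, "%microsoft%office%") and matches(t, r".*\\OPEN\d*"))):
            return "OfficeRegistryPersistenceModified"
    elif eid == "11":
        f = ev.get("TargetFilename", "")
        in_startup_dir = (ilike(f, "%microsoft%word%startup%")
                          or ilike(f, "%microsoft%excel%xlstart%")
                          or ilike(f, "%microsoft%addins%"))
        if (in_startup_dir and matches(f, STARTUP_EXT)) or ilike(f, "%vbaproject.otm%"):
            return "OfficePersistenceFileDropped"
    return None


# Constructed sample events (assumed user, SID and paths; not real telemetry).
# Sysmon reports the per-user hive as HKU\<SID>, not HKEY_CURRENT_USER.
USER_HIVE = r"HKU\S-1-5-21-1000-2000-3000-1001"
APPDATA = r"C:\Users\alice\AppData\Roaming\Microsoft"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

SAMPLE_EVENTS = [
    {"name": "test1_office_test_key", "EventID": 13,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Office test\Special\Perf"},
    {"name": "test2_word_startup_dotm", "EventID": 11,
     "TargetFilename": APPDATA + r"\Word\STARTUP\df00tech-test.dotm"},
    {"name": "test3_outlook_homepage", "EventID": 13,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL"},
    {"name": "test4_excel_xlstart_xlam", "EventID": 11,
     "TargetFilename": APPDATA + r"\Excel\XLSTART\df00tech-test.xlam"},
    {"name": "test5_vbaproject_otm", "EventID": 11,
     "ProcessImage": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": APPDATA + r"\Outlook\VbaProject.OTM"},
    {"name": "excel_open_value", "EventID": 13,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Office\16.0\Excel\Options\OPEN1"},
    {"name": "legacy_xla_in_xlstart", "EventID": 11,
     "TargetFilename": APPDATA + r"\Excel\XLSTART\legacy.xla"},
    {"name": "word_spawns_powershell", "EventID": 1, "ParentProcessImage": WINWORD,
     "ProcessImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign controls: Word's print helper, and a non-loadable file in STARTUP.
    {"name": "benign_word_print_helper", "EventID": 1, "ParentProcessImage": WINWORD,
     "ProcessImage": r"C:\Windows\splwow64.exe"},
    {"name": "benign_text_file_in_startup", "EventID": 11,
     "TargetFilename": APPDATA + r"\Word\STARTUP\readme.txt"},
]


def run(events=SAMPLE_EVENTS):
    """Map event name -> signal for every event that produces a signal."""
    results = {}
    for ev in events:
        signal = classify(ev)
        if signal is not None:
            results[ev["name"]] = signal
    return results


if __name__ == "__main__":
    for name, signal in run().items():
        print(f"{name:32s} {signal}")
```

Run it stand-alone and compare the printed signals with the "Expected query signal" lines above; the two benign events should be absent from the output. Because the model keeps the same patterns as the AQL, any change you make to the query (a new startup extension, an extra LOLBin) can be mirrored here and checked against a new sample event before it is deployed.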
