Detect Office Application Startup in Splunk
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Multiple mechanisms exist for Office-based persistence, including Office Template Macros, add-ins, and Outlook-specific features such as rules, forms, and Home Page. These persistence mechanisms activate when an Office application is launched or when specific Office events occur (such as receiving email), providing reliable execution on compromised endpoints. Real-world threat actors including APT32 (OceanLotus) and Gamaredon Group have abused Office persistence mechanisms, with APT32 notably replacing Outlook's VbaProject.OTM file with backdoor macros. The technique spans Word, Excel, Outlook, PowerPoint, and Access, and functions both on-premises and in Office 365 cloud environments. Sub-techniques include Office Template Macros (T1137.001), Office Test registry key (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006).
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Canonical reference
- https://attack.mitre.org/techniques/T1137/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (1, 11, 12, 13, 14)
| eval lower_image=lower(coalesce(Image, ""))
| eval lower_parent=lower(coalesce(ParentImage, ""))
| eval lower_target=lower(coalesce(TargetObject, TargetFilename, ""))
| eval lower_cmdline=lower(coalesce(CommandLine, ""))
| eval OfficeSpawn=if(
EventCode=1
AND match(lower_parent, "(winword|excel|powerpnt|outlook|msaccess|onenote)\\.exe")
AND match(lower_image, "\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net|net1)\\.exe$"),
1, 0)
| eval RegPersistence=if(
EventCode IN (12, 13, 14)
AND (match(lower_target, "office test")
OR match(lower_target, "webview")
OR (match(lower_target, "outlook") AND match(lower_target, "forms"))
OR (match(lower_target, "addins") AND match(lower_target, "microsoft") AND match(lower_target, "office"))
OR (match(lower_target, "microsoft.*office") AND match(TargetObject, "(?i)\\OPEN\d*$"))),
1, 0)
| eval FilePersistence=if(
EventCode=11
AND (match(lower_target, "microsoft.word.startup")
OR match(lower_target, "microsoft.excel.xlstart")
OR match(lower_target, "microsoft.addins")
OR match(lower_target, "vbaproject\\.otm"))
AND match(lower_target, "\.(dotm|dotx|xlam|xla[^x]|xll|wll|ppam|ppa|\.dll|otm)$"),
1, 0)
| where OfficeSpawn=1 OR RegPersistence=1 OR FilePersistence=1
| eval Signal=case(
OfficeSpawn=1, "OfficeSpawnedSuspiciousProcess",
RegPersistence=1, "OfficeRegistryPersistenceModified",
FilePersistence=1, "OfficePersistenceFileDropped",
true(), "Unknown")
| eval SuspicionScore=OfficeSpawn + RegPersistence + FilePersistence
| table _time, host, User, Signal, EventCode, Image, CommandLine, ParentImage, ParentCommandLine, TargetObject, TargetFilename, SuspicionScore
| sort - _timeDetects Office Application Startup persistence using Sysmon event data. EventCode 1 (Process Create) catches Office processes spawning suspicious child executables indicative of macro or add-in payload execution. EventCodes 12/13/14 (Registry Create/Set/Delete) identify modifications to Office Test DLL key, Outlook WebView Home Page URL values, Outlook Forms registration, and COM add-in registry entries. EventCode 11 (File Create) detects drops into Word STARTUP, Excel XLSTART, or AddIns directories, and modification of VbaProject.OTM. A SuspicionScore field accumulates across concurrent signal types.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Office add-in installation by IT administrators deploying enterprise tools — look for deployment agent parent processes (ccmexec.exe, msiexec.exe) rather than unexpected initiators
- Software deployment solutions (SCCM, Intune) installing or updating Office plugins during endpoint provisioning
- Developers creating custom Word/Excel add-ins for departmental productivity automation — verify with the file owner
- Microsoft Office updates that modify add-in registry keys or install default templates
- Security email gateway add-ins (Proofpoint, Mimecast) registering as Outlook COM add-ins on installation
Other platforms for T1137
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Office Test Registry Key DLL Persistence (T1137.002)
Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject = HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf, Details = C:\Windows\System32\calc.exe. Security Event ID 4657 (if object access auditing enabled) with ObjectName containing Office test. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Office test'.
- Test 2Word Startup Template Drop (T1137.001)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Word\STARTUP\df00tech-test.dotm. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Word\STARTUP', FileName=df00tech-test.dotm.
- Test 3Outlook Home Page URL Persistence via Registry (T1137.004)
Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject contains 'Outlook\WebView\Inbox', Details = https://example.com/payload.html. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey has 'WebView', RegistryValueName='URL', RegistryValueData contains the external URL.
- Test 4Excel XLSTART Add-in Drop (T1137.006)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Excel\XLSTART\df00tech-test.xlam. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Excel\XLSTART', FileName=df00tech-test.xlam.
- Test 5Outlook VbaProject.OTM Macro Project Replacement (T1137 — APT32 technique)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'VbaProject.OTM' in the Outlook AppData directory. InitiatingProcessImage = cmd.exe (not outlook.exe). DeviceFileEvents: ActionType=FileCreated, FileName contains 'VbaProject.OTM', InitiatingProcessFileName != 'outlook.exe'.
References (13)
- https://attack.mitre.org/techniques/T1137/
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- https://www.cybereason.com/blog/operation-cobalt-kitty-apt
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-spear-phishing-campaign.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1137 including response playbook, investigation guide, and atomic red team tests.