Detect Office Application Startup in Sumo Logic CSE
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Multiple mechanisms exist for Office-based persistence, including Office Template Macros, add-ins, and Outlook-specific features such as rules, forms, and Home Page. These persistence mechanisms activate when an Office application is launched or when specific Office events occur (such as receiving email), providing reliable execution on compromised endpoints. Real-world threat actors including APT32 (OceanLotus) and Gamaredon Group have abused Office persistence mechanisms, with APT32 notably replacing Outlook's VbaProject.OTM file with backdoor macros. The technique spans Word, Excel, Outlook, PowerPoint, and Access, and functions both on-premises and in Office 365 cloud environments. Sub-techniques include Office Template Macros (T1137.001), Office Test registry key (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006).
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Canonical reference
- https://attack.mitre.org/techniques/T1137/
Sumo Detection Query
_sourceCategory=windows/sysmon (EventCode=1 OR EventCode=11 OR EventCode=12 OR EventCode=13 OR EventCode=14)
| parse xml field=_raw "Event/EventData/Data[@Name='Image']" as Image nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='ParentImage']" as ParentImage nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='CommandLine']" as CommandLine nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='ParentCommandLine']" as ParentCommandLine nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='TargetObject']" as TargetObject nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='TargetFilename']" as TargetFilename nodrop
| parse xml field=_raw "Event/EventData/Data[@Name='User']" as User nodrop
| parse xml field=_raw "Event/SystemData/Computer" as host nodrop
| eval lower_image = toLowerCase(Image)
| eval lower_parent = toLowerCase(ParentImage)
| eval lower_target = toLowerCase(if(!isNull(TargetObject), TargetObject, if(!isNull(TargetFilename), TargetFilename, "")))
| eval OfficeSpawn = if(
EventCode="1"
AND matches(lower_parent, ".*(winword|excel|powerpnt|outlook|msaccess|onenote)\.exe")
AND matches(lower_image, ".*\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|net1?)\.exe$"),
1, 0)
| eval RegPersistence = if(
EventCode in ("12","13","14")
AND (
matches(lower_target, ".*office test.*")
OR matches(lower_target, ".*webview.*")
OR (matches(lower_target, ".*outlook.*") AND matches(lower_target, ".*forms.*"))
OR (matches(lower_target, ".*addins.*") AND matches(lower_target, ".*microsoft.*") AND matches(lower_target, ".*office.*"))
OR (matches(lower_target, ".*microsoft.*office.*") AND matches(TargetObject, "(?i).*\\\\OPEN\\d*$"))
),
1, 0)
| eval FilePersistence = if(
EventCode="11"
AND (
(
(matches(lower_target, ".*microsoft.*word.*startup.*")
OR matches(lower_target, ".*microsoft.*excel.*xlstart.*")
OR matches(lower_target, ".*microsoft.*addins.*"))
AND matches(lower_target, ".*\.(dotm|dotx|xlam|xla[^x]|xll|wll|ppam|ppa|\.dll)$")
)
OR matches(lower_target, ".*vbaproject\.otm.*")
),
1, 0)
| where OfficeSpawn=1 OR RegPersistence=1 OR FilePersistence=1
| eval Signal = if(OfficeSpawn=1, "OfficeSpawnedSuspiciousProcess",
if(RegPersistence=1, "OfficeRegistryPersistenceModified",
if(FilePersistence=1, "OfficePersistenceFileDropped", "Unknown")))
| fields _time, host, User, Signal, EventCode, Image, CommandLine, ParentImage, ParentCommandLine, TargetObject, TargetFilename
| sort by _time descSumo Logic CSE query detecting Office Application Startup persistence (T1137) from Sysmon XML event logs. Parses Sysmon EventCodes 1, 11, 12, 13, and 14 to identify Office processes spawning suspicious interpreters, registry modifications to Office persistence keys, and file drops into Office startup directories or VbaProject.OTM tampering.
Data Sources
Required Tables
False Positives & Tuning
- Automated Office template distribution via Group Policy or MDM solutions placing .dotm or .xlam files in the STARTUP/XLSTART directories as part of standard build images
- Security awareness training tools or sandboxing solutions that hook into Office applications and may appear as suspicious child processes in parent-child process analysis
- Legitimate productivity add-ins registered enterprise-wide (e.g., Salesforce for Outlook, Adobe Acrobat PDF Maker, or Microsoft Teams Meeting add-in) appearing in AddIns registry paths
Other platforms for T1137
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Office Test Registry Key DLL Persistence (T1137.002)
Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject = HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf, Details = C:\Windows\System32\calc.exe. Security Event ID 4657 (if object access auditing enabled) with ObjectName containing Office test. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Office test'.
- Test 2Word Startup Template Drop (T1137.001)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Word\STARTUP\df00tech-test.dotm. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Word\STARTUP', FileName=df00tech-test.dotm.
- Test 3Outlook Home Page URL Persistence via Registry (T1137.004)
Expected signal: Sysmon Event ID 13 (RegistryValue Set): TargetObject contains 'Outlook\WebView\Inbox', Details = https://example.com/payload.html. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey has 'WebView', RegistryValueName='URL', RegistryValueData contains the external URL.
- Test 4Excel XLSTART Add-in Drop (T1137.006)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename = C:\Users\<user>\AppData\Roaming\Microsoft\Excel\XLSTART\df00tech-test.xlam. DeviceFileEvents: ActionType=FileCreated, FolderPath contains 'Excel\XLSTART', FileName=df00tech-test.xlam.
- Test 5Outlook VbaProject.OTM Macro Project Replacement (T1137 — APT32 technique)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'VbaProject.OTM' in the Outlook AppData directory. InitiatingProcessImage = cmd.exe (not outlook.exe). DeviceFileEvents: ActionType=FileCreated, FileName contains 'VbaProject.OTM', InitiatingProcessFileName != 'outlook.exe'.
References (13)
- https://attack.mitre.org/techniques/T1137/
- https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- https://github.com/sensepost/ruler
- https://github.com/sensepost/notruler
- https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- https://www.cybereason.com/blog/operation-cobalt-kitty-apt
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-spear-phishing-campaign.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1137 including response playbook, investigation guide, and atomic red team tests.