title: Office Application Startup (T1137)
id: df00tech-t1137
status: experimental
description: "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Multiple mechanisms exist for Office-based persistence, including Office Template Macros, add-ins, and Outlook-specific features such as rules, forms, and Home Page. These persistence mechanisms activate when an Office application is launched or when specific Office events occur (such as receiving email), providing reliable execution on compromised endpoints. Real-world threat actors including APT32 (OceanLotus) and Gamaredon Group have abused Office persistence mechanisms, with APT32 notably replacing Outlook's VbaProject.OTM file with backdoor macros. The technique spans Word, Excel, Outlook, PowerPoint, and Access, and functions both on-premises and in Office 365 cloud environments. Sub-techniques include Office Template Macros (T1137.001), Office Test registry key (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006)."
references:
  - https://attack.mitre.org/techniques/T1137/
  - https://df00tech.com/detections/T1137
author: df00tech
date: 2026/04/18
tags:
  - attack.t1137
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this selection matches every process_creation event and must be replaced
  # before deployment. The detection logic could not be auto-translated; see the KQL/SPL
  # query on df00tech for the file, registry and Outlook artefacts the rule is meant to cover.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate Office add-in installation by IT administrators deploying enterprise productivity tools such as the Adobe Acrobat PDF add-in, Grammarly, or the Microsoft Teams Meeting add-in; these create registry entries under Addins and may drop DLL files into AddIns directories"
  - "Software deployment solutions (SCCM, Intune, PDQ Deploy) installing or updating Office plugins and templates during endpoint provisioning; the initiating process will be a deployment agent rather than an Office application"
  - "Developers or power users creating custom Word STARTUP templates (.dotm) or Excel XLSTART add-ins (.xlam) for personal or departmental productivity macros; verify with the user whether the macro file was intentionally created"
  - "Microsoft Office application updates that modify registry keys such as add-in registrations, WebView settings, or default template associations during patching"
  - "Security email gateway add-ins (Proofpoint, Mimecast, Barracuda) that register as Outlook COM add-ins and create standard Addins registry entries on installation"
level: high
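An added example, not part of the df00tech rule or its query, showing how the persistence locations named in the description and false-positive notes (Word STARTUP .dotm, Excel XLSTART .xlam, Outlook VbaProject.OTM, the Office Test key and Addins registrations) can be checked against file and registry events, with events initiated by deployment agents suppressed as the false-positive notes suggest. The regexes, the agent process names and the sample events are assumptions constructed for this example.

```python
import re

# Persistence locations drawn from the rule's description and false-positive notes.
# Regexes are constructed for this example; tune them to your telemetry.
FILE_RULES = [
    ("T1137.001", re.compile(r"\\Microsoft\\Word\\STARTUP\\[^\\]+\.dotm$", re.I)),
    ("T1137.001", re.compile(r"\\Microsoft\\Excel\\XLSTART\\[^\\]+\.xlam$", re.I)),
    ("T1137.001", re.compile(r"\\Microsoft\\Outlook\\VbaProject\.OTM$", re.I)),  # file APT32 replaced
]
REG_RULES = [
    # Key documented by ATT&CK for T1137.002 (Office Test)
    ("T1137.002", re.compile(r"\\Software\\Microsoft\\Office test\\Special\\Perf", re.I)),
    # Per-application add-in registrations, with or without a version component
    ("T1137.006", re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+\\)?\w+\\Addins\\", re.I)),
]
# Deployment agents the false-positive notes ask you to tolerate (process names are an assumption).
DEPLOYMENT_AGENTS = {"ccmexec.exe", "intunemanagementextension.exe"}

def classify(event):
    """Return the sub-technique id an event maps to, or None.

    event: dict with 'type' ('file' or 'registry'), 'target' (path or key), 'image' (process).
    """
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image in DEPLOYMENT_AGENTS:          # provisioning activity, not persistence
        return None
    rules = FILE_RULES if event["type"] == "file" else REG_RULES
    for tech, pattern in rules:
        if pattern.search(event["target"]):
            return tech
    return None

def triage(events):
    """Return (event, sub-technique) pairs for every event an analyst should review."""
    return [(ev, classify(ev)) for ev in events if classify(ev)]

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\Normal2.dotm"},
    {"type": "file", "image": r"C:\Windows\CCM\CcmExec.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\finance.xlam"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKCU\Software\Microsoft\Office test\Special\Perf"},
    {"type": "registry", "image": r"C:\Users\alice\Downloads\setup.exe",
     "target": r"HKCU\Software\Microsoft\Office\Outlook\Addins\ExampleAddin.Connect"},
]

if __name__ == "__main__":
    for ev, tech in triage(SAMPLE_EVENTS):
        print(tech, ev["image"], "->", ev["target"])
```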
