# T1137 Office Application Startup

-----------------------------------------------------------------------

## Technique Description

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

## Technique Detection

Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.

Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)

Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)

-----------------------------------------------------------------------

### Tactics:

  *   Persistence

### Platforms:

  * Windows

  * Office 365

### Adversary Required Permissions:

  * User

  * Administrator

### Data Sources:

  * **Windows Registry:** Windows Registry Key Creation

  * **File:** File Modification

  * **File:** File Creation

  * **Windows Registry:** Windows Registry Key Modification

  * **Module:** Module Load

  * **Process:** Process Creation

  * **Application Log:** Application Log Content

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has inserted malicious macros into existing documents, providing persistence when they are reopened. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the <code>/altvba</code> option, once the Application.Startup event is received.(Citation: ESET Gamaredon June 2020)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1137)

  * [Sensepost Ruler Github](https://github.com/sensepost/ruler), SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.

  * [Technet O365 Outlook Rules](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/), Koeller, B.. (2018, February 21). Defending Against Rules and Forms Injection. Retrieved November 5, 2019.

  * [Crowdstrike Outlook Forms](https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746), Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019.

  * [Outlook Today Home Page](https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943), Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019.

  * [Microsoft Detect Outlook Forms](https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack), Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.

  * [Sensepost Notruler](https://github.com/sensepost/notruler), SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will leverage Microsoft Office-based applications for persistence between startups.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 2 | none |
| Gamaredon Group | 2, 3 | none |


#### APT28
- has used the Office Test persistence mechanism by adding the Registry key `HKCU\Software\Microsoft\Office test\Special\Perf`, whose default value names a DLL that Office applications load when they start (see the Unit 42 walkthrough in the Analytical References). The key does not exist on a default install, so its creation is itself the signal.

#### Gamaredon Group
- has used a delivered .NET module that lowers Office macro security for several document types by modifying the following values (`VBAWarnings` = 1 enables all macros without a prompt; `AccessVBOM` = 1 grants programmatic access to the VBA project object model, which lets a macro inject code into other documents):
    - HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings
    - HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM

## Detection Blindspots

- Outlook rules, custom forms and folder Home Pages planted through Exchange or Office 365 (for example with Ruler from a host you do not manage) are stored in the mailbox, not on the endpoint, so no Registry or file artifact exists for Host Analytics 2 and 3 to catch. Hunt these with Microsoft's rules/forms script or NotRuler against the mailbox itself.
- Host Analytic 1 only inspects the immediate parent. A macro that starts its payload through WMI (`Win32_Process.Create`) produces a child of WmiPrvSE.exe, not of winword.exe.
- Add-in style persistence (Office test DLL, VBE add-ins, WLL files) loads a module into the Office process without spawning anything; that requires Module Load telemetry (Sysmon Event ID 7), which none of the analytics below query.
- Macros inserted into existing user documents (the Gamaredon Group case) do not touch the template and startup paths in Host Analytic 3.

## Analytical References

  * [Atomic Red Team T1137.002 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md)
  * [Defending Against Rules and Forms Injection](https://docs.microsoft.com/en-us/archive/blogs/office365security/defending-against-rules-and-forms-injection)
  * [Detect and Remediate Outlook Rules Forms Attack (microsoft)](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide)
  * [Outlook Today Homepage Persistence (medium)](https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943)
  * [Technical Walkthrough Office Test Persistence Method Used in Recent Sofacy Attacks (paloaltonetworks)](https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/)
  * [eqllib.readthedocs.io](https://eqllib.readthedocs.io/_/downloads/en/latest/pdf/)
  * [Gamaredon Group Grows Its Game 2020 (welivesecurity)](https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool (NotRuler) to detect Ruler usage.

#### Analytic 1

  * **Information:** Detect common office executables spawning processes

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Include outlook.exe, since rules, custom forms and Home Page persistence all execute inside that process. Office routinely spawns splwow64.exe for printing and Outlook opens the default browser for links; children such as powershell.exe, cmd.exe, wscript.exe, mshta.exe, rundll32.exe, or any image under %TEMP% or %APPDATA%, are the leads. The parent list must be parenthesised, otherwise KQL treats the second and later names as free-text terms rather than values of `process.parent.name`.

  * **Query:** ```process.parent.name : (winword.exe or excel.exe or powerpnt.exe or onenote.exe or outlook.exe) and not process.name : splwow64.exe```

#### Analytic 2

  * **Information:** Adversaries can modify Microsoft Office-related registry keys to establish persistence. 

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Sysmon Event ID 12 (key create) and 13 (value set) record the hive as `HKU\<SID>\...` or `HKLM\...`, never as `HKEY_CURRENT_USER`/`HKEY_LOCAL_MACHINE`, so match on the key path suffix. The `Office test\Special\Perf` key is absent on a default install; its creation is the signal, and because its default value names a DLL loaded by every Office application, a subsequent Sysmon Event ID 7 (Image Loaded) for that DLL in winword.exe or excel.exe corroborates the hit. The EQL list adds the Office test key and the `VBAWarnings`/`AccessVBOM` values from the Gamaredon Group example to the startup locations.

  * **Query:** ```TargetObject:*\\Software\\Microsoft\\Office?test\\Special\\Perf*``` (Lucene syntax; `?` stands in for the space in `Office test`, which an unquoted KQL term cannot contain)
  * **EQL Query:** ```registry where wildcard(registry_path,
"*\\Software\\Microsoft\\Office test\\Special\\Perf*",
"*\\Software\\Microsoft\\Office\\*\\Outlook\\Today\\UserDefinedUrl",
"*\\Software\\Microsoft\\Office\\*\\Excel\\Options\\Open",
"*\\Software\\Microsoft\\Office\\*\\PowerPoint\\AddIns",
"*\\Software\\Microsoft\\Office\\*\\Addins\\*",
"*\\SOFTWARE\\Microsoft\\Office\\*\\Excel\\Options",
"*\\Software\\Microsoft\\VBA\\VBE\\*\\Addins\\*",
"*\\Software\\Microsoft\\Office\\*\\*\\Security\\VBAWarnings",
"*\\Software\\Microsoft\\Office\\*\\*\\Security\\AccessVBOM")```

#### Analytic 3

  * **Information:** Adversaries can modify default Microsoft Office templates in order to establish persistence 

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Word rewrites Normal.dotm itself when the template changes and Outlook writes VbaProject.OTM when the user edits Outlook VBA, so a write by winword.exe or outlook.exe alone is routine; a write by any other process (PowerShell, a dropper, an archive extractor) is the lead, and the Sysmon FileCreate event (ID 11) fires on overwrite as well as creation. The original PERSONAL.XLSB pattern was missing the `\*` user segment and the list ended with a stray comma; the Word STARTUP folder (templates and WLL add-ins) and Outlook's VbaProject.OTM (the APT32 case) are added.

  * **EQL Query:** ```file where not subtype.delete and
wildcard(file_path,
"*:\\Users\\*\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
"*:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",
"*:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*",
"*:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM")```
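The three host analytics above, and the Technique Detection guidance they restate, can be exercised offline against Sysmon telemetry before the Kibana queries are trusted. The following is an added example for this page, not code from MITRE, Microsoft or SensePost: it applies the process-tree, Registry and template-file checks to a handful of constructed Sysmon events. It assumes events flattened to one dict per event carrying Sysmon's own field names (EventID, ParentImage, Image, CommandLine, TargetObject, Details, TargetFilename); real pipelines nest these (for example under `winlog.event_data`), so the accessors need adapting. The allow-list of benign Office children, the extra startup paths (Word STARTUP, XLSTART, VbaProject.OTM) and all sample paths, SIDs and hostnames are assumptions, not values from the page.

```python
"""Hunt T1137 Office Application Startup artifacts in Sysmon events.

Added example for this page (not MITRE's, Microsoft's or SensePost's code).
Assumes one flat dict per Sysmon event using Sysmon field names; the sample
events at the bottom are constructed, not real telemetry.
"""
import fnmatch
import ntpath

# Office hosts whose children are worth reviewing (Host Analytic 1).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe", "outlook.exe"}
# Children Office spawns routinely (printing). Assumption: tune per estate.
BENIGN_CHILDREN = {"splwow64.exe"}

# Registry locations consulted at Office/Outlook startup (Host Analytic 2) plus
# the Office test and VBAWarnings/AccessVBOM values from the adversary examples.
# Sysmon logs HKU\<SID>\... and HKLM\..., so every pattern is a suffix match.
REGISTRY_PATTERNS = [
    r"*\Software\Microsoft\Office test\Special\Perf*",
    r"*\Software\Microsoft\Office\*\Outlook\Today\UserDefinedUrl",
    r"*\Software\Microsoft\Office\*\Excel\Options\Open*",
    r"*\Software\Microsoft\Office\*\Addins\*",
    r"*\Software\Microsoft\VBA\VBE\*\Addins\*",
    r"*\Software\Microsoft\Office\*\*\Security\VBAWarnings",
    r"*\Software\Microsoft\Office\*\*\Security\AccessVBOM",
]

# Template/startup files loaded when the application starts (Host Analytic 3).
FILE_PATTERNS = [
    r"*\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"*\AppData\Roaming\Microsoft\Excel\XLSTART\*",
    r"*\AppData\Roaming\Microsoft\Word\STARTUP\*",
    r"*\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
]


def match_pattern(value, patterns):
    """Case-insensitive glob match. Lower-casing both sides and using
    fnmatchcase gives the same result on a Linux analysis host as on Windows."""
    v = value.lower()
    return next((p for p in patterns if fnmatch.fnmatchcase(v, p.lower())), None)


def office_child_processes(events):
    """Analytic 1: Sysmon EID 1 where an Office host spawned a non-routine child."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        parent = ntpath.basename(e.get("ParentImage", "")).lower()
        child = ntpath.basename(e.get("Image", "")).lower()
        if parent in OFFICE_HOSTS and child not in BENIGN_CHILDREN:
            hits.append((parent, child, e.get("CommandLine", "")))
    return hits


def office_registry_writes(events):
    """Analytic 2: Sysmon EID 12 (key create/delete) or 13 (value set) on startup keys."""
    hits = []
    for e in events:
        if e.get("EventID") not in (12, 13):
            continue
        pat = match_pattern(e.get("TargetObject", ""), REGISTRY_PATTERNS)
        if pat:
            hits.append((pat, e["TargetObject"], e.get("Details", "")))
    return hits


def office_startup_file_writes(events):
    """Analytic 3: Sysmon EID 11 (FileCreate, also raised on overwrite) on startup
    files. Word writes Normal.dotm itself, so the writing image is part of the verdict."""
    hits = []
    for e in events:
        if e.get("EventID") != 11:
            continue
        if match_pattern(e.get("TargetFilename", ""), FILE_PATTERNS):
            hits.append((ntpath.basename(e.get("Image", "")).lower(), e["TargetFilename"]))
    return hits


# Constructed sample events (assumed paths, SID and address; not real telemetry).
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp"
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File " + TMP + r"\update.ps1"},
    {"EventID": 1, "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": OFFICE + r"\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE"},
    {"EventID": 12, "TargetObject": SID + r"\Software\Microsoft\Office test\Special\Perf"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Office test\Special\Perf\(Default)",
     "Details": APPDATA + r"\perf.dll"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Outlook\Today\UserDefinedUrl",
     "Details": "http://203.0.113.10/today.html"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 11, "Image": PS, "TargetFilename": APPDATA + r"\Microsoft\Templates\Normal.dotm"},
    {"EventID": 11, "Image": TMP + r"\dropper.exe", "TargetFilename": APPDATA + r"\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 11, "Image": OFFICE + r"\WINWORD.EXE", "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for name, fn in [("Office child processes", office_child_processes),
                     ("Office startup Registry writes", office_registry_writes),
                     ("Office startup file writes", office_startup_file_writes)]:
        print(name)
        for hit in fn(SAMPLE_EVENTS):
            print("  ", hit)
```

Run stand-alone, the script reports the PowerShell child of winword.exe, the four Registry writes (both Office test events, the Outlook Today URL and VBAWarnings) and the two template writes by non-Office images, while leaving the print helper, the Run-key change and the ordinary document save alone. The same glob patterns are the ones in the Analytic 2 and 3 EQL queries, so a pattern that misbehaves here will misbehave in Kibana too.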



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Host telemetry sees the Registry write for an Outlook Today Home Page (`UserDefinedUrl`), but the payload itself is fetched by outlook.exe over HTTP(S) each time the folder is opened, so outlook.exe connecting to a host that is not your Exchange or Microsoft 365 endpoint is the network-side lead. Rules, forms and Home Pages set through Exchange with Ruler never touch the client Registry; their only client-side trace is the same kind of outbound fetch or the spawned child process in Host Analytic 1.

#### Analytic 1

  * **Information:** Outlook fetching a folder Home Page from a non-mail host (Outlook Today Home Page persistence)

  * **Source:** Sysmon (Event ID 3 Network Connection), web proxy logs

  * **Tool:** Kibana, Arkime

  * **Notes:** The excluded domains below are only the common Microsoft 365 names; add your on-premises Exchange hosts and any legitimate intranet Home Pages before running it. Correlate a hit with Host Analytic 2 on the same host and user, and review the fetched HTML in the proxy or Arkime session for script.

  * **Query:** ```event.code : 3 and process.name : outlook.exe and not destination.domain : (*.office365.com or *.outlook.com or *.office.com)```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

