Office Application Startup (T1137)

View on ATT&CK

In Playbook

Associated Tactics

  • Persistence

Persistence (TA0003)

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

View on ATT&CK

Procedure Examples

Description Source(s)
Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019. Microsoft Detect Outlook Forms
Koeller, B.. (2018, February 21). Defending Against Rules and Forms Injection. Retrieved November 5, 2019. TechNet O365 Outlook Rules
Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019. CrowdStrike Outlook Forms
SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019. SensePost Ruler GitHub
SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019. SensePost NotRuler
Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019. Outlook Today Home Page