Office Application Startup - T1137
(ATT&CK® Technique)
Definition
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
D3FEND Inferred Relationships
Office Application Startup (T1137) and the artifacts it touches:
  adds: Software; Office Application File
  may-add: Executable Script
  modifies: Application Configuration Database; Office Application; System Configuration Database Record
  may-modify: System Configuration Database; Executable Script; System Configuration Database Record

Defensive techniques, the artifacts they act on, and their inferred relationship to T1137:
  Decoy File: spoofs Executable Script, Office Application File; may-deceive T1137
  Emulated File Analysis: analyzes Executable Script, Office Application File; may-detect T1137
  Dynamic Analysis: analyzes Office Application File, Executable Script; may-detect T1137
  File Integrity Monitoring: analyzes Office Application File, Executable Script; may-detect T1137
  File Analysis: analyzes Office Application File, Executable Script; may-detect T1137
  File Eviction: deletes Office Application File, Executable Script; may-evict T1137
  File Encryption: encrypts Office Application File, Executable Script; may-harden T1137
  System Configuration Permissions: restricts System Configuration Database; may-harden T1137
  Software Update: updates Office Application, Software; may-harden T1137
  Content Quarantine: quarantines Executable Script, System Configuration Database Record, Office Application File; may-isolate T1137
  Content Modification: modifies Office Application File, Executable Script; may-isolate T1137
  Content Filtering: filters Executable Script, Office Application File; may-isolate T1137
  Executable Denylisting: blocks Executable Script; may-isolate T1137
  Executable Allowlisting: blocks Executable Script; may-isolate T1137
  Local File Permissions: restricts Executable Script, Office Application File; may-isolate T1137
  Remote File Access Mediation: isolates Office Application File, Executable Script; may-isolate T1137
  Restore File: restores Executable Script, Office Application File; may-restore T1137
  Restore Software: restores Software, Office Application; may-restore T1137
  Restore Database: restores System Configuration Database; may-restore T1137
  Restore Configuration: restores System Configuration Database Record, Application Configuration Database; may-restore T1137