Office Application Startup - T1137
(ATT&CK® Technique)
Definition
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
D3FEND Inferred Relationships
Artifacts affected by Office Application Startup (T1137):
  adds: Software; Office Application File
  may-add: Executable Script
  modifies: System Configuration Database Record; Application Configuration Database; Office Application
  may-modify: System Configuration Database; System Configuration Database Record; Executable Script

Defensive techniques, the artifacts they act on, and their inferred relationship to T1137:
  Decoy File: spoofs Executable Script, Office Application File; may-deceive T1137
  Dynamic Analysis: analyzes Executable Script, Office Application File; may-detect T1137
  Emulated File Analysis: analyzes Executable Script, Office Application File; may-detect T1137
  File Analysis: analyzes Executable Script, Office Application File; may-detect T1137
  File Integrity Monitoring: analyzes Office Application File, Executable Script; may-detect T1137
  File Eviction: deletes Executable Script, Office Application File; may-evict T1137
  Software Update: updates Office Application, Software; may-harden T1137
  System Configuration Permissions: restricts System Configuration Database; may-harden T1137
  File Encryption: encrypts Executable Script, Office Application File; may-harden T1137
  Local File Permissions: restricts Office Application File, Executable Script; may-isolate T1137
  Executable Denylisting: blocks Executable Script; may-isolate T1137
  Executable Allowlisting: blocks Executable Script; may-isolate T1137
  Remote File Access Mediation: isolates Executable Script, Office Application File; may-isolate T1137
  Restore File: restores Executable Script, Office Application File; may-restore T1137
  Restore Configuration: restores System Configuration Database Record, Application Configuration Database; may-restore T1137
  Restore Software: restores Software, Office Application; may-restore T1137
  Restore Database: restores System Configuration Database; may-restore T1137