Office Application Startup via Template Registry Modification
Adversaries can modify Microsoft Office-related registry keys to establish persistence.
| id: | 100e0ff0-fae0-4dc0-998d-c168d7e4dcb7 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Persistence |
|---|---|
| techniques: | T1137 Office Application Startup |
Query
registry where wildcard(registry_path,
  "*\\Software\\Microsoft\\Office\\*\\Outlook\\Today\\UserDefinedUrl",
  "*\\Software\\Microsoft\\Office\\*\\Excel\\Options\\Open",
  "*\\Software\\Microsoft\\Office\\*\\PowerPoint\\AddIns",
  "*\\Software\\Microsoft\\Office\\*\\Addins\\*",
  "*\\SOFTWARE\\Microsoft\\Office\\*\\Excel\\Options",
  "*\\Software\\Microsoft\\VBA\\VBE\\*\\Addins\\*")
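To check which registry paths the six patterns select before deploying the query, the following added example (not part of the original analytic or of EQL itself) emulates the wildcard match in Python over constructed events. It assumes matching is case-insensitive, that `*` matches any run of characters including backslashes, and that a pattern must match the whole path; the SID, the `process_name` values and the add-in names are constructed.

```python
import re

# The six patterns from the query above (raw strings: one backslash per separator).
PATTERNS = [
    r"*\Software\Microsoft\Office\*\Outlook\Today\UserDefinedUrl",
    r"*\Software\Microsoft\Office\*\Excel\Options\Open",
    r"*\Software\Microsoft\Office\*\PowerPoint\AddIns",
    r"*\Software\Microsoft\Office\*\Addins\*",
    r"*\SOFTWARE\Microsoft\Office\*\Excel\Options",
    r"*\Software\Microsoft\VBA\VBE\*\Addins\*",
]

def compile_wildcard(pattern):
    """Translate a wildcard pattern into a case-insensitive regex ('*' -> '.*')."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

COMPILED = [(p, compile_wildcard(p)) for p in PATTERNS]

def matching_patterns(registry_path):
    """Return every pattern that matches the full path (empty list: no hit)."""
    return [p for p, rx in COMPILED if rx.fullmatch(registry_path)]

def triage(events):
    """Return (event, matched patterns) for each event the query would select."""
    hits = []
    for ev in events:
        matched = matching_patterns(ev.get("registry_path", ""))
        if matched:
            hits.append((ev, matched))
    return hits

HIVE = r"HKEY_USERS\S-1-5-21-0-0-0-1001"  # constructed SID
OFFICE = HIVE + r"\Software\Microsoft\Office\16.0"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"process_name": "reg.exe", "registry_path": OFFICE + r"\Outlook\Today\UserDefinedUrl"},
    {"process_name": "powershell.exe", "registry_path": (OFFICE + r"\Excel\Options\Open").lower()},
    {"process_name": "powerpnt.exe", "registry_path": OFFICE + r"\PowerPoint\AddIns"},
    {"process_name": "msiexec.exe", "registry_path": OFFICE + r"\PowerPoint\AddIns\Constructed"},
    {"process_name": "excel.exe", "registry_path": OFFICE + r"\Excel\Options"},
    {"process_name": "regsvr32.exe", "registry_path": HIVE + r"\Software\Microsoft\VBA\VBE\6.0\Addins\Constructed.Connect"},
    {"process_name": "winword.exe", "registry_path": OFFICE + r"\Word\Options\DefaultFormat"},
]

if __name__ == "__main__":
    for ev, matched in triage(SAMPLE_EVENTS):
        print(ev["process_name"], ev["registry_path"], "->", matched)
```

Under these assumptions the `PowerPoint\AddIns` pattern matches only the key itself, while writes beneath it are picked up by the generic `Addins\*` pattern, and legitimate add-in installers hit the same paths, which is consistent with the analytic's low confidence rating.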