Office Application Startup via Template Registry Modification

Adversaries can modify Microsoft Office-related registry keys to establish persistence.

id: 100e0ff0-fae0-4dc0-998d-c168d7e4dcb7
categories: enrich
confidence: low
os: windows
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Persistence
techniques: T1137 Office Application Startup

Query

registry where wildcard(registry_path,
  "*\\Software\\Microsoft\\Office\\*\\Outlook\\Today\\UserDefinedUrl",
  "*\\Software\\Microsoft\\Office\\*\\Excel\\Options\\Open",
  "*\\Software\\Microsoft\\Office\\*\\PowerPoint\\AddIns",
  "*\\Software\\Microsoft\\Office\\*\\Addins\\*",
  "*\\SOFTWARE\\Microsoft\\Office\\*\\Excel\\Options",
  "*\\Software\\Microsoft\\VBA\\VBE\\*\\Addins\\*")
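
The query's wildcard patterns applied to constructed registry events, as an added example that is not part of the original analytic. It assumes EQL's wildcard treats "*" as any run of characters and compares case-insensitively; the event dicts, the `triage` helper, the SID and every path are constructed for illustration.

```python
import re

# The six patterns from the query; each "\\" there is one literal backslash.
PATTERNS = [
    r"*\Software\Microsoft\Office\*\Outlook\Today\UserDefinedUrl",
    r"*\Software\Microsoft\Office\*\Excel\Options\Open",
    r"*\Software\Microsoft\Office\*\PowerPoint\AddIns",
    r"*\Software\Microsoft\Office\*\Addins\*",
    r"*\SOFTWARE\Microsoft\Office\*\Excel\Options",
    r"*\Software\Microsoft\VBA\VBE\*\Addins\*",
]

def compile_wildcard(pattern):
    # Assumption: "*" matches any run of characters and the comparison is
    # case-insensitive and anchored at both ends of registry_path.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

COMPILED = [(p, compile_wildcard(p)) for p in PATTERNS]

def matching_patterns(registry_path):
    """Return every pattern from the query that matches the full path."""
    return [p for p, rx in COMPILED if rx.fullmatch(registry_path)]

def triage(events):
    """Return (registry_path, process_name, matched patterns) per hit."""
    hits = []
    for ev in events:
        matched = matching_patterns(ev["registry_path"])
        if matched:
            hits.append((ev["registry_path"], ev["process_name"], matched))
    return hits

# Constructed sample events (hypothetical SID, add-in name and processes).
HKU = r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
SAMPLE_EVENTS = [
    {"process_name": "reg.exe", "registry_path": HKU + r"\Office\16.0\Excel\Options\OPEN"},
    {"process_name": "reg.exe", "registry_path": HKU + r"\Office\16.0\Excel\Options\OPEN1"},
    {"process_name": "winword.exe", "registry_path": HKU + r"\Office\Word\Addins\Constructed.Connect\LoadBehavior"},
    {"process_name": "outlook.exe", "registry_path": HKU + r"\Office\16.0\Outlook\Today\UserDefinedUrl"},
    {"process_name": "svchost.exe", "registry_path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for path, proc, matched in triage(SAMPLE_EVENTS):
        print(f"{proc:12} {path}\n{'':12} matched: {matched}")
```

The OPEN1 event is not flagged: the pattern ending in \Excel\Options\Open matches only a value named exactly Open, while Excel numbers additional entries OPEN1, OPEN2 and so on, which is worth checking when tuning the rule.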

Contributors