Office Application Startup via Template File Modification

Adversaries can modify the default Microsoft Office templates (Word's Normal.dotm and Excel's PERSONAL.XLSB) so that their code is loaded each time the application starts, establishing persistence.

id:d763c9bb-c0f7-4a4f-82b0-06105e178afa
categories:enrich
confidence:low
os:windows
created:7/26/2019
updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Persistence
techniques:T1137 Office Application Startup

Query

// Any non-delete file event (create, modify, rename) touching a startup template.
// Both patterns carry a "*" for the user profile directory.
file where not subtype.delete and
  wildcard(file_path,
           "*:\\Users\\*\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
           "*:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB")
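To show which events the query selects, here is an added Python stand-in for the analytic, run over constructed file events; it is not the page's own code nor an EQL engine, and the event shape (with subtype.* as boolean flags, as in the Endgame schema) is an assumption.

```python
import fnmatch

# The two startup-template paths from the analytic; '*' is a glob wildcard.
TEMPLATE_PATTERNS = [
    r"*:\Users\*\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"*:\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB",
]


def path_matches(file_path, patterns=TEMPLATE_PATTERNS):
    """Approximates EQL wildcard(): glob match, case-insensitive as Windows paths are."""
    lowered = file_path.lower()
    return any(fnmatch.fnmatchcase(lowered, pat.lower()) for pat in patterns)


def is_template_modification(event):
    """file event, not a delete, whose path is one of the startup templates."""
    subtype = event.get("subtype") or {}          # assumed: {"create": True}, {"delete": True}, ...
    return (
        event.get("event_type") == "file"
        and not subtype.get("delete", False)      # 'not subtype.delete' in the query
        and path_matches(event.get("file_path", ""))
    )


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "file", "subtype": {"modify": True}, "process_name": "winword.exe",
     "file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"event_type": "file", "subtype": {"create": True}, "process_name": "powershell.exe",
     "file_path": r"C:\Users\bob\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB"},
    {"event_type": "file", "subtype": {"delete": True}, "process_name": "explorer.exe",
     "file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"event_type": "file", "subtype": {"modify": True}, "process_name": "winword.exe",
     "file_path": r"C:\Users\alice\Documents\report.docx"},
    {"event_type": "process", "subtype": {"create": True}, "process_name": "winword.exe",
     "file_path": ""},
]


def run_analytic(events=SAMPLE_EVENTS):
    """Return the events the analytic would emit, in input order."""
    return [e for e in events if is_template_modification(e)]


if __name__ == "__main__":
    for hit in run_analytic():
        print(hit["process_name"], hit["file_path"])
```

Note that the delete of Normal.dotm and the ordinary .docx write are filtered out, while both the Word and the Excel template writes are emitted regardless of which process performed them.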

Contributors