Office-based persistence via Office template macros, Outlook forms/rules/homepage, or registry-persistent scripts. The adversary modifies registry keys or Office application directories to load malicious scripts at startup.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |
| Application Log Content (DC0038) | WinEventLog:Application | Outlook rule creation, form load, or homepage redirection |

| Field | Description |
|---|---|
| ParentProcessName | Tune based on expected Office process tree (e.g., WINWORD.EXE spawning cmd.exe) |
| RegistryPath | Specific keys related to Office startup such as Outlook Today, AddIns, or Template Macros |
| TimeWindow | Window of process execution after user login or Outlook launch |
| UserContext | Detect persistence within high-value user mailboxes (e.g., admin, finance, C-suite) |
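
As an added example that is not part of the original strategy, the first analytic's logic applied to constructed Sysmon-style events in Python. The process names, registry key patterns, startup folders and five-minute window are illustrative defaults for the mutable elements above, not values from the page.

```python
from datetime import datetime, timedelta

# Mutable elements from the table above, given illustrative defaults (assumptions).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# RegistryPath: Office startup keys (Outlook Today / home page, AddIns), substring match.
STARTUP_REG_PATTERNS = (r"\outlook\today", r"\outlook\webview", r"\addins")
# Template and startup folders whose contents Office loads automatically.
STARTUP_DIRS = (r"\microsoft\templates", r"\microsoft\word\startup", r"\microsoft\excel\xlstart")
TIME_WINDOW = timedelta(minutes=5)  # TimeWindow: correlate with an Office launch this recent

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def detect(events):
    """Apply the analytic to Sysmon-style event dicts (EventCode, UtcTime, Image,
    ParentImage, TargetFilename, TargetObject); return (EventCode, in_window, reason)."""
    launches = [datetime.fromisoformat(e["UtcTime"]) for e in events
                if e["EventCode"] == 1 and _base(e.get("Image", "")) in OFFICE_PARENTS]
    hits = []
    for e in events:
        code, when = e["EventCode"], datetime.fromisoformat(e["UtcTime"])
        in_window = any(timedelta(0) <= when - t <= TIME_WINDOW for t in launches)
        if (code == 1 and _base(e.get("ParentImage", "")) in OFFICE_PARENTS
                and _base(e["Image"]) in SUSPICIOUS_CHILDREN):
            hits.append((code, in_window, f"{_base(e['ParentImage'])} spawned {_base(e['Image'])}"))
        elif code == 11 and any(p in e["TargetFilename"].lower() for p in STARTUP_DIRS):
            hits.append((code, in_window, f"write to Office startup folder: {e['TargetFilename']}"))
        elif code in (13, 14) and any(p in e["TargetObject"].lower() for p in STARTUP_REG_PATTERNS):
            hits.append((code, in_window, f"Office startup key modified: {e['TargetObject']}"))
    return hits

# Constructed sample telemetry (not real logs): an Outlook launch followed by persistence artefacts.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-01-10T09:00:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventCode": 13, "UtcTime": "2024-01-10T09:00:30",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Today\UserDefinedUrl"},
    {"EventCode": 11, "UtcTime": "2024-01-10T09:01:00",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\update.dotm"},
    {"EventCode": 1, "UtcTime": "2024-01-10T09:02:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 1, "UtcTime": "2024-01-10T09:03:00", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign: parent is not an Office process
    {"EventCode": 13, "UtcTime": "2024-01-10T09:04:00",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Options\Zoom"},  # benign key
    {"EventCode": 1, "UtcTime": "2024-01-10T11:30:00", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},  # no recent launch
]
```

Calling `detect(SAMPLE_EVENTS)` flags the registry, file and two process events; the late EXCEL.EXE spawn carries `in_window=False`, so the TimeWindow element can drive severity rather than suppress the alert.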

Startup-based persistence mechanisms within the Microsoft Office suite, such as template macros and home page redirects, configured through internal automation or client-side settings.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | m365:unified | Set-Mailbox, Set-InboxRule, Set-MailboxFolderPermission |
| Application Log Content (DC0038) | m365:mailboxaudit | Outlook rule creation or custom form deployment |

| Field | Description |
|---|---|
| RuleAction | Identify rule actions that execute scripts, forward emails externally, or start external content |
| MailboxTarget | Focus on users with sensitive roles or shared mailboxes |
| TimeWindow | Detect persistence artifacts created shortly after credential access or login from an unusual location |