Adversaries may leverage Microsoft Office startup folders to execute malicious files at login, establishing persistence within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term compromise attempts.
Detection Rule
title: Potential Persistence Via Microsoft Office Startup Folder
id: 0e20c89d-2264-44ae-8238-aeeaba609ece
status: test
description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
references:
    - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
    - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-06-22
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: file_event
    product: windows
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    selection_word_extension:
        TargetFilename|endswith:
            - '.doc'
            - '.docm'
            - '.docx'
            - '.dot'
            - '.dotm'
            - '.rtf'
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    selection_excel_extension:
        TargetFilename|endswith:
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
    filter_main_office:
        Image|endswith:
            - '\WINWORD.exe'
            - '\EXCEL.exe'
    condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
falsepositives:
    - Loading a user environment from a backup or a domain controller
    - Synchronization of templates
level: high
Azure Sentinel Query (KQL, ASIM imFileEvent)
imFileEvent
| where (
        (
            (TargetFilePath contains "\\Microsoft\\Word\\STARTUP"
                or (TargetFilePath contains "\\Office" and TargetFilePath contains "\\Program Files" and TargetFilePath contains "\\STARTUP"))
            and (TargetFilePath endswith ".doc" or TargetFilePath endswith ".docm" or TargetFilePath endswith ".docx"
                or TargetFilePath endswith ".dot" or TargetFilePath endswith ".dotm" or TargetFilePath endswith ".rtf")
        )
        or (
            (TargetFilePath contains "\\Microsoft\\Excel\\XLSTART"
                or (TargetFilePath contains "\\Office" and TargetFilePath contains "\\Program Files" and TargetFilePath contains "\\XLSTART"))
            and (TargetFilePath endswith ".xls" or TargetFilePath endswith ".xlsm" or TargetFilePath endswith ".xlsx"
                or TargetFilePath endswith ".xlt" or TargetFilePath endswith ".xltm")
        )
    )
// filter_main_office: the Sigma Image field is the process that wrote the file, which is
// ActingProcessName in the ASIM FileEvent schema. The path selections above use TargetFilePath
// (full path) rather than TargetFileName (name only, which never contains a folder), and the
// exclusion below uses ActingProcessName rather than TargetFilePath (which never ends in .exe
// for these events, so Word and Excel would never have been excluded).
| where not (ActingProcessName endswith "\\WINWORD.exe" or ActingProcessName endswith "\\EXCEL.exe")
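To check what the rule's condition actually fires on before deploying it, the selection and filter logic can be re-implemented and run over sample file_event records. The following is an added example written for this page, not part of the Sigma rule or the original post; the event records, hosts and user names are constructed.

```python
# Added example: the Sigma condition re-implemented in Python and evaluated over
# constructed file_event records (TargetFilename = file written, Image = writing process).
WORD_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".rtf")
EXCEL_EXTS = (".xls", ".xlsm", ".xlsx", ".xlt", ".xltm")
OFFICE_IMAGES = ("\\winword.exe", "\\excel.exe")


def in_startup_folder(path: str, user_folder: str, install_folder: str) -> bool:
    """Mirror selection_*_paths: either the per-user startup folder or the folder
    under the Office install tree. Sigma string matching is case-insensitive."""
    p = path.lower()
    if user_folder.lower() in p:
        return True
    return all(part in p for part in ("\\office", "\\program files", install_folder.lower()))


def matches_rule(event: dict) -> bool:
    """(all of selection_word_* or all of selection_excel_*) and not filter_main_office."""
    target = event["TargetFilename"].lower()
    # filter_main_office: Word and Excel legitimately write their own startup files
    if event["Image"].lower().endswith(OFFICE_IMAGES):
        return False
    word = in_startup_folder(target, "\\Microsoft\\Word\\STARTUP", "\\STARTUP") and target.endswith(WORD_EXTS)
    excel = in_startup_folder(target, "\\Microsoft\\Excel\\XLSTART", "\\XLSTART") and target.endswith(EXCEL_EXTS)
    return word or excel


def alerts(events: list) -> list:
    """Return the target paths of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical host and user, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\report.dotm"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\Normal.dotm"},
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Program Files\Microsoft Office\root\Office16\XLSTART\book.xlsm"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\notes.txt"},
]

if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Only the cmd.exe write of report.dotm and the setup.exe write into the install-tree XLSTART folder fire; the WINWORD.EXE write is dropped by the filter and the .txt file fails the extension selection.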
Scenario: User creates a macro-enabled document for legitimate reporting
Description: A user creates a .docm file in the Office startup folder to include macros for automating report generation.
Filter/Exclusion: Exclude files with .docm extension created by users in the Documents or Reports directories, or filter by user account with known legitimate use of macros.
Scenario: System administrator deploys a scheduled task using a Word document
Description: An admin uses a Word document with VBA to schedule a task for system maintenance, and saves it in the Office startup folder.
Filter/Exclusion: Exclude files created by users with administrative privileges and containing the string "ScheduledTask" or "Task Scheduler" in the file content.
Scenario: IT team deploys a custom script via Office startup folder for automation
Description: IT deploys a .dotm file containing a script for automating data import/export tasks, stored in the Office startup folder.
Filter/Exclusion: Exclude .dotm files created by the IT service account or those containing specific script keywords like "import", "export", or "automation".
Scenario: Scheduled backup job uses Office to generate a report
Description: A scheduled backup job uses a Word template to generate a report and saves it in the Office startup folder as part of the process.
Filter/Exclusion: Exclude files with .dotx or .dotm extensions created by the backup service account or during scheduled times.
Scenario: User installs a legitimate third-party add-in that requires Office startup folder access
Description: A user installs a legitimate add-in (e.g., from a trusted vendor) that requires registration in the Office startup folder.
Filter/Exclusion: Exclude files signed by known vendors or files with specific file