Potential Persistence Via Microsoft Office Startup Folder
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
Sigma rule
```yaml
title: Potential Persistence Via Microsoft Office Startup Folder
id: 0e20c89d-2264-44ae-8238-aeeaba609ece
status: test
description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
references:
    - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
    - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-06-22
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: file_event
    product: windows
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    selection_word_extension:
        TargetFilename|endswith:
            - '.doc'
            - '.docm'
            - '.docx'
            - '.dot'
            - '.dotm'
            - '.rtf'
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    selection_excel_extension:
        TargetFilename|endswith:
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
    filter_main_office:
        Image|endswith:
            - '\WINWORD.exe'
            - '\EXCEL.exe'
    condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
falsepositives:
    - Loading a user environment from a backup or a domain controller
    - Synchronization of templates
level: high
```
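To make the selection and filter interplay concrete, the following is an added example (not code from the Sigma project or the rule authors) that re-implements the rule's condition in Python and runs it over constructed Sysmon-style file creation records. It assumes the event fields are named `Image` and `TargetFilename` as in the rule, and that, as Sigma specifies, `contains` and `endswith` match case-insensitively. The sample paths and process names are made up for illustration.

```python
# Added example (not the Sigma project's code): a stand-alone re-implementation
# of the rule's matching logic, run over constructed Sysmon-style file_event
# records so the selection/filter interplay can be inspected offline.
# Sigma string modifiers (contains, endswith) match case-insensitively, so every
# comparison below lowercases both sides.

WORD_EXTENSIONS = ('.doc', '.docm', '.docx', '.dot', '.dotm', '.rtf')
EXCEL_EXTENSIONS = ('.xls', '.xlsm', '.xlsx', '.xlt', '.xltm')
# filter_main_office: writes performed by Word or Excel themselves are excluded,
# which is what keeps Normal.dotm saves by WINWORD.exe from alerting.
OFFICE_IMAGES = ('\\winword.exe', '\\excel.exe')


def _in_startup_dir(target: str, user_marker: str, folder: str) -> bool:
    """selection_*_paths: either the per-user startup path (user_marker) or the
    contains|all branch: any path holding the Program Files, Office and
    startup-folder fragments together."""
    t = target.lower()
    if user_marker in t:
        return True
    return all(part in t for part in ('\\office', '\\program files', folder))


def is_word_startup_write(target: str) -> bool:
    """all of selection_word_*: startup path AND a Word extension."""
    return (_in_startup_dir(target, '\\microsoft\\word\\startup', '\\startup')
            and target.lower().endswith(WORD_EXTENSIONS))


def is_excel_startup_write(target: str) -> bool:
    """all of selection_excel_*: XLSTART path AND an Excel extension."""
    return (_in_startup_dir(target, '\\microsoft\\excel\\xlstart', '\\xlstart')
            and target.lower().endswith(EXCEL_EXTENSIONS))


def rule_matches(event: dict) -> bool:
    """condition: (all of selection_word_* or all of selection_excel_*)
    and not filter_main_office"""
    target = event['TargetFilename']
    written_by_office = event['Image'].lower().endswith(OFFICE_IMAGES)
    return ((is_word_startup_write(target) or is_excel_startup_write(target))
            and not written_by_office)


def evaluate(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e['TargetFilename'] for e in events if rule_matches(e)]


# Constructed sample events (fields named as in Sysmon Event ID 11); the user,
# process and file names are invented for this example.
SAMPLE_EVENTS = [
    # script host dropping a template into the per-user Word STARTUP folder: alert
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\update.dotm'},
    # Word itself saving its global template: excluded by filter_main_office
    {'Image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\Normal.dotm'},
    # machine-wide XLSTART under Program Files, matched by the contains|all branch: alert
    {'Image': 'C:\\Windows\\System32\\cmd.exe',
     'TargetFilename': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\XLSTART\\book.xlsm'},
    # right folder, wrong extension: no alert
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\readme.txt'},
    # per-user XLSTART write by a non-Office process: alert
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\budget.xlsx'},
]

if __name__ == '__main__':
    for hit in evaluate(SAMPLE_EVENTS):
        print('ALERT:', hit)
```

Running it flags the first, third and fifth events and drops the Normal.dotm save because its `Image` ends with `\WINWORD.EXE`. That filter is also the rule's main blind spot to keep in mind when triaging: a write performed through Word or Excel (for example by automation driving the application) is not surfaced by this rule, and the listed false positives (profile restores, template synchronisation) will look identical to the first event at the file_event level, so the writing process and the file's contents are what decide the case.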
Related rules
- IE Change Domain Zone
- New Outlook Macro Created
- Outlook Macro Execution Without Warning Setting Enabled
- Outlook Security Settings Updated - Registry
- Outlook Task/Note Reminder Received