T1137: T1137

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/12/2017 17:46 · Modified 27/04/2026 16:32

Essential information

MITRE technique ID: T1137
Confidence: 100/100
Revoked: No
Published: 14/12/2017 17:46
Modified: 27/04/2026 16:32
Author / Source: The MITRE Corporation

Aliases

Office Application Startup

Platforms

windows Office Suite

Description

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

Kill chain phases

Kill chain	Phase
mitre-attack	persistence

Marking (TLP)

External references

SensePost Ruler GitHub
Microsoft Detect Outlook Forms
mitre-attack (T1137)
Outlook Today Home Page
SensePost NotRuler
CrowdStrike Outlook Forms
TechNet O365 Outlook Rules

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (22)

Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
OilRig uses COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Andariel uses Silent ChollimaPLUTONIUM

The MITRE Corporation Confidence 100

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…

First seen 01/01/1970 · Last seen 16/11/5138 ·
KageNoHitobito and DoNex uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
KONNI uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Democratic People's Republic of Korea (DPRK) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mallox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

13–22 of 22

Stonefly uses
FormBook uses

Family
QuasarRAT uses

Family
SPECTR uses

Family
Zloader uses

Family
StealC uses

Family
Dtrack - S0567 uses

Family
Emotet uses
WarzoneRAT uses
FAUST uses
Atera Agent uses

Family
Lu0Bot uses

Family

← Previous

Page / 6

1–12 of 68

Malicious Artifacts Found in Official KICS Docker Repository … related

AlienVault Confidence 100 19 MITREs 2 Malwares 14 IOCs 14 Observables 1 APT
Docker Gatling Gun Campaign related

14 MITREs 2 Malwares 11 Observables 1 APT
Observes Targeted Attacks Amid FBI Warnings related

16 MITREs 2 Malwares 8 Observables 1 APT
Report on Ukraine government attack campaign related

20 MITREs 2 Malwares 33 Observables 1 APT
Profiling and Detecting Malicious DNS Traffic related

16 MITREs 5 Observables
A Deep Dive into a New ValleyRAT Campaign … related

18 MITREs 1 Malware 34 Observables 1 APT
Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT related

1 CVE 20 MITREs 3 Malwares 6 Observables
Array of malware used to gather intelligence for … related

5 CVEs 19 MITREs 6 Malwares 24 Observables 1 APT
A Social Engineering Tactic to Deploy Malware related

19 MITREs 2 Malwares 7 Observables
Mallox Ransomware: Linux Variant Decryptor Found related

19 MITREs 1 Malware 5 Observables 1 APT
New InnoSetup Malware Created Upon Each Download Attempt related

9 MITREs 3 Malwares 32 Observables
Ransomware Attackers May Have Used Privilege Escalation Vulnerability … related

1 CVE 14 MITREs 2 Malwares 5 Observables

← Previous

Page / 2

1–12 of 17

Vulnerabilities (CVE) (10)

CVE-2023-38831 KEV targets

7.8 High

RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …

Attack vector: Local
Published: 24/08/2023
Modified: 27/05/2026

CVE-2024-5806 targets

9.1 Critical

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass in limited scenarios.This issue affects MOVEit Transfer: from …

Attack vector: NETWORK
Published: 25/06/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-42793 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

CVE-2022-0847 KEV targets

Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has …

Published: 25/04/2022
Modified: 20/12/2025

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2024-26169 KEV targets

7.8 High

Microsoft Windows Error Reporting Service contains an improper privilege management vulnerability that allows a local attacker with user permissions to gain SYSTEM …

Attack vector: Local
Published: 13/06/2024
Modified: 21/12/2025

CVE-2022-22965

targets

CVE-2023-27350 KEV targets

9.8 Critical

PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context …

Attack vector: Network
Published: 21/04/2023
Modified: 21/12/2025

CVE-2023-46604 KEV targets

10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector: Network
Published: 02/11/2023
Modified: 21/12/2025

Attack patterns (MITRE) (6)

Outlook Home Page subtechnique-of

MITRE
Outlook Forms subtechnique-of

MITRE
Office Template Macros subtechnique-of

T1137.001 MITRE
Add-ins subtechnique-of

T1137.006 MITRE
Outlook Rules subtechnique-of

T1137.005 MITRE
Office Test subtechnique-of

MITRE

Course Of Action (4)

Behavior Prevention on Endpoint mitigates
Software Configuration mitigates
Update Software mitigates
Disable or Remove Feature or Program mitigates

Contact About Legal notice Privacy policy Terms of use

T1137: T1137

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (22)

Malware (68)

Reports (17)

Vulnerabilities (CVE) (10)

Attack patterns (MITRE) (6)

Course Of Action (4)