Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.
Office Template Macros
Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)
Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can inserted into the base templated and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded. (Citation: enigma0x3 normal.dotm) (Citation: Hexacorn Office Template Macros)
Word Normal.dotm location:
C:\Users(username)\AppData\Roaming\Microsoft\Templates\Normal.dotmExcel Personal.xlsb location:
C:\Users(username)\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSBAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.
A Registry location was found that when a DLL reference was placed within it the corresponding DLL pointed to by the binary path would be executed every time an Office application is started (Citation: Hexacorn Office Test)
HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\PerfOffice add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins)
Add-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), and Visual Studio Tools for Office (VSTO) add-ins. (Citation: MRWLabs Office Persistence Add-ins)
XLL Add-Ins are loaded into Excel when it starts up. Excel is configured to use an XLL add-in by the addition of a registry key in HKU. The key's value points to the name of the XLL to be loaded from a default filesystem path. Detection of this method relies on monitoring the Registry for changes to this key that include the "/R" flag in the value.
Registry Location
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options OPEN -> REG_SZ -> /R <XLLAddIn>.xll
File System Location
%AppData%\Roaming\Microsoft\AddIns\
[WinRegMon://HKCUSoftwareMicrosoftOfficeVersionExcelOptions]
index = wineventlog_registry
baseline = 1
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Office\\.*\\Excel\\Options\\.*
proc = .*
type = set|create|delete|renameN/A
index=wineventlog_registry
data_type=REG_SZ
key_path="HKU\\*\\software\\microsoft\\office\\*\\excel\\options\\*"
object="open*"
| makemv delim=\ key_path | eval run_key = mvindex(key_path,8)
| eval base="HKLM\\software\\microsoft\\office\\currentversion\\excel\\options\\"
| rex field=_raw "data=\"(?<data_full>.+\")"
| eval data_full = trim(replace(data_full, "\"",""))
| eval run_base = base + run_key
| search data_full="\/R*"
| stats count by run_base, data_full
| sort run_base
| rename run_base as key_path
index=wineventlog_registry
data_type=REG_SZ
key_path="HKU\\*\\software\\microsoft\\office\\*\\excel\\options\\*"
object="open*"
| makemv delim=\ key_path
| eval run_key = mvindex(key_path,8)
| eval base="HKLM\\software\\microsoft\\office\\currentversion\\excel\\options\\"
| rex field=_raw "data=\"(?<data_full>.+\")"
| eval data_full = trim(replace(data_full, "\"",""))
| eval run_base = base + run_key
| search data_full="\/R*"
| rename run_base as key_path
- Earliest Time: -70m
- Latest Time: now
- Cron Schedule: 10-19/60 * * * *