MITRE ATT&CK® Analytic

AN1116: Analytic 1116

Office-based persistence via Office template macros, Outlook forms/rules/homepage, or registry-persistent scripts. Adversary modifies registry keys or Office application directories to load malicious scripts at startup.

Domain: Enterprise. ID: AN1116. Type: Analytic. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic concerns persistence that abuses Microsoft Office startup and configuration behavior on Windows, including templates with macros, Outlook forms/rules/homepages, and registry or Office directory changes that cause scripts to load when Office starts. For leaders, the significance is that business productivity tools can become a persistence layer: remediation may require more than removing a payload, because Office configuration, user profiles, and registry state may continue to relaunch malicious content.

Executive priority

Prioritize this as a Windows endpoint and productivity-application resilience issue. Security leaders should ask whether the organization can prove visibility into Office-related registry changes, Office startup locations, Outlook configuration changes, and macro/template activity. This matters for incident response scoping, audit evidence around endpoint controls, and reducing dwell time where adversaries use trusted business applications rather than obvious malware startup paths.

Technical view

SOC, detection engineering, and IR teams should validate coverage for Windows events that show Office application persistence through registry keys, Office application directories, templates, macros, Outlook forms/rules/homepage configuration, and scripts loaded at Office startup. Because the ATT&CK object provides no official detection logic and no relationships, teams should treat AN1116 as a coverage-validation prompt rather than a ready-to-run analytic. Focus testing on whether endpoint telemetry can distinguish legitimate Office customization and administration from unexpected persistence-related modifications.

Likely telemetry

  • Windows registry modification telemetry for Office and Outlook-related keys
  • File creation and modification events in Office application, startup, template, and user profile locations
  • Process execution telemetry for Office applications launching scripts or child processes
  • Office macro and template activity where collected
  • Outlook rule, form, and homepage configuration change evidence where available

Detection direction

  • Inventory which Office persistence surfaces are actually logged: registry keys, Office directories, templates, Outlook rules/forms/homepage, and script execution at startup.
  • Baseline legitimate Office add-ins, templates, administrative customizations, and Outlook automation to reduce false positives.
  • Tune for unusual modifications by non-administrative users, unexpected script content, Office-launched child processes, or changes outside approved software deployment workflows.
  • Correlate Office persistence indicators with user, host, and recent incident activity before escalating, because the supplied object does not provide tactics, relationships, or official detection criteria.
  • Document blind spots where Outlook configuration, macro activity, or Office startup file paths are not collected by current endpoint tooling.
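As an added illustration that is not part of the page or of the ATT&CK object, the following Python filter applies the inventory, baseline and tune steps above to constructed endpoint events. The event format, the registry and folder locations, the Office and script-host process names, and the approved-deployment-process baseline are all assumptions made for this example and must be replaced with local environment values.

```python
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not from the page); one event per line: kind|user|process|target
SAMPLE_EVENTS = r"""
registry|CORP\jdoe|C:\Windows\System32\reg.exe|HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL
registry|CORP\deploysvc|C:\Windows\CCM\CcmExec.exe|HKCU\Software\Microsoft\Office\16.0\Common\General
file|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\jdoe\AppData\Roaming\Microsoft\Word\STARTUP\helper.dotm
file|CORP\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Users\jdoe\AppData\Roaming\Microsoft\Templates\Normal.dotm
process|CORP\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe
"""
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed baseline: processes used by the organisation's approved software deployment workflow.
APPROVED_DEPLOYERS = {"ccmexec.exe", "msiexec.exe"}

# Persistence surfaces the analytic names, as assumed path patterns; the specific Outlook rule is tested first.
SURFACE_RULES = [
    ("outlook_homepage", re.compile(r"\\Office\\[\d.]+\\Outlook\\WebView\\", re.I)),
    ("office_registry", re.compile(r"\\Software\\Microsoft\\Office\\", re.I)),
    ("office_startup", re.compile(r"\\Microsoft\\(Word|Excel|PowerPoint|Outlook)\\STARTUP\\", re.I)),
    ("office_template", re.compile(r"\\Microsoft\\Templates\\", re.I)),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(kind: str, process: str, target: str) -> Optional[str]:
    """Inventory step: which Office persistence surface, if any, does this event touch?"""
    if kind == "process":
        if basename(process) in OFFICE_APPS and basename(target) in SCRIPT_HOSTS:
            return "office_child_script"
        return None
    return next((name for name, pat in SURFACE_RULES if pat.search(target)), None)

def is_baselined(surface: str, process: str) -> bool:
    """Baseline step: deployment tools may change any surface; Office apps maintain their own templates."""
    proc = basename(process)
    return proc in APPROVED_DEPLOYERS or (surface == "office_template" and proc in OFFICE_APPS)

def detect(events: str) -> List[Dict[str, str]]:
    """Tune step: alert only on surface-touching events that fall outside the baseline."""
    alerts = []
    for line in events.strip().splitlines():
        kind, user, process, target = line.split("|", 3)
        surface = classify(kind, process, target)
        if surface and not is_baselined(surface, process):
            alerts.append({"surface": surface, "user": user, "process": basename(process), "target": target})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` on the constructed events flags the reg.exe write to the Outlook homepage key, the PowerShell write into the Word STARTUP folder and the Word-to-cmd.exe child process, while the deployment-tool registry change and Word's own update of Normal.dotm are suppressed by the baseline.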

Mitigation priorities

  • Harden Office macro and scripting behavior according to organizational policy and business requirements.
  • Restrict unauthorized modification of Office startup locations, templates, and relevant registry areas where feasible.
  • Control and review Outlook rules, forms, and homepage configuration changes in managed environments.
  • Use endpoint management to maintain known-good Office configuration baselines and investigate drift.
  • Ensure IR playbooks include inspection of Office and Outlook persistence locations during Windows host containment and recovery.

Analyst notes and limits

This is a detection analytic object, not a technique object, and the supplied data names Windows as the only platform. The practical value is in validating whether Office-based persistence paths are visible and governed. No relationship context was supplied, so this take avoids linking the analytic to specific ATT&CK techniques, actors, malware, campaigns, or impacts.

Official detection content, tactics, labels, aliases, and relationships were not provided. The description is high level, so local environment knowledge is required to define exact registry paths, Office locations, normal business use, severity thresholds, and response actions.

Official MITRE ATT&CK definition

Analytic 1116

Office-based persistence via Office template macros, Outlook forms/rules/homepage, or registry-persistent scripts. Adversary modifies registry keys or Office application directories to load malicious scripts at startup.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 471517e8521713bc...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  471517e85217…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1116 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.