AN1117: Analytic 1117
Startup-based persistence mechanisms within Microsoft Office Suite like template macros and home page redirects being configured through internal automation or client-side settings.
Analyst context for executives and security teams
AN1117 concerns Office Suite startup-based persistence, such as template macros or home page redirects being set through internal automation or client-side settings. Startup-based here means content that Office loads every time an application starts, for example a macro in a startup template or an Outlook folder home page pointing at a URL, so it survives reboots and the deletion of whatever document delivered it. The business issue is therefore not just malware in documents; it is whether routine Office configuration paths could silently preserve unwanted behavior across user sessions and complicate containment if teams cannot see when those settings change.
Executive priority
Security leaders should treat this as an Office configuration governance and monitoring question. Ask whether the organization can prove who or what changed startup-related Office settings, whether automation that manages Office configurations is controlled and auditable, and whether SOC and IR teams can quickly distinguish approved administration from suspicious persistence during an incident.
Technical view
For SOC, detection engineering, and IR teams, validate visibility around Microsoft Office Suite startup-related settings and artifacts referenced by the analytic description: template macro use, home page redirect configuration, internal automation changes, and client-side setting changes. Because no official detection logic or ATT&CK relationships were supplied, coverage should be tested against local Office configuration baselines and approved automation behavior rather than assumed from generic endpoint monitoring.
Likely telemetry
- Office Suite client configuration change records where available
- Endpoint file and configuration monitoring for Office startup-related templates or macro-bearing templates (for example Word's Normal.dotm and STARTUP folder, Excel's XLSTART folder, and the Outlook folder home page URL stored in the user's Office registry hive)
- Logs from internal automation or management tooling that applies Office settings
- User, device, and process context associated with Office configuration changes
- Baseline inventories of approved Office templates, macros, and redirect settings
Detection direction
- Build or validate detections for changes to Office startup-related templates, macro-enabled templates, and home page redirect settings.
- Correlate Office configuration changes with authorized automation jobs, change tickets, device/user context, and expected deployment windows.
- Tune for false positives from legitimate Office administration, software deployment, or profile management activity.
- Identify blind spots where Office client-side settings are not centrally logged or where automation tools can change settings without producing SOC-visible events.
- Because ATT&CK provides no detection text for this analytic, require local validation with known-good administrative changes and controlled test events.
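As an added example of the correlation the list above describes (this is not part of the analytic or of MITRE's data), the Python below applies a baseline of approved template hashes, an allowlist of internal automation images and a maintenance window to constructed endpoint events that touch the standard Office startup locations. The automation path, hash values, window and event records are assumptions; only the artifact locations (Normal.dotm, Word STARTUP, Excel XLSTART, the Outlook WebView URL value) are the real ones.

```python
"""Correlate Office startup-related changes with approved automation.

Added example, not code from the page or from MITRE. The event records, process
images, hashes and maintenance window are constructed; only the Office startup
locations (Normal.dotm, Word STARTUP, Excel XLSTART, Outlook WebView URL) are real.
"""
import fnmatch
import ntpath
import re
from datetime import datetime

# File globs for Word's global template and STARTUP folder and Excel's XLSTART
# folder (matched against lower-cased paths), plus the Outlook folder home page
# value HKU\<sid>\Software\Microsoft\Office\<ver>\Outlook\WebView\<folder>\URL.
STARTUP_FILE_GLOBS = (
    r"*\appdata\roaming\microsoft\templates\normal.dotm",
    r"*\appdata\roaming\microsoft\word\startup\*",
    r"*\appdata\roaming\microsoft\excel\xlstart\*",
)
STARTUP_REG_RE = re.compile(
    r"\\software\\microsoft\\office\\\d+\.\d+\\outlook\\webview\\[^\\]+\\url$"
)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "outlook.exe"}

KNOWN_GOOD = "sha256:" + "ab" * 32  # constructed hash of the signed-off Normal.dotm

# Assumed local policy: which tooling may change Office settings, when it is
# scheduled to run, and which template builds have been approved.
POLICY = {
    "automation_images": {r"c:\program files\corp\officecfg\officecfg.exe"},
    "window": (datetime(2024, 5, 7, 2, 0), datetime(2024, 5, 7, 4, 0)),
    "approved_hashes": {KNOWN_GOOD},
}

# Constructed endpoint events in the shape a file/registry monitor would emit.
SAMPLE_EVENTS = [
    dict(ts=datetime(2024, 5, 7, 2, 15), host="WS01", user=r"CORP\alice",
         process=r"C:\Program Files\Corp\OfficeCfg\officecfg.exe", type="FileWrite",
         target=r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm",
         sha256=KNOWN_GOOD),
    dict(ts=datetime(2024, 5, 7, 14, 0), host="WS02", user=r"CORP\bob",
         process=r"C:\Program Files\Corp\OfficeCfg\officecfg.exe", type="FileWrite",
         target=r"C:\Users\bob\AppData\Roaming\Microsoft\Excel\XLSTART\book.xlsb",
         sha256="sha256:" + "cd" * 32),
    dict(ts=datetime(2024, 5, 7, 9, 30), host="WS03", user=r"CORP\carol",
         process=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         type="FileWrite",
         target=r"C:\Users\carol\AppData\Roaming\Microsoft\Templates\Normal.dotm"),
    dict(ts=datetime(2024, 5, 7, 11, 5), host="WS03", user=r"CORP\carol",
         process=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         type="RegistrySet",
         target=r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL"),
    dict(ts=datetime(2024, 5, 7, 11, 6), host="WS03", user=r"CORP\carol",
         process=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         type="FileWrite", target=r"C:\Users\carol\Documents\report.docx"),
]


def is_startup_artifact(event):
    """True if the event touches a file or registry value Office loads at startup."""
    target = event["target"].lower()
    if event["type"] == "FileWrite":
        return any(fnmatch.fnmatchcase(target, g) for g in STARTUP_FILE_GLOBS)
    if event["type"] == "RegistrySet":
        return STARTUP_REG_RE.search(target) is not None
    return False


def classify(event, policy):
    """Return None for out-of-scope events, otherwise a triage verdict."""
    if not is_startup_artifact(event):
        return None
    if event.get("sha256") in policy["approved_hashes"]:
        return "approved-baseline"          # content is a signed-off build
    image = event["process"].lower()
    start, end = policy["window"]
    if image in policy["automation_images"]:
        if start <= event["ts"] <= end:
            return "approved-automation"    # expected tool, expected time
        return "automation-outside-window"  # expected tool, unexpected time
    if ntpath.basename(image) in OFFICE_IMAGES:
        return "office-self-edit"           # e.g. Word saving Normal.dotm; track drift
    return "review"                         # unexplained startup change


def triage(events, policy):
    """Bucket in-scope events by verdict, keeping who/where/what context."""
    buckets = {}
    for e in events:
        verdict = classify(e, policy)
        if verdict is not None:
            buckets.setdefault(verdict, []).append(
                (e["ts"].isoformat(), e["host"], e["user"], e["process"], e["target"]))
    return buckets


if __name__ == "__main__":
    for verdict, rows in triage(SAMPLE_EVENTS, POLICY).items():
        print(verdict)
        for row in rows:
            print("   ", *row)
```

The "office-self-edit" bucket is the false-positive class the tuning bullet refers to: Word rewrites Normal.dotm whenever a user changes a setting, so those writes should feed baseline-drift tracking (compare the new hash against the approved set on the next run) rather than page an analyst. Only the "review" and "automation-outside-window" buckets, which carry the user, host and process context needed to tie the change to a ticket or a job run, are candidates for escalation.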
Mitigation priorities
- Establish approved baselines for Office startup-related configuration, templates, macros, and redirect settings.
- Restrict and audit the automation mechanisms that can modify Office client settings.
- Use change control and administrative accountability for Office configuration updates.
- Ensure incident response playbooks include review of Office startup configuration when persistence is suspected.
- Retain evidence needed for audit and post-incident review, including automation logs and endpoint configuration history.
Analyst notes and limits
The supplied object is a detection analytic for the Office Suite platform with a narrow description and no relationships. The practical value is in validating whether Office startup configuration changes are observable, governed, and explainable. This is especially relevant where Office settings are managed by internal automation, because legitimate administrative activity may look similar to persistence unless baselines and change context are available.
The official object does not provide detection logic, tactics, relationships, data sources, mitigations, or procedure examples. This take does not assert active exploitation, attribution, impact, or existing detection coverage. Local Office deployment details are required to determine exact telemetry sources and control implementation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d233773641bd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1117
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.