T1137.002: Office Test
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.
The feature has both a per-user and a machine-wide Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf
HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf
Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_execution: PT-CR-949: Suspicious_Office_Dll_Startup: MS Office launch started a DLL
mitre_attck_persistence: PT-CR-963: Perf_Key_Modify: The value of the Perf registry key was changed
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments (for example, reg.exe or PowerShell writing beneath Software\Microsoft\Office test) that may add or modify the Office Test Registry key to obtain persistence on a compromised system.
DS0011 | Module: Module Load | Monitor DLL/PE file events, specifically the creation of these binary files as well as the loading of DLLs into processes. Look for DLLs loaded by Office processes (WINWORD.EXE, EXCEL.EXE and so on) that are not recognized or not normally loaded into those processes.
DS0009 | Process: Process Creation | Monitor newly executed processes, in particular children of Office applications, that may result from abuse of the Office Test Registry key.
DS0024 | Windows Registry: Windows Registry Key Creation | Monitor for the creation of the Office Test Registry key (it is not created by an Office installation). Collect events related to Registry key creation for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.
DS0022 | File: File Modification | Monitor for changes made to files, such as DLLs, that may be referenced by the Office Test Registry key to obtain persistence on a compromised system.
DS0024 | Windows Registry: Windows Registry Key Modification | Monitor for changes made to the Office Test Registry key, especially its (Default) value being set to a DLL path. Collect events related to Registry key modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.
DS0022 | File: File Creation | Monitor for newly constructed files, such as DLLs written to disk shortly before the Office Test Registry key is populated, that may be used to obtain persistence on a compromised system.
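The following PowerShell is an added example, not part of the ATT&CK page or of the MaxPatrol rules above. It turns the Windows Registry detection rows into a point-in-time audit of the key described at the top of the page: it checks the Perf key under HKEY_LOCAL_MACHINE and in every user hive currently loaded under HKEY_USERS, and for each value found reports the DLL path, whether that file exists, and its Authenticode status. The treatment of the unnamed (Default) value as the DLL location and the output fields are my assumptions drawn from the technique description; since Office does not create the key, the healthy result is no output at all.

```powershell
# Added example: audit the Office Test persistence key. Assumes, as the technique
# description states, that the key's unnamed (Default) value holds the DLL path.
$OfficeTestSuffix = 'Software\Microsoft\Office test\Special\Perf'

function Get-OfficeTestKeyPaths {
    # Machine-wide key plus the per-user key in every hive currently loaded under
    # HKEY_USERS (this covers HKCU of every logged-on user, not offline profiles).
    $paths = @("Registry::HKEY_LOCAL_MACHINE\$OfficeTestSuffix")
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($h in $hives) { $paths += "Registry::$($h.Name)\$OfficeTestSuffix" }
    $paths
}

function Get-OfficeTestPersistence {
    foreach ($p in Get-OfficeTestKeyPaths) {
        # Office does not create this key, so absence is the expected, healthy state.
        if (-not (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue)) { continue }
        $key = Get-Item -LiteralPath $p
        # '' addresses the unnamed (Default) value; GetValueNames() also lists '' once it is set,
        # hence the -Unique. Named values are reported too in case the loader honours them.
        $names = (@('') + @($key.GetValueNames())) | Select-Object -Unique
        foreach ($n in $names) {
            $data = $key.GetValue($n)
            $file = $null; $exists = $null; $sig = $null
            if ($data -is [string] -and $data.Trim()) {
                $file   = [Environment]::ExpandEnvironmentVariables($data.Trim().Trim('"'))
                $exists = Test-Path -LiteralPath $file -PathType Leaf -ErrorAction SilentlyContinue
                if ($exists) { $sig = (Get-AuthenticodeSignature -LiteralPath $file).Status }
            }
            $valueName = if ($n) { $n } else { '(Default)' }
            [pscustomobject]@{
                Key        = $p
                ValueName  = $valueName
                Data       = $data
                FileExists = $exists      # $null when the value is empty or not a string
                Signature  = $sig         # Valid / NotSigned / HashMismatch / ... or $null
            }
        }
    }
}

# A key that exists at all is worth a look; a populated value pointing at an
# unsigned or unknown DLL is the finding.
Get-OfficeTestPersistence | Format-Table -AutoSize
```

Run it elevated so that other users' hives are readable. Profiles of users who are not logged on are not loaded under HKEY_USERS and would have to be mounted with reg load first. Note that a Perf key with an empty (Default) value is exactly what the Software Configuration mitigation below leaves behind, so presence alone is not proof of abuse; a populated value, or a relative path that could not be resolved and hence shows FileExists as False, is what should be escalated.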
Mitigation
ID | Name | Description
---|---|---
M1054 | Software Configuration | Pre-create the Office Test Registry key in both hives and restrict its permissions to "Read Control" so that it cannot be modified without administrator rights; an adversary in the user context would then need Privilege Escalation before being able to abuse it.
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk.
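As an added example (again not from the page or from Positive Technologies), the M1054 row can be implemented in PowerShell: create the Perf key if it is missing and replace its inherited DACL with one that lets only SYSTEM and Administrators write, leaving Users read-only. Granting Users ReadKey (a superset of Read Control) rather than bare Read Control, and transferring ownership to Administrators, are my choices; the ownership change matters because the owner of a key can always rewrite its DACL, and under HKCU the owner is the user by default. The ASR rules in M1040 limit what a DLL can do once loaded (spawn processes, drop executables); they do not stop the Office process from loading the DLL itself, which is why this key-level control is worth having.

```powershell
# Added example: pre-create the Office Test key and make it read-only for
# non-administrators. Must run elevated (changing the owner of an HKCU key
# requires an administrator token).
function Protect-OfficeTestKey {
    param(
        [Parameter(Mandatory)] [string]   $KeyPath,                         # e.g. 'HKCU:\Software\Microsoft\Office test\Special\Perf'
        [string[]]                        $ReadOnlyPrincipals = @('BUILTIN\Users')
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # -Force creates the intermediate 'Office test' and 'Special' keys as well
        New-Item -Path $KeyPath -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $KeyPath
    # Stop inheriting from the parent so the explicit rules below are the whole DACL
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $full  = [System.Security.AccessControl.RegistryRights]::FullControl
    $read  = [System.Security.AccessControl.RegistryRights]::ReadKey      # includes READ_CONTROL
    $ci    = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($p in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($p, $full, $ci, $none, $allow)))
    }
    foreach ($p in $ReadOnlyPrincipals) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($p, $read, $ci, $none, $allow)))
    }

    # The owner can always rewrite the DACL; under HKCU that is the user, so move it.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $KeyPath -AclObject $acl

    # Return the effective DACL so the result can be verified or logged
    Get-Acl -LiteralPath $KeyPath | Select-Object -ExpandProperty Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

foreach ($k in 'HKCU:\Software\Microsoft\Office test\Special\Perf',
               'HKLM:\Software\Microsoft\Office test\Special\Perf') {
    "== $k"
    Protect-OfficeTestKey -KeyPath $k | Format-Table -AutoSize
}
```

Under HKLM the key already inherits a DACL that denies standard users write access, so the explicit lock-down mostly matters for the per-user key. To protect other profiles on a shared machine, call the function against Registry::HKEY_USERS\<SID>\Software\Microsoft\Office test\Special\Perf for each loaded hive; profiles that are not loaded need reg load first. Leave the (Default) value empty: the key's existence is what blocks the adversary from creating it with a DLL path of their choosing.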