DET0315 Detect Persistence via Office Test Registry DLL Injection
| Item | Value |
| --- | --- |
| ID | DET0315 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1137.002 (Office Test)
Analytics
Windows
AN0880
Adversaries create the ‘Office Test\Special\Perf’ registry key and set its value to the path of a malicious DLL, which Office applications load automatically at startup. The DLL runs inside the Office process's memory space and provides persistent execution without requiring macros to be enabled.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| RegistryPath | Path to ‘Office test\Special\Perf’ may vary by Office version, 32/64-bit, or architecture (HKCU vs HKLM) |
| DLLPath | Injected DLL may reside in different user-writable locations (e.g., %APPDATA%, %TEMP%, or network shares) |
| OfficeProcessName | Process name (e.g., winword.exe, excel.exe) may vary by Office deployment and usage |
| TimeWindow | Time between DLL registry creation and first Office execution may vary depending on user activity |
| UserContext | Malicious DLL may target only specific users, necessitating correlation with interactive logon sessions |
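The following is an added example (not part of DET0315 or MITRE's own analytics) of how AN0880 can be implemented over Sysmon-shaped telemetry: a registry value write (EID 13) to the Perf key raises an initial alert, and a later image load (EID 7) of that same DLL by an Office process under the same user, within the TimeWindow, raises a correlated critical alert. The event field names, the sample events, and the 24-hour window are constructed assumptions; the regex covers the HKCU/HKLM and WOW6432Node variants from the mutable elements above.

```python
import re
from datetime import datetime, timedelta

# Office Test key under HKU/HKCU or HKLM, with or without WOW6432Node, with or without the
# trailing "(Default)" value name that Sysmon appends when a key's default value is written.
PERF_KEY = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Office test\\Special\\Perf(?:\\\(Default\))?$",
    re.IGNORECASE)
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# User-writable or remote (UNC) locations where a dropped DLL typically lives; raises severity.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|Downloads)\\|^\\\\", re.IGNORECASE)

def detect_office_test(events, window=timedelta(hours=24)):
    """Return alerts: one per Perf value write, plus a correlated alert when an Office
    process later loads that exact DLL within `window` under the same user."""
    alerts, registered = [], []
    for e in events:  # stage 1: registry write to the Perf key (hypothetical Sysmon EID 13 shape)
        if e["EventID"] == 13 and PERF_KEY.search(e["TargetObject"]):
            dll = e["Details"]
            registered.append({"ts": datetime.fromisoformat(e["UtcTime"]), "dll": dll, "user": e["User"]})
            alerts.append({"stage": "registry_set", "user": e["User"], "dll": dll, "key": e["TargetObject"],
                           "severity": "high" if USER_WRITABLE.search(dll) else "medium"})
    for e in events:  # stage 2: Office process loads the registered DLL (hypothetical EID 7 shape)
        if e["EventID"] != 7 or e["Image"].rsplit("\\", 1)[-1].lower() not in OFFICE_PROCS:
            continue
        for r in registered:
            delta = datetime.fromisoformat(e["UtcTime"]) - r["ts"]
            if (e["ImageLoaded"].lower() == r["dll"].lower() and e["User"].lower() == r["user"].lower()
                    and timedelta(0) <= delta <= window):
                alerts.append({"stage": "dll_loaded", "user": e["User"], "dll": r["dll"],
                               "process": e["Image"], "severity": "critical",
                               "minutes_after_write": int(delta.total_seconds() // 60)})
    return alerts

# Constructed sample telemetry: a Perf write by alice, then Word loading that DLL 42 minutes later.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2025-10-21 09:00:05", "User": "CORP\\alice",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office test\\Special\\Perf\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\perf.dll"},
    {"EventID": 7, "UtcTime": "2025-10-21 09:42:11", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},               # benign system DLL load
    {"EventID": 7, "UtcTime": "2025-10-21 09:42:12", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\perf.dll"},      # load of the registered DLL
]
```

Running `detect_office_test(SAMPLE_EVENTS)` yields a high-severity `registry_set` alert followed by a critical `dll_loaded` alert; the benign kernel32.dll load produces nothing.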
Office Suite
AN0881
An Office application auto-loads a non-standard DLL at startup, triggered via the Office Test registry key, often without any macro warning banner. This DLL persistence mechanism circumvents traditional macro defenses.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TrustedLocationBypass | DLL may be placed in a location trusted by Office configuration, or signed, to evade alerts |
| AuditPolicyScope | Only specific tenants or users may have Office auditing enabled at the granular DLL-load level |