T1137.002 Office Test
Adversaries may abuse the Microsoft Office “Office Test” Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.12
There exist user and global Registry keys for the Office Test feature:
HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\PerfHKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf
Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.
| Item | Value |
|---|---|
| ID | T1137.002 |
| Sub-techniques | T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006 |
| Tactics | TA0003 |
| Platforms | Office 365, Windows |
| Permissions required | Administrator, User |
| Version | 1.1 |
| Created | 07 November 2019 |
| Last Modified | 16 August 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.2 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3 |
| M1054 | Software Configuration | Create the Registry key used to execute it and set the permissions to “Read Control” to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.2 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0011 | Module | Module Load |
| DS0009 | Process | Process Creation |
| DS0024 | Windows Registry | Windows Registry Key Creation |
References
-
Hexacorn. (2014, April 16). Beyond good ol’ Run key, Part 10. Retrieved July 3, 2017. ↩
-
Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017. ↩↩↩
-
Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. ↩