Skip to content

T1137.002 Office Test

Adversaries may abuse the Microsoft Office “Office Test” Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.12

There exist user and global Registry keys for the Office Test feature:

  • HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

Item Value
ID T1137.002
Sub-techniques T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006
Tactics TA0003
Platforms Office 365, Windows
Permissions required Administrator, User
Version 1.1
Created 07 November 2019
Last Modified 16 August 2021

Procedure Examples

ID Name Description
G0007 APT28 APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.2


ID Mitigation Description
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 3
M1054 Software Configuration Create the Registry key used to execute it and set the permissions to “Read Control” to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.2


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
DS0011 Module Module Load
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Creation