Description
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
There exist user and global Registry keys for the Office Test feature, such as:
HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf
HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf
Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.
Platforms
Mitigations (2)
Software Configuration (M1054)
Create the Office Test Registry key yourself and set its permissions to "Read Control", so that the key cannot be modified without administrator permissions or Privilege Escalation.(Citation: Palo Alto Office Test Sofacy)
Behavior Prevention on Endpoint (M1040)
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk.(Citation: win10_asr)
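As an added example that is not part of the ATT&CK page or its cited references, the following PowerShell audits both Office Test keys for configured DLL values and implements M1054 by pre-creating the key with a restrictive ACL. The function names are the example's own; the SIDs and RegistryRights values are standard Windows identifiers, and HKCU: refers to the hive of the account running the script.

```powershell
# Added example (not MITRE ATT&CK content). Run from an elevated session.
$OfficeTestKeys = @(
    'HKCU:\Software\Microsoft\Office test\Special\Perf',
    'HKLM:\Software\Microsoft\Office test\Special\Perf'
)

function Get-OfficeTestStatus {
    # Lists every value under each Office Test key. The key is absent on a
    # default install, so any DLL path found here is loaded by every Office
    # application at start-up and warrants investigation.
    foreach ($key in $OfficeTestKeys) {
        if (-not (Test-Path -Path $key)) {
            [pscustomobject]@{ Key = $key; Exists = $false; Values = '' }
            continue
        }
        $item   = Get-Item -Path $key
        $values = $item.GetValueNames() |
            ForEach-Object { '{0} = {1}' -f $_, $item.GetValue($_) }
        [pscustomobject]@{ Key = $key; Exists = $true; Values = ($values -join '; ') }
    }
}

function Protect-OfficeTestKey {
    # Implements M1054: create the key empty so an adversary cannot create it,
    # then replace its DACL so only SYSTEM and Administrators can write to it.
    # Users keep ReadKey, which includes Read Control; use 'ReadPermissions'
    # instead if you want the literal Read Control right only.
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    $acl = Get-Acl -Path $Key
    $acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited rules
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    $rules = @(
        @('S-1-5-18',     'FullControl'),   # NT AUTHORITY\SYSTEM
        @('S-1-5-32-544', 'FullControl'),   # BUILTIN\Administrators
        @('S-1-5-32-545', 'ReadKey')        # BUILTIN\Users
    )
    foreach ($r in $rules) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($r[0])
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $sid, $r[1], 'ContainerInherit', 'None', 'Allow')))
    }
    # A key's owner can always rewrite its DACL. HKCU keys are owned by the user,
    # so hand ownership to Administrators or the restriction is cosmetic.
    $acl.SetOwner((New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'))
    Set-Acl -Path $Key -AclObject $acl
}

Get-OfficeTestStatus | Format-Table -AutoSize
```

Call `Protect-OfficeTestKey` on each path in `$OfficeTestKeys` after reviewing the audit output; re-running `Get-OfficeTestStatus` afterwards should show both keys existing with no values.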
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key <code... |
References
- Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
- Hexacorn. (2014, April 16). Beyond good ol’ Run key, Part 10. Retrieved July 3, 2017.
Frequently Asked Questions
What is T1137.002 (Office Test)?
T1137.002 is a MITRE ATT&CK technique named 'Office Test'. It belongs to the Persistence tactic. Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary...
How can T1137.002 be detected?
Detection of T1137.002 (Office Test) typically involves monitoring for creation of, or changes to, the Office Test Registry keys listed above (they do not exist in a default Office installation) and for unexpected DLLs loaded by Office applications at start-up. SIEM rules, EDR telemetry, and behavioral analytics can be used to flag this activity.
What mitigations exist for T1137.002?
There are 2 documented mitigations for T1137.002. Key mitigations include: Software Configuration, Behavior Prevention on Endpoint.
Which threat groups use T1137.002?
Known threat groups using T1137.002 include: APT28.