Adversaries create the 'Office test\Special\Perf' registry key (under HKCU\Software\Microsoft or HKLM\Software\Microsoft) and set its default value to the path of a malicious DLL. Every Office application loads that DLL when it starts, so the DLL runs inside the Office process and gives the adversary persistent execution without requiring macros to be enabled.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Command Execution (DC0064) | WinEventLog:Microsoft-Office-Alerts | Unexpected DLL or component loaded at Office startup |

| Field | Description |
|---|---|
| RegistryPath | Path to 'Office test\Special\Perf' may vary by Office version, by 32-bit vs 64-bit Office (HKLM\Software\Wow6432Node for 32-bit Office on 64-bit Windows), and by hive (HKCU vs HKLM) |
| DLLPath | Injected DLL may reside in different user-writable locations (e.g., %APPDATA%, %TEMP%, or network shares) |
| OfficeProcessName | Process name (e.g., winword.exe, excel.exe) may vary by Office deployment and usage |
| TimeWindow | Time between DLL registry creation and first Office execution may vary depending on user activity |
| UserContext | Malicious DLL may target only specific users, necessitating correlation with interactive logon sessions |

An Office application loads a non-standard DLL at startup because the Office test registry key points to it. No macro is involved, so no macro warning banner is shown and macro-focused defenses (macro blocking, Protected View prompts) do not apply; the persistence survives as long as the key and the DLL remain.
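The Windows analytic above, as an added example that is not part of the original page: Python detection logic run over constructed Sysmon events. It raises an alert on any write to the Office test\Special\Perf key (EventCode 13, HKCU or HKLM, with or without Wow6432Node), correlates that write with a later EventCode 7 load of the same DLL into an Office process within a time window, and separately flags Office module loads from user-writable or unsigned locations that have no matching key write. Field names follow the Sysmon schema; the Office process list, the user-writable path patterns, the 30-day window and the sample events are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Assumption: events are Sysmon records already parsed into dicts with the
# standard field names (EventCode, UtcTime, User, Image, TargetObject,
# Details, ImageLoaded, Signed).

# Matches HKCU (HKU\<SID>) and HKLM variants, with or without the WOW6432Node
# redirection used by 32-bit Office on 64-bit Windows.
OFFICE_TEST_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\office test\\special\\perf(\\|$)", re.I)

# Assumed list of Office host processes to watch for module loads.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}

# Assumed user-writable locations (local profile, public profile, ProgramData,
# Windows temp) plus UNC paths; an add-in loaded from any of these is worth a
# look even without the registry event.
USER_WRITABLE = re.compile(
    r"^(\\\\|[a-z]:\\users\\[^\\]+\\appdata\\|[a-z]:\\users\\public\\"
    r"|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)", re.I)

# Mutable element "TimeWindow": how long after the key write a module load is
# still linked to it. 30 days is an arbitrary choice for this example.
CORRELATION_WINDOW = timedelta(days=30)


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_test_key(target_object):
    return OFFICE_TEST_KEY.search(target_object) is not None


def is_office_process(image):
    return _basename(image) in OFFICE_IMAGES


def is_user_writable(path):
    return USER_WRITABLE.match(path) is not None


def detect(events):
    """Return alerts in event order: one per Office test key write, one per
    Office module load that either matches an earlier key write (high
    confidence) or comes from a user-writable/unsigned location (lower)."""
    alerts, pending = [], []          # pending: key writes awaiting a load
    for e in sorted(events, key=_ts):
        code = e["EventCode"]
        if code == 13 and is_office_test_key(e["TargetObject"]):
            dll = e["Details"].strip('"').lower()
            alerts.append({"rule": "office_test_key_write", "user": e["User"],
                           "key": e["TargetObject"], "dll": dll, "time": e["UtcTime"]})
            pending.append((e, dll))
        elif code == 7 and is_office_process(e["Image"]):
            loaded = e["ImageLoaded"].lower()
            for reg, dll in pending:
                if loaded == dll and _ts(e) - _ts(reg) <= CORRELATION_WINDOW:
                    alerts.append({"rule": "office_test_dll_loaded", "user": e["User"],
                                   "process": _basename(e["Image"]), "dll": loaded,
                                   "key_written": reg["UtcTime"], "loaded": e["UtcTime"]})
                    break
            else:  # no linked key write: fall back to the weaker path/signature check
                if is_user_writable(loaded) or e.get("Signed", "true").lower() == "false":
                    alerts.append({"rule": "office_untrusted_module", "user": e["User"],
                                   "process": _basename(e["Image"]), "dll": loaded,
                                   "loaded": e["UtcTime"]})
    return alerts


# Constructed sample: a key write followed by the DLL load in Word, a benign
# Office registry write, a signed Office DLL load (both negatives), and an
# unsigned DLL loaded by Excel from a temp directory with no key write.
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventCode": 13, "UtcTime": "2024-05-01 09:00:00.000", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office test\\Special\\Perf\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\perf.dll"},
    {"EventCode": 13, "UtcTime": "2024-05-01 09:00:05.000", "User": "CORP\\alice",
     "Image": WORD,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\DefaultFormat",
     "Details": "docx"},
    {"EventCode": 7, "UtcTime": "2024-05-01 09:05:00.500", "User": "CORP\\alice", "Image": WORD,
     "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\wwlib.dll", "Signed": "true"},
    {"EventCode": 7, "UtcTime": "2024-05-01 09:05:01.000", "User": "CORP\\alice", "Image": WORD,
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\perf.dll", "Signed": "false"},
    {"EventCode": 7, "UtcTime": "2024-05-01 10:00:00.000", "User": "CORP\\bob", "Image": EXCEL,
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The key-write rule alone is the high-value signal: legitimate software almost never touches this key, so it needs no correlation to be actionable. The module-load correlation adds confirmation that the DLL actually ran in an Office process, and the standalone user-writable/unsigned check covers the case where the registry write happened before Sysmon was deployed or on a host whose EventCode 13 rules do not include this path.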
| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | m365:unified | Non-standard Office startup component detected (e.g., unexpected DLL path) |
| Command Execution (DC0064) | m365:office | Startup execution includes non-default component |

| Field | Description |
|---|---|
| TrustedLocationBypass | DLL may be placed in a location trusted by the Office configuration, or may be code-signed, to avoid raising alerts |
| AuditPolicyScope | Only specific tenants or users may have Office auditing enabled at granular DLL load level |