1. Home
  2. Techniques
  3. Enterprise
  4. Office Application Startup
  5. Office Test

Office Application Startup: Office Test

ID Name
T1137.001 Office Template Macros
T1137.002 Office Test
T1137.003 Outlook Forms
T1137.004 Outlook Home Page
T1137.005 Outlook Rules
T1137.006 Add-ins

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.[1][2]

There exist user and global Registry keys for the Office Test feature, such as:

  • HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

ID: T1137.002
Sub-technique of:  T1137
Tactic: Persistence
Platforms: Office Suite, Windows
Version: 1.3
Created: 07 November 2019
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.[2]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [3]
M1054 Software Configuration

Create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.[2]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0315 Detect Persistence via Office Test Registry DLL Injection AN0880

Adversaries create the 'Office Test\Special\Perf' registry key and specify a malicious DLL path that is auto-loaded when an Office application starts. This DLL is injected into the Office process memory space and can provide persistent execution without requiring macro enablement.
AN0881

Office application auto-loads a non-standard DLL during startup triggered via Office Test Registry key, often without macro warning banners. DLL persistence mechanism circumvents traditional macro defenses.

References

  1. Hexacorn. (2014, April 16). Beyond good ol’ Run key, Part 10. Retrieved July 3, 2017.
  2. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  1. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.