Office Application Startup: Office Test

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.[1][2]

There exist user and global Registry keys for the Office Test feature:

  • HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

ID: T1137.002
Sub-technique of:  T1137
Tactic: Persistence
Platforms: Office 365, Windows
System Requirements: Office 2007, 2010, 2013, and 2016
Permissions Required: Administrator, User
Data Sources: DLL monitoring, File monitoring, Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Version: 1.0
Created: 07 November 2019
Last Modified: 20 March 2020

Procedure Examples

Name Description
APT28

APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.[2]

Mitigations

Mitigation Description
Software Configuration

Create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.[2]

Detection

Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.[2]

Consider monitoring Office processes for anomalous DLL loads.

References