T1137.002 Office Test Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1137.002 — Office Test Registry Key persistence detection
// The 'Office Test' key is not present in default Office installations — any occurrence is suspicious
let OfficeTestPaths = dynamic([
  "Software\\Microsoft\\Office test\\Special\\Perf",
  "Software\\Microsoft\\Office test"
]);
// Part 1: Detect creation of Office Test registry key
let OfficeTestRegCreate = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Microsoft", "Office test")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType;
// Part 2: Detect Office applications loading unexpected DLLs from user-writable locations
let OfficeUnexpectedDLL = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe")
| where FolderPath has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\", "\\Windows\\Temp\\")
| where not (FolderPath has_any ("\\Microsoft Office\\", "\\Microsoft\\Office\\", "\\AppData\\Local\\Microsoft\\"))
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
union OfficeTestRegCreate, OfficeUnexpectedDLL
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Creation Windows Registry: Registry Value Modification Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceImageLoadEvents

False Positives

Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
Security researchers or red teamers running controlled tests on isolated systems
Unusual corporate Office customization tools that happen to use this registry path (very uncommon)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=12 AND match(TargetObject, "(?i)Microsoft\\\\Office test"), "OfficeTest_Key_Created",
    EventCode=13 AND match(TargetObject, "(?i)Microsoft\\\\Office test"), "OfficeTest_Key_Modified",
    EventCode=7 AND
      match(Image, "(?i)(winword|excel|powerpnt|outlook|mspub)\.exe") AND
      match(ImageLoaded, "(?i)(\\\\Users\\\\|\\\\Temp\\\\|\\\\AppData\\\\|\\\\ProgramData\\\\|\\\\Windows\\\\Temp\\\\)") AND
      NOT match(ImageLoaded, "(?i)(\\\\Microsoft\\\\Office|\\\\Microsoft Office|\\\\AppData\\\\Local\\\\Microsoft)"),
      "Office_Loading_User_Writable_DLL",
    true(), null()
  )
| where isnotnull(detection_type)
| eval indicator=case(
    EventCode=12 OR EventCode=13, TargetObject,
    EventCode=7, ImageLoaded,
    true(), "-"
  )
| table _time, host, User, detection_type, indicator, Image, CommandLine
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Registry Key Creation Module: Module Load Sysmon Event ID 7, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Microsoft development environments with Office SDK testing components installed
Security researcher workstations running controlled Office persistence tests
Uncommon corporate customization tools that register as Office test components

Elastic Security (EQL)

eql

any where
  (event.category == "registry" and registry.path : "*Microsoft*Office test*") or
  (event.category == "library" and
   process.name : ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","mspub.exe") and
   dll.path : ("*\\Users\\*","*\\Temp\\*","*\\AppData\\*","*\\ProgramData\\*") and
   not dll.path : ("*\\Microsoft Office\\*","*\\AppData\\Local\\Microsoft\\*"))

high severity high confidence

Data Sources

Windows Registry Events Library Load Events

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.library-*

False Positives

Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
Security researchers or red teamers running controlled tests on isolated systems
Unusual corporate Office customization tools that happen to use this registry path (very uncommon)

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource,
  username as AccountName, sourceip as SourceIP,
  "TargetObject" as RegistryKey, "Image" as ProcessImage,
  CASE WHEN "TargetObject" ILIKE '%Microsoft%Office test%' THEN 10
       WHEN "Image" ILIKE '%winword.exe%' OR "Image" ILIKE '%excel.exe%' THEN 7
       ELSE 5 END as RiskScore
FROM events
WHERE (
  (eventid IN (12, 13) AND "TargetObject" ILIKE '%Microsoft%Office test%')
  OR (eventid = 7 AND ("Image" ILIKE '%winword.exe%' OR "Image" ILIKE '%excel.exe%'
      OR "Image" ILIKE '%powerpnt.exe%') AND
      ("ImageLoaded" ILIKE '%\Users\%' OR "ImageLoaded" ILIKE '%\Temp\%' OR "ImageLoaded" ILIKE '%\AppData\%')
      AND "ImageLoaded" NOT ILIKE '%\Microsoft Office\%')
)
ORDER BY EventTime DESC

high severity high confidence

Data Sources

Windows Sysmon Windows Registry Module Load Events

Required Tables

events

False Positives

Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
Security researchers or red teamers running controlled tests on isolated systems
Unusual corporate Office customization tools that happen to use this registry path (very uncommon)

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| json auto
| where EventID in ("12","13","7")
| eval detection_type = if(
    (EventID in ("12","13")) and matches(TargetObject, "(?i)Microsoft.*Office test"),
    "OfficeTest_Registry",
    if(EventID == "7" and matches(Image, "(?i)(winword|excel|powerpnt|outlook|mspub)\.exe")
       and matches(ImageLoaded, "(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\)")
       and !matches(ImageLoaded, "(?i)(\\Microsoft Office\\|\\AppData\\Local\\Microsoft\\)"),
       "Office_UserWritable_DLL", null))
| where !isNull(detection_type)
| table _time, Computer, User, detection_type, TargetObject, Image, ImageLoaded, CommandLine
| sort by _time desc

high severity high confidence

Data Sources

Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon

False Positives

Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
Security researchers or red teamers running controlled tests on isolated systems
Unusual corporate Office customization tools that happen to use this registry path (very uncommon)

Google Chronicle / SecOps

yaral

rule office_test_registry_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects Office Test registry key persistence (T1137.002)"
    severity = "HIGH"
    tactic = "TA0003"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($e.target.registry.registry_key, `(?i)Microsoft\\Office test`) nocase

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Registry Events via Chronicle UDM

Required Tables

REGISTRY_MODIFICATION

False Positives

Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
Security researchers or red teamers running controlled tests on isolated systems
Unusual corporate Office customization tools that happen to use this registry path (very uncommon)

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "RegOperationV2"
| RegOperationName = /Office\s+test/i
| eval detection_type = "OfficeTest_Registry_Key"
| table timestamp, ComputerName, UserName, RegOperationName, RegObjectName, RegValueName, ImageFileName
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Registry Events

Required Tables

RegOperationV2

False Positives

Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
Security researchers or red teamers running controlled tests on isolated systems
Unusual corporate Office customization tools that happen to use this registry path (very uncommon)

Office Test

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections