T1137.002 Elastic Security · Elastic

Detect Office Test in Elastic Security

Adversaries abuse the Microsoft Office 'Office Test' registry key to load an arbitrary DLL every time an Office application starts. The keys HKCU\Software\Microsoft\Office test\Special\Perf and HKLM\Software\Microsoft\Office test\Special\Perf are not created during standard Office installations, making their presence a strong indicator of persistence. APT28 (Sofacy) has used this technique operationally.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.002 Office Test
Canonical reference
https://attack.mitre.org/techniques/T1137/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (event.category == "registry" and registry.path : "*Microsoft*Office test*") or
  (event.category == "library" and
   process.name : ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","mspub.exe") and
   dll.path : ("*\\Users\\*","*\\Temp\\*","*\\AppData\\*","*\\ProgramData\\*") and
   not dll.path : ("*\\Microsoft Office\\*","*\\AppData\\Local\\Microsoft\\*"))
high severity high confidence

Detects Office Test registry key creation/modification and Office processes loading DLLs from user-writable locations using Elastic EQL.

Data Sources

Windows Registry EventsLibrary Load Events

Required Tables

logs-endpoint.events.registry-*logs-endpoint.events.library-*

False Positives & Tuning

  • Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
  • Security researchers or red teamers running controlled tests on isolated systems
  • Unusual corporate Office customization tools that happen to use this registry path (very uncommon)
Download portable Sigma rule (.yml)

Other platforms for T1137.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Office Test HKCU Registry Key

    Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKCU\Software\Microsoft\Office test. Sysmon Event ID 13: RegistryValueSet with TargetObject HKCU\Software\Microsoft\Office test\Special\Perf and Details=C:\Windows\System32\calc.exe. Security Event ID 4657 if registry auditing is enabled.

  2. Test 2Create Office Test HKLM Registry Key (Admin Required)

    Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKLM\Software\Microsoft\Office test (high privilege indicator). Sysmon Event ID 13: RegistryValueSet for HKLM path.

  3. Test 3Query Office Test Key Existence (Detection Validation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe and CommandLine containing 'Office test'. No registry modification events generated (query only).

Last updated: 2026-03-11 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1137.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1137Office Application Startup

Related Sub-techniques

T1137.001Office Template MacrosT1137.003Outlook FormsT1137.004Outlook Home PageT1137.005Outlook RulesT1137.006Add-ins

Related Techniques

T1137Office Application StartupT1137.001Office Template MacrosT1574.001DLLT1055.001Dynamic-link Library InjectionT1027Obfuscated Files or InformationT1566.001Spearphishing Attachment

Same Tactic: Persistence

Popular Detections