Detect Office Test in IBM QRadar
Adversaries abuse the Microsoft Office 'Office Test' registry key to load an arbitrary DLL every time an Office application starts. The keys HKCU\Software\Microsoft\Office test\Special\Perf and HKLM\Software\Microsoft\Office test\Special\Perf are not created during standard Office installations, making their presence a strong indicator of persistence. APT28 (Sofacy) has used this technique operationally.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Sub-technique
- T1137.002 Office Test
- Canonical reference
- https://attack.mitre.org/techniques/T1137/002/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
logsourcename(logsourceid) as LogSource,
username as AccountName, sourceip as SourceIP,
"TargetObject" as RegistryKey, "Image" as ProcessImage,
CASE WHEN "TargetObject" ILIKE '%Microsoft%Office test%' THEN 10
WHEN "Image" ILIKE '%winword.exe%' OR "Image" ILIKE '%excel.exe%' THEN 7
ELSE 5 END as RiskScore
FROM events
WHERE (
(eventid IN (12, 13) AND "TargetObject" ILIKE '%Microsoft%Office test%')
OR (eventid = 7 AND ("Image" ILIKE '%winword.exe%' OR "Image" ILIKE '%excel.exe%'
OR "Image" ILIKE '%powerpnt.exe%') AND
("ImageLoaded" ILIKE '%\Users\%' OR "ImageLoaded" ILIKE '%\Temp\%' OR "ImageLoaded" ILIKE '%\AppData\%')
AND "ImageLoaded" NOT ILIKE '%\Microsoft Office\%')
)
ORDER BY EventTime DESCDetects Office Test registry key creation (Sysmon event IDs 12/13) and Office DLL loads from user-writable locations (event ID 7) via QRadar AQL.
Data Sources
Required Tables
False Positives & Tuning
- Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
- Security researchers or red teamers running controlled tests on isolated systems
- Unusual corporate Office customization tools that happen to use this registry path (very uncommon)
Other platforms for T1137.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Office Test HKCU Registry Key
Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKCU\Software\Microsoft\Office test. Sysmon Event ID 13: RegistryValueSet with TargetObject HKCU\Software\Microsoft\Office test\Special\Perf and Details=C:\Windows\System32\calc.exe. Security Event ID 4657 if registry auditing is enabled.
- Test 2Create Office Test HKLM Registry Key (Admin Required)
Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKLM\Software\Microsoft\Office test (high privilege indicator). Sysmon Event ID 13: RegistryValueSet for HKLM path.
- Test 3Query Office Test Key Existence (Detection Validation)
Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe and CommandLine containing 'Office test'. No registry modification events generated (query only).
References (4)
- https://attack.mitre.org/techniques/T1137/002/
- https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
- http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md
Unlock Pro Content
Get the full detection package for T1137.002 including response playbook, investigation guide, and atomic red team tests.