T1137.002 Microsoft Sentinel · KQL

Detect Office Test in Microsoft Sentinel

Adversaries abuse the Microsoft Office 'Office Test' registry key to load an arbitrary DLL every time an Office application starts. The keys HKCU\Software\Microsoft\Office test\Special\Perf and HKLM\Software\Microsoft\Office test\Special\Perf are not created during standard Office installations, making their presence a strong indicator of persistence. APT28 (Sofacy) has used this technique operationally.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.002 Office Test
Canonical reference
https://attack.mitre.org/techniques/T1137/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1137.002 — Office Test Registry Key persistence detection
// The 'Office Test' key is not present in default Office installations — any occurrence is suspicious
let OfficeTestPaths = dynamic([
  "Software\\Microsoft\\Office test\\Special\\Perf",
  "Software\\Microsoft\\Office test"
]);
// Part 1: Detect creation of Office Test registry key
let OfficeTestRegCreate = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("Microsoft", "Office test")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType;
// Part 2: Detect Office applications loading unexpected DLLs from user-writable locations
let OfficeUnexpectedDLL = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe")
| where FolderPath has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\ProgramData\\", "\\Windows\\Temp\\")
| where not (FolderPath has_any ("\\Microsoft Office\\", "\\Microsoft\\Office\\", "\\AppData\\Local\\Microsoft\\"))
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
union OfficeTestRegCreate, OfficeUnexpectedDLL
| sort by Timestamp desc
high severity high confidence

Two-part detection for the Office Test persistence mechanism. Part 1 monitors for creation of the Office Test registry key (HKCU or HKLM path containing 'Office test\Special\Perf'), which is not present in standard Office installations. Any write to this key is highly suspicious. Part 2 detects Office applications loading DLLs from user-writable locations (Users, Temp, AppData, ProgramData) which indicates the Office Test DLL being loaded at startup.

Data Sources

Windows Registry: Registry Key CreationWindows Registry: Registry Value ModificationModule: Module LoadMicrosoft Defender for Endpoint

Required Tables

DeviceRegistryEventsDeviceImageLoadEvents

False Positives & Tuning

  • Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
  • Security researchers or red teamers running controlled tests on isolated systems
  • Unusual corporate Office customization tools that happen to use this registry path (very uncommon)
Download portable Sigma rule (.yml)

Other platforms for T1137.002

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Office Test HKCU Registry Key

    Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKCU\Software\Microsoft\Office test. Sysmon Event ID 13: RegistryValueSet with TargetObject HKCU\Software\Microsoft\Office test\Special\Perf and Details=C:\Windows\System32\calc.exe. Security Event ID 4657 if registry auditing is enabled.

  2. Test 2Create Office Test HKLM Registry Key (Admin Required)

    Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKLM\Software\Microsoft\Office test (high privilege indicator). Sysmon Event ID 13: RegistryValueSet for HKLM path.

  3. Test 3Query Office Test Key Existence (Detection Validation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe and CommandLine containing 'Office test'. No registry modification events generated (query only).

Last updated: 2026-03-11 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1137.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1137Office Application Startup

Related Sub-techniques

T1137.001Office Template MacrosT1137.003Outlook FormsT1137.004Outlook Home PageT1137.005Outlook RulesT1137.006Add-ins

Related Techniques

T1137Office Application StartupT1137.001Office Template MacrosT1574.001DLLT1055.001Dynamic-link Library InjectionT1027Obfuscated Files or InformationT1566.001Spearphishing Attachment

Same Tactic: Persistence

Popular Detections