Detect Office Test in Splunk
Adversaries abuse the Microsoft Office 'Office Test' registry key to load an arbitrary DLL every time an Office application starts. The keys HKCU\Software\Microsoft\Office test\Special\Perf and HKLM\Software\Microsoft\Office test\Special\Perf are not created during standard Office installations, making their presence a strong indicator of persistence. APT28 (Sofacy) has used this technique operationally.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.002 Office Test
- Canonical reference: https://attack.mitre.org/techniques/T1137/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=12 AND match(TargetObject, "(?i)Microsoft\\\\Office test"), "OfficeTest_Key_Created",
    EventCode=13 AND match(TargetObject, "(?i)Microsoft\\\\Office test"), "OfficeTest_Key_Modified",
    EventCode=7 AND
        match(Image, "(?i)(winword|excel|powerpnt|outlook|mspub)\.exe") AND
        match(ImageLoaded, "(?i)(\\\\Users\\\\|\\\\Temp\\\\|\\\\AppData\\\\|\\\\ProgramData\\\\|\\\\Windows\\\\Temp\\\\)") AND
        NOT match(ImageLoaded, "(?i)(\\\\Microsoft\\\\Office|\\\\Microsoft Office|\\\\AppData\\\\Local\\\\Microsoft)"),
        "Office_Loading_User_Writable_DLL",
    true(), null()
  )
| where isnotnull(detection_type)
| eval indicator=case(
    EventCode=12 OR EventCode=13, TargetObject,
    EventCode=7, ImageLoaded,
    true(), "-"
  )
| table _time, host, User, detection_type, indicator, Image, CommandLine
| sort - _time

Detects Office Test registry key creation and modification (Sysmon EventCode 12 and 13) for paths containing 'Office test'. Also detects Office processes loading DLLs from user-writable directories (Sysmon EventCode 7). Since the Office Test key is not present in standard Office installations, any registry activity on this path is an immediate indicator of a persistence attempt.
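The query's two case() branches, re-implemented as an added Python example (not part of the original page) so the regexes can be checked offline against events. The sample events are constructed, and the SID, user name and DLL names in them are placeholders.

```python
import re

# Python forms of the query's regexes (SPL "\\\\" matches one literal backslash).
KEY = re.compile(r"Microsoft\\Office test", re.I)
OFFICE_EXE = re.compile(r"(winword|excel|powerpnt|outlook|mspub)\.exe", re.I)
WRITABLE = re.compile(r"(\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\)", re.I)
OFFICE_DIR = re.compile(r"(\\Microsoft\\Office|\\Microsoft Office|\\AppData\\Local\\Microsoft)", re.I)

def classify(ev):
    """Return the detection_type the query would assign, or None when it drops the event."""
    code, target, loaded = ev["EventCode"], ev.get("TargetObject", ""), ev.get("ImageLoaded", "")
    if code == 12 and KEY.search(target):
        return "OfficeTest_Key_Created"
    if code == 13 and KEY.search(target):
        return "OfficeTest_Key_Modified"
    if (code == 7 and OFFICE_EXE.search(ev.get("Image", ""))
            and WRITABLE.search(loaded) and not OFFICE_DIR.search(loaded)):
        return "Office_Loading_User_Writable_DLL"
    return None

def indicator(ev):
    """Mirror the second case(): registry path for 12/13, DLL path for 7, "-" otherwise."""
    return {12: ev.get("TargetObject"), 13: ev.get("TargetObject"),
            7: ev.get("ImageLoaded")}.get(ev["EventCode"], "-")

# Constructed sample events (not real telemetry). Sysmon reports per-user hives as
# HKU\<SID>\..., which the substring match on "Microsoft\Office test" still covers.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLES = [
    {"EventCode": 12, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Office test"},
    {"EventCode": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Office Test\Special\Perf"},
    # Ordinary Office settings key: must not match.
    {"EventCode": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Office\16.0\Common\General"},
    {"EventCode": 7, "Image": WINWORD, "ImageLoaded": r"C:\Users\alice\AppData\Roaming\example.dll"},
    # Office loading its own DLL from Program Files: not a user-writable path.
    {"EventCode": 7, "Image": WINWORD, "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\MSO.DLL"},
    # Non-Office process loading the same DLL: outside the query's scope.
    {"EventCode": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\example.dll"},
]

def run(events=SAMPLES):
    """Return (detection_type, indicator) for every event the query would keep."""
    return [(classify(e), indicator(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for hit in run():
        print(hit)
```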
False Positives & Tuning
- Microsoft development environments with Office SDK testing components installed
- Security researcher workstations running controlled Office persistence tests
- Uncommon corporate customization tools that register as Office test components
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Create Office Test HKCU Registry Key
  Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKCU\Software\Microsoft\Office test. Sysmon Event ID 13: RegistryValueSet with TargetObject HKCU\Software\Microsoft\Office test\Special\Perf and Details=C:\Windows\System32\calc.exe. Security Event ID 4657 if registry auditing is enabled.
- Test 2: Create Office Test HKLM Registry Key (Admin Required)
  Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKLM\Software\Microsoft\Office test (high privilege indicator). Sysmon Event ID 13: RegistryValueSet for HKLM path.
- Test 3: Query Office Test Key Existence (Detection Validation)
  Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe and CommandLine containing 'Office test'. No registry modification events generated (query only).
References (4)
- https://attack.mitre.org/techniques/T1137/002/
- https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
- http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md