Detect Office Test in Sumo Logic CSE
Adversaries abuse the Microsoft Office 'Office Test' registry key to load an arbitrary DLL every time an Office application starts. The keys HKCU\Software\Microsoft\Office test\Special\Perf and HKLM\Software\Microsoft\Office test\Special\Perf are not created during standard Office installations, making their presence a strong indicator of persistence. APT28 (Sofacy) has used this technique operationally.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Sub-technique
- T1137.002 Office Test
- Canonical reference
- https://attack.mitre.org/techniques/T1137/002/
Sumo Detection Query
_sourceCategory=windows/sysmon
| json auto
| where EventID in ("12","13","7")
| eval detection_type = if(
(EventID in ("12","13")) and matches(TargetObject, "(?i)Microsoft.*Office test"),
"OfficeTest_Registry",
if(EventID == "7" and matches(Image, "(?i)(winword|excel|powerpnt|outlook|mspub)\.exe")
and matches(ImageLoaded, "(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\)")
and !matches(ImageLoaded, "(?i)(\\Microsoft Office\\|\\AppData\\Local\\Microsoft\\)"),
"Office_UserWritable_DLL", null))
| where !isNull(detection_type)
| table _time, Computer, User, detection_type, TargetObject, Image, ImageLoaded, CommandLine
| sort by _time descDetects Office Test registry persistence and Office DLL loads from user-writable paths using Sumo Logic with Sysmon data.
Data Sources
Required Tables
False Positives & Tuning
- Microsoft internal developers using Office Test key for legitimate testing (extremely rare in production environments)
- Security researchers or red teamers running controlled tests on isolated systems
- Unusual corporate Office customization tools that happen to use this registry path (very uncommon)
Other platforms for T1137.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Office Test HKCU Registry Key
Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKCU\Software\Microsoft\Office test. Sysmon Event ID 13: RegistryValueSet with TargetObject HKCU\Software\Microsoft\Office test\Special\Perf and Details=C:\Windows\System32\calc.exe. Security Event ID 4657 if registry auditing is enabled.
- Test 2Create Office Test HKLM Registry Key (Admin Required)
Expected signal: Sysmon Event ID 12: RegistryKeyCreate for HKLM\Software\Microsoft\Office test (high privilege indicator). Sysmon Event ID 13: RegistryValueSet for HKLM path.
- Test 3Query Office Test Key Existence (Detection Validation)
Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe and CommandLine containing 'Office test'. No registry modification events generated (query only).
References (4)
- https://attack.mitre.org/techniques/T1137/002/
- https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
- http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md
Unlock Pro Content
Get the full detection package for T1137.002 including response playbook, investigation guide, and atomic red team tests.