title: Office Test (T1137.002)
id: df00tech-t1137-002
status: experimental
description: "Adversaries abuse the Microsoft Office 'Office Test' registry key to load an arbitrary DLL every time an Office application starts. The keys HKCU\\Software\\Microsoft\\Office test\\Special\\Perf and HKLM\\Software\\Microsoft\\Office test\\Special\\Perf are not created during standard Office installations, making their presence a strong indicator of persistence. APT28 (Sofacy) has used this technique operationally."
references:
  - https://attack.mitre.org/techniques/T1137/002/
  - https://df00tech.com/detections/T1137.002
author: df00tech
date: 2026/03/11
tags:
  - attack.t1137.002
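# NOTE: logsource is auto-derived and may need adjustment for your environment.
# registry_event needs registry telemetry, e.g. Sysmon Event IDs 12-14.
logsource:
  product: windows
  category: registry_event
detection:
  # Matches any registry activity under the Office Test key named in the description
  # (HKCU and HKLM). The KQL/SPL query on df00tech remains the reference logic.
  selection:
    TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
  condition: selection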
falsepositives:
  - Microsoft internal developers using the Office Test key for legitimate testing (extremely rare in production environments)
  - Security researchers or red teamers running controlled tests on isolated systems
  - Unusual corporate Office customization tools that happen to use this registry path (very uncommon)
level: high
