Office Test Registry Persistence
Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/08/22"
3integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/10"
6min_stack_version = "8.13.0"
7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to
13specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
14persistence on a compromised host.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "logs-m365_defender.event-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Office Test Registry Persistence"
21references = [
22 "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
23]
24risk_score = 21
25rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
26severity = "low"
27tags = [
28 "Domain: Endpoint",
29 "OS: Windows",
30 "Use Case: Threat Detection",
31 "Tactic: Persistence",
32 "Tactic: Defense Evasion",
33 "Data Source: Elastic Defend",
34 "Data Source: Elastic Endgame",
35 "Data Source: Microsoft Defender for Endpoint",
36 "Data Source: SentinelOne",
37]
38timestamp_override = "event.ingested"
39type = "eql"
40
41query = '''
42registry where host.os.type == "windows" and event.action != "deletion" and
43 registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1137"
51name = "Office Application Startup"
52reference = "https://attack.mitre.org/techniques/T1137/"
53[[rule.threat.technique.subtechnique]]
54id = "T1137.002"
55name = "Office Test"
56reference = "https://attack.mitre.org/techniques/T1137/002/"
57
58
59
60[rule.threat.tactic]
61id = "TA0003"
62name = "Persistence"
63reference = "https://attack.mitre.org/tactics/TA0003/"
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1112"
68name = "Modify Registry"
69reference = "https://attack.mitre.org/techniques/T1112/"
70
71
72[rule.threat.tactic]
73id = "TA0005"
74name = "Defense Evasion"
75reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
Unit 42's Robert Falcone gives a technical walkthrough of the Office Test persistence method used in recent Sofacy attacks.
Read More
Related rules
- Component Object Model Hijacking
- Startup or Run Key Registry Modification
- Unsigned DLL Loaded by Svchost
- Persistence via a Windows Installer
- Persistence via WMI Standard Registry Provider