Office Test Registry Persistence
Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.
Elastic rule
[metadata]
creation_date = "2023/08/22"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to
specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
persistence on a compromised host.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "logs-m365_defender.event-*",
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Office Test Registry Persistence"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Office Test Registry Persistence

The Office Test Registry key in Windows environments allows specifying a DLL to execute whenever an Office application starts, providing a mechanism for legitimate customization. However, adversaries can exploit this for persistence by loading malicious DLLs. The detection rule monitors modifications to this registry path, excluding deletions, to identify potential abuse, leveraging data from various security sources to flag suspicious activity.

### Possible investigation steps

- Review the registry event details to identify the specific DLL path that was added or modified in the Office Test Registry key.
- Check the file properties and digital signature of the DLL specified in the registry modification to determine its legitimacy.
- Investigate the source of the registry modification by correlating with user activity logs to identify which user account made the change.
- Analyze recent process execution logs for any Office applications to detect if the suspicious DLL has been loaded or executed.
- Cross-reference the DLL and associated registry modification with threat intelligence sources to check for known malicious indicators.
- Examine the system for additional signs of compromise, such as unusual network connections or other persistence mechanisms, to assess the scope of potential intrusion.

### False positive analysis

- Legitimate software installations or updates may modify the Office Test Registry key as part of their setup process. Users can create exceptions for known software vendors or specific applications that are frequently updated.
- System administrators might use scripts or management tools that modify the registry for configuration purposes. Identify and exclude these trusted scripts or tools from triggering alerts.
- Customization by IT departments for legitimate business needs can lead to registry modifications. Document and whitelist these customizations to prevent false positives.
- Security software or monitoring tools might interact with the registry as part of their normal operations. Verify and exclude these interactions if they are known to be safe and necessary for system functionality.

### Response and remediation

- Immediately isolate the affected host from the network to prevent further spread or communication with potential command and control servers.
- Use endpoint detection and response (EDR) tools to terminate any suspicious processes associated with the malicious DLL identified in the registry path.
- Remove the malicious DLL entry from the Office Test Registry key to prevent it from executing on future Office application startups.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious files or remnants.
- Review recent user activity and system logs to identify any unauthorized access or changes that may have led to the registry modification, and reset credentials if necessary.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for similar registry modifications across the network to detect and respond to future attempts promptly."""
references = [
    "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
]
risk_score = 21
rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.action != "deletion" and
  registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"
[[rule.threat.technique.subtechnique]]
id = "T1137.002"
name = "Office Test"
reference = "https://attack.mitre.org/techniques/T1137/002/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
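To make the query's predicate concrete, the following is an added Python re-implementation of the rule logic (not Elastic's code or the EQL engine) run over constructed ECS-shaped registry events; `make_event`, `SAMPLE_EVENTS` and the SIDs and paths in them are illustrative assumptions. It shows the three conditions working together: the `registry` event category on a Windows host, the exclusion of `deletion` actions, and the case-insensitive wildcard match of the EQL `:` operator, which catches the key path whether it is written `Office Test` or `OFFICE TEST`, under HKCU or HKLM.

```python
"""Offline emulation of the Office Test Registry Persistence EQL predicate."""
import re


def eql_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an EQL `:` pattern (case-insensitive, `*` and `?` wildcards) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


# The rule's pattern. EQL escapes backslashes; a Python raw string carries them literally.
OFFICE_TEST_PATTERN = eql_wildcard_to_regex(r"*\Software\Microsoft\Office Test\Special\Perf\*")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies:
    registry where host.os.type == "windows" and event.action != "deletion" and
      registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
    """
    if event.get("event", {}).get("category") != "registry":   # `registry where ...`
        return False
    if event.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    if event.get("event", {}).get("action") == "deletion":      # removals are not alerted on
        return False
    return OFFICE_TEST_PATTERN.fullmatch(event.get("registry", {}).get("path", "")) is not None


def make_event(path, action="modification", os_type="windows", category="registry") -> dict:
    """Build a constructed ECS-shaped registry event (hypothetical helper, not real telemetry)."""
    return {"event": {"category": category, "action": action},
            "host": {"os": {"type": os_type}}, "registry": {"path": path}}


# Constructed samples: a per-user write, a machine-wide write in different case, a deletion,
# an unrelated Office setting, and a matching path reported from a non-Windows host.
SAMPLE_EVENTS = [
    make_event(r"HKEY_USERS\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Office Test\Special\Perf\(Default)"),
    make_event(r"HKLM\SOFTWARE\Microsoft\OFFICE TEST\Special\Perf\(Default)"),
    make_event(r"HKEY_USERS\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Office Test\Special\Perf\(Default)",
               action="deletion"),
    make_event(r"HKEY_USERS\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Office\16.0\Word\Options\Foo"),
    make_event(r"HKLM\SOFTWARE\Microsoft\Office Test\Special\Perf\(Default)", os_type="linux"),
]


def run_rule(events) -> list:
    """Return the registry paths of the events that would raise this alert."""
    return [e["registry"]["path"] for e in events if matches_rule(e)]
```

Running `run_rule(SAMPLE_EVENTS)` returns only the first two paths; the deletion, the unrelated Office key and the non-Windows event are filtered out exactly as the EQL conditions dictate.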