Office Test Registry Persistence
Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/08/22"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to
11specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
12persistence on a compromised host.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Office Test Registry Persistence"
19references = [
20 "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
21]
22risk_score = 21
23rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
24severity = "low"
25tags = [
26 "Domain: Endpoint",
27 "OS: Windows",
28 "Use Case: Threat Detection",
29 "Tactic: Persistence",
30 "Tactic: Defense Evasion",
31 "Data Source: Elastic Defend",
32]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37registry where host.os.type == "windows" and event.action != "deletion" and
38 registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1137"
46name = "Office Application Startup"
47reference = "https://attack.mitre.org/techniques/T1137/"
48[[rule.threat.technique.subtechnique]]
49id = "T1137.002"
50name = "Office Test"
51reference = "https://attack.mitre.org/techniques/T1137/002/"
52
53
54
55[rule.threat.tactic]
56id = "TA0003"
57name = "Persistence"
58reference = "https://attack.mitre.org/tactics/TA0003/"
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1112"
63name = "Modify Registry"
64reference = "https://attack.mitre.org/techniques/T1112/"
65
66
67[rule.threat.tactic]
68id = "TA0005"
69name = "Defense Evasion"
70reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Adding Hidden File Attribute via Attrib
- Component Object Model Hijacking
- Image File Execution Options Injection
- Installation of Security Support Provider
- Persistence via Hidden Run Key Detected