Office Test Registry Persistence

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Tactic: Defense Evasion Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/22"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to
11specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
12persistence on a compromised host.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Office Test Registry Persistence"
19references = [
20    "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
21]
22risk_score = 21
23rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
24severity = "low"
25tags = [
26    "Domain: Endpoint",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Persistence",
30    "Tactic: Defense Evasion",
31    "Data Source: Elastic Defend",
32]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37registry where host.os.type == "windows" and event.action != "deletion" and
38    registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1137"
46name = "Office Application Startup"
47reference = "https://attack.mitre.org/techniques/T1137/"
48[[rule.threat.technique.subtechnique]]
49id = "T1137.002"
50name = "Office Test"
51reference = "https://attack.mitre.org/techniques/T1137/002/"
52
53
54
55[rule.threat.tactic]
56id = "TA0003"
57name = "Persistence"
58reference = "https://attack.mitre.org/tactics/TA0003/"
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1112"
63name = "Modify Registry"
64reference = "https://attack.mitre.org/techniques/T1112/"
65
66
67[rule.threat.tactic]
68id = "TA0005"
69name = "Defense Evasion"
70reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top