Office Test Registry Persistence

calendar Apr 16, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Tactic: Defense Evasion Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/22"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/05"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to
13specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
14persistence on a compromised host.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Office Test Registry Persistence"
21references = [
22    "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
23]
24risk_score = 21
25rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
26severity = "low"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32registry where host.os.type == "windows" and event.action != "deletion" and
33    registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
34'''
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1137"
40name = "Office Application Startup"
41reference = "https://attack.mitre.org/techniques/T1137/"
42[[rule.threat.technique.subtechnique]]
43id = "T1137.002"
44name = "Office Test"
45reference = "https://attack.mitre.org/techniques/T1137/002/"
46	
47[rule.threat.tactic]
48id = "TA0003"
49name = "Persistence"
50reference = "https://attack.mitre.org/tactics/TA0003/"
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1112"
56name = "Modify Registry"
57reference = "https://attack.mitre.org/techniques/T1112/"
58
59[rule.threat.tactic]
60id = "TA0005"
61name = "Defense Evasion"
62reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top