Office Application Startup - Office Test
Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
Sigma rule (View on GitHub)
1title: Office Application Startup - Office Test
2id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
3status: test
4description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
5references:
6 - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
7author: omkar72
8date: 2020/10/25
9modified: 2023/11/08
10tags:
11 - attack.persistence
12 - attack.t1137.002
13logsource:
14 category: registry_event
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: medium
References
-
Unit 42's Robert Falcone gives a technical walkthrough of the Office Test persistence method used in recent Sofacy attacks.
Read More
Related rules
- Linux Webshell Indicators
- Persistence Via Sudoers Files
- Potential Persistence Via Notepad++ Plugins
- Potential Persistence Via Security Descriptors - ScriptBlock
- Potential RipZip Attack on Startup Folder