Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
There exist user and global Registry keys for the Office Test feature, such as:
Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.002 | Office Test |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1137.002 | Office Test |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1137.002 | Office Test |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1137.002 | Office Test |
Comments
This diagnostic statement provides protection from Office Test through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1137.002 | Office Test | |
| CM-05 | Access Restrictions for Change | mitigates | T1137.002 | Office Test | |
| AC-17 | Remote Access | mitigates | T1137.002 | Office Test | |
| SC-18 | Mobile Code | mitigates | T1137.002 | Office Test | |
| SC-44 | Detonation Chambers | mitigates | T1137.002 | Office Test | |
| SI-08 | Spam Protection | mitigates | T1137.002 | Office Test | |
| AC-14 | Permitted Actions Without Identification or Authentication | mitigates | T1137.002 | Office Test | |
| CM-02 | Baseline Configuration | mitigates | T1137.002 | Office Test | |
| AC-10 | Concurrent Session Control | mitigates | T1137.002 | Office Test | |
| AC-06 | Least Privilege | mitigates | T1137.002 | Office Test |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.002 | Office Test |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1137.002 | Office Test |
Comments
This control may detect changes to the Windows registry to establish persistence with the Office Test sub-technique. The specificity of registry keys involved may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|