Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
There exist user and global Registry keys for the Office Test feature, such as:
Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1137.002 | Office Test | |
CM-05 | Access Restrictions for Change | mitigates | T1137.002 | Office Test | |
AC-17 | Remote Access | mitigates | T1137.002 | Office Test | |
SC-18 | Mobile Code | mitigates | T1137.002 | Office Test | |
SC-44 | Detonation Chambers | mitigates | T1137.002 | Office Test | |
SI-08 | Spam Protection | mitigates | T1137.002 | Office Test | |
AC-14 | Permitted Actions Without Identification or Authentication | mitigates | T1137.002 | Office Test | |
CM-02 | Baseline Configuration | mitigates | T1137.002 | Office Test | |
AC-10 | Concurrent Session Control | mitigates | T1137.002 | Office Test | |
AC-06 | Least Privilege | mitigates | T1137.002 | Office Test | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1137.002 | Office Test | |