Microsoft Office 'Office Test' Registry Persistence Abuse
Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application startup.
The “Office Test” registry key, located under HKCU\Software\Microsoft\Office Test\Special\Perf, is a legitimate feature that allows a DLL to be specified that is loaded every time an MS Office application is started. Attackers can abuse this functionality by modifying the registry to point to a malicious DLL, achieving persistence on a compromised host. This allows malicious activity to continue even after a system restart or user logout. Elastic has published a rule to detect this behavior. Any creation or modification of this key (deletions excluded) is a strong indicator of potential abuse and can be detected with endpoint detection and response (EDR) telemetry as well as traditional Sysmon registry event logging.
Attack Chain
- An attacker gains initial access to a system, often through phishing or exploiting a vulnerability.
- The attacker establishes a foothold and escalates privileges to make necessary registry modifications.
- The attacker modifies the HKCU\Software\Microsoft\Office Test\Special\Perf registry key, adding a new entry or modifying an existing one to point to a malicious DLL.
- The attacker ensures the malicious DLL is present on the system, either by dropping it directly or using existing system tools to download it.
- A user launches a Microsoft Office application (e.g., Word, Excel, PowerPoint).
- The Office application loads the DLL specified in the “Office Test” registry key during startup.
- The malicious DLL executes its payload, which could include establishing a reverse shell, installing malware, or exfiltrating data.
- The attacker maintains persistence, allowing them to regain access to the system each time an Office application is started.
Impact
Successful exploitation allows attackers to maintain persistent access to a compromised system. The injected DLL can be used to execute arbitrary code, potentially leading to data theft, malware installation, or further compromise of the network. The relatively low risk score reflects that this is a common technique, but the persistent access it grants makes it a significant threat.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune it for your environment to detect unauthorized modifications to the “Office Test” registry key (HKCU\Software\Microsoft\Office Test\Special\Perf\*).
- Enable Sysmon registry event logging to capture registry modifications and activate the Sigma rule above.
- Monitor process execution logs for Office applications to detect if a suspicious DLL has been loaded or executed, as described in the investigation guide.
- Implement enhanced monitoring and alerting for similar registry modifications across the network, as described in the remediation steps.
Detection coverage (2 rules)
Detect Office Test Registry Key Modification
Severity: low. Detects modifications to the Microsoft Office 'Office Test' registry key, which is a common persistence technique.
Detect DLL Load from Office Test Registry Key
Severity: medium. Detects when a DLL specified in the 'Office Test' registry key is loaded by an Office application.
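As an added example (not part of this write-up or of Elastic's published rule), the two detections above applied to constructed Sysmon-style events in Python: the first flags create, set and rename events on the Office Test key and skips deletions, the second correlates the DLL path written to the key with a later image-load event by an Office process. The user SID, file paths and Office process list are assumptions.

```python
import re

# Sysmon records per-user hives as HKU\<SID>\..., not HKCU\..., so match the key path by suffix.
OFFICE_TEST_KEY = re.compile(r"\\Software\\Microsoft\\Office Test\\Special\\Perf(\\|$)", re.I)
OFFICE_PROCESSES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")  # assumed list
SID = r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed user SID
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed Sysmon-style events in the flattened form a SIEM would present; not real logs.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office Test\Special\Perf\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\perf.dll"},           # key set -> alert
    {"EventID": 13, "EventType": "SetValue", "Image": WORD,
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Options\OpenedLast",
     "Details": "1"},                                                   # unrelated -> ignore
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office Test\Special\Perf"},  # deletion -> excluded
    {"EventID": 7, "Image": WORD, "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\perf.dll"},        # DLL load -> alert
]


def detect_key_modification(events):
    """Detection 1: registry create/set/rename events on the Office Test key, deletions excluded."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (12, 13, 14):                 # Sysmon registry event IDs
            continue
        if ev.get("EventType", "").lower().startswith("delete"):  # DeleteKey / DeleteValue
            continue
        if OFFICE_TEST_KEY.search(ev.get("TargetObject", "")):
            hits.append(ev)
    return hits


def detect_dll_load(events):
    """Detection 2: an Office process (Sysmon EID 7) loading the DLL path that was written to the key."""
    staged = {ev["Details"].lower() for ev in detect_key_modification(events) if ev.get("Details")}
    return [ev for ev in events
            if ev.get("EventID") == 7
            and ev.get("Image", "").lower().endswith(OFFICE_PROCESSES)
            and ev.get("ImageLoaded", "").lower() in staged]


if __name__ == "__main__":
    for ev in detect_key_modification(SAMPLE_EVENTS):
        print("Office Test key modified:", ev["Image"], "->", ev["TargetObject"])
    for ev in detect_dll_load(SAMPLE_EVENTS):
        print("Office process loaded staged DLL:", ev["Image"], "->", ev["ImageLoaded"])
```

In a real SIEM the two queries would be joined on host and user and bounded by a time window, since the load may happen hours after the registry write.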