<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Office Test - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/office-test/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/office-test/feed.xml" rel="self" type="application/rss+xml"/><item><title>Office Test Registry Persistence for Malicious DLL Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-office-test-registry-persistence/</link><pubDate>Tue, 30 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-office-test-registry-persistence/</guid><description>Attackers can modify the Microsoft Office 'Office Test' Registry key to establish persistence by loading a malicious DLL that executes every time an MS Office application starts.</description><content:encoded><![CDATA[<p>Attackers can exploit the Microsoft Office &quot;Office Test&quot; Registry key (located at <code>HKCU\Software\Microsoft\Office Test\Special\Perf</code>) to achieve persistence. This key allows specifying a DLL that is executed whenever an MS Office application is started. By modifying this registry key to point to a malicious DLL, attackers can ensure that their code is executed every time a user opens Word, Excel, or other Office applications. This technique is particularly effective because it leverages a legitimate feature of MS Office, making it harder to detect. This activity has been observed in historical campaigns by the Sofacy APT.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.</li>
<li>The attacker elevates privileges to allow modification of the registry.</li>
<li>The attacker modifies the <code>HKCU\Software\Microsoft\Office Test\Special\Perf</code> registry key to point to a malicious DLL.</li>
<li>The malicious DLL is placed on the system in a location accessible to the user account.</li>
<li>The user launches an MS Office application (e.g., Word, Excel).</li>
<li>The MS Office application loads the malicious DLL specified in the registry key.</li>
<li>The malicious DLL executes its payload, potentially installing malware, establishing a reverse shell, or exfiltrating data.</li>
<li>The attacker maintains persistence on the system, as the malicious DLL will be loaded every time an MS Office application is launched.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to maintain persistent access to compromised systems. This can lead to data theft, installation of ransomware, or further compromise of the network. The number of victims is dependent on the scope of the initial compromise, but any system with MS Office installed is potentially vulnerable. Attackers often use this technique to maintain access to high-value targets, such as executives or system administrators.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor registry modifications to the <code>HKCU\Software\Microsoft\Office Test\Special\Perf</code> key using the Sigma rule provided to detect potential malicious activity.</li>
<li>Enable Sysmon registry event logging to capture the necessary data for the Sigma rule to function correctly.</li>
<li>Regularly scan systems with updated anti-malware solutions to detect and remove any malicious DLLs.</li>
<li>Implement application control policies to prevent the execution of unauthorized DLLs in MS Office applications.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to the DLL path and user activity logs.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>registry modification</category><category>office test</category></item></channel></rss>