Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Office Application Startup: Office Test

Other sub-techniques of Office Application Startup (6)

ID	Name
.001	Office Template Macros
.002	Office Test
.003	Outlook Forms
.004	Outlook Home Page
.005	Outlook Rules
.006	Add-ins

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy) There exist user and global Registry keys for the Office Test feature: * HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf * HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

ID: T1137.002

Sub-technique of: T1137

Tactic(s): Persistence

Platforms: Office 365, Windows

Permissions Required: Administrator, User

Data Sources: Command: Command Execution, File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification

Version: 1.1

Created: 07 Nov 2019

Last Modified: 16 Aug 2021

Name	Description
Procedure Examples
APT28	APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key `HKCU\Software\Microsoft\Office test\Special\Perf` to execute code.(Citation: Palo Alto Office Test Sofacy)

Mitigation	Description
Mitigations
Software Configuration	Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
Behavior Prevention on Endpoint	Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Detection

Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy) Consider monitoring Office processes for anomalous DLL loads.

References

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.