MITRE ATT&CK Technique
Description
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy) There exist user and global Registry keys for the Office Test feature, such as: * <code>HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf</code> Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-11-07T19:44:04.475Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse the Microsoft Office "Office Test" '
'Registry key to obtain persistence on a compromised system. '
'An Office Test Registry location exists that allows a user to '
'specify an arbitrary DLL that will be executed every time an '
'Office application is started. This Registry key is thought '
'to be used by Microsoft to load DLLs for testing and '
'debugging purposes while developing Office applications. This '
'Registry key is not created by default during an Office '
'installation.(Citation: Hexacorn Office Test)(Citation: Palo '
'Alto Office Test Sofacy)\n'
'\n'
'There exist user and global Registry keys for the Office Test '
'feature, such as:\n'
'\n'
'* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Office '
'test\\Special\\Perf</code>\n'
'* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office '
'test\\Special\\Perf</code>\n'
'\n'
'Adversaries may add this Registry key and specify a malicious '
'DLL that will be executed whenever an Office application, '
'such as Word or Excel, is started.',
'external_references': [{'external_id': 'T1137.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1137/002'},
{'description': 'Falcone, R. (2016, July 20). '
'Technical Walkthrough: Office Test '
'Persistence Method Used In Recent '
'Sofacy Attacks. Retrieved July 3, '
'2017.',
'source_name': 'Palo Alto Office Test Sofacy',
'url': 'https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/'},
{'description': 'Hexacorn. (2014, April 16). Beyond '
'good ol’ Run key, Part 10. Retrieved '
'July 3, 2017.',
'source_name': 'Hexacorn Office Test',
'url': 'http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/'}],
'id': 'attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:49:34.588Z',
'name': 'Office Test',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'Office Suite'],
'x_mitre_version': '1.3'}