
Summary
This detection rule identifies the addition of a specific registry key associated with Microsoft Office applications. The key in question, `HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf`, lets a user specify an arbitrary DLL to be executed whenever an Office application starts. Such a modification is indicative of malicious activity, particularly as a persistence method employed by sophisticated threat actors, including the Sofacy group. The rule applies to Windows environments and helps security teams monitor unauthorized registry modifications that could indicate exploitation attempts. It selects registry events whose target matches the path above, since that key can be abused in various attack vectors, including delivering malware through a legitimate application.
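The following is an added example of the selection logic the rule describes, run over constructed Sysmon-style registry events; it is not the rule's own code, and the field names (EventID, Image, TargetObject, Details) assume Sysmon as the telemetry source. It matches on the path suffix rather than the literal `HKEY_CURRENT_USER` prefix, because Sysmon records the current-user hive as `HKU\<SID>\...`; the suffix match also covers a machine-wide copy of the same key.

```python
"""Flag Sysmon-style registry events that touch the Office test\Special\Perf key.

Added example for the rule described above; it is not the rule's own
code. The events below are constructed and use Sysmon field names
(EventID, Image, TargetObject, Details), which is an assumption about
the telemetry feeding the rule.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Match on the path suffix rather than the literal HKEY_CURRENT_USER prefix:
# Sysmon records the current-user hive as HKU\<SID>\..., so a rule anchored
# on "HKEY_CURRENT_USER" would miss every real event. A suffix match also
# covers a machine-wide (HKLM) copy of the same key.
OFFICE_TEST_KEY = r"\software\microsoft\office test\special\perf"

# Sysmon registry events: 12 = key create/delete, 13 = value set, 14 = rename.
REGISTRY_EVENT_IDS = {12, 13, 14}


@dataclass
class Alert:
    event_id: int
    image: str          # process that wrote the key (triage: reg.exe vs. Office itself)
    target_object: str
    details: str        # for a value-set event, the DLL path that was written


def is_office_test_key(target_object: str) -> bool:
    """True if the registry path is the Office test\Special\Perf key or a value under it."""
    normalized = target_object.replace("/", "\\").lower()
    return OFFICE_TEST_KEY in normalized


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Return one Alert per registry event whose TargetObject hits the key."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue  # not a registry event; nothing for this rule to evaluate
        target = ev.get("TargetObject", "")
        if is_office_test_key(target):
            alerts.append(Alert(ev["EventID"], ev.get("Image", ""), target, ev.get("Details", "")))
    return alerts


# Constructed sample telemetry (placeholder SID and paths, not from a real host).
SID = "S-1-5-21-1000000000-2000000000-3000000000-1001"
SAMPLE_EVENTS = [
    # Key created under the user's hive: EventID 12.
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Office test\Special\Perf",
     "Details": ""},
    # Default value set to a DLL path: EventID 13.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Office test\Special\Perf\(Default)",
     "Details": r"C:\Users\Public\example-placeholder.dll"},
    # Benign Office registry write that must not match.
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Office\16.0\Word\Options\LastUILang",
     "Details": "DWORD (0x00000409)"},
    # Process-creation event: wrong event type, ignored by this rule.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"EventID {alert.event_id}: {alert.image} -> {alert.target_object} {alert.details}")
```

Because the rule fires on any write to the key, triage relies on the two fields carried into the Alert: the Image tells you whether the write came from an administrative tool or from an unexpected process, and the Details of a value-set event give the DLL path that Office would load on its next start.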
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2020-10-25