Try it using Invoke-Atomic

Office Application Startup: Office Test

Description from ATT&CK

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)

There exist user and global Registry keys for the Office Test feature:

  • HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

Atomic Tests

Atomic Test #1 - Office Application Startup Test Persistence

Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives.

Supported Platforms: windows

auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563

Inputs:

Name Description Type Default Value
thing_to_execute Thing to Run Path C:\Path\AtomicRedTeam.dll

Attack Commands: Run with command_prompt!

1
2
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}"

Cleanup Commands:

1
2
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /f >nul 2>&1

source