AN0880: Analytic 0880
Adversaries create the 'Office Test\Special\Perf' registry key and specify a malicious DLL path that is auto-loaded when an Office application starts. This DLL is injected into the Office process memory space and can provide persistent execution without requiring macro enablement.
Analyst context for executives and security teams
This analytic describes a Windows persistence pattern where a registry location associated with Microsoft Office can cause a DLL to load when an Office application starts. The business significance is that control programs focused mainly on macro blocking may miss this kind of Office-based persistence, so leaders should ask whether endpoint monitoring covers registry-based Office autoload behavior and DLL loading into Office processes.
Executive priority
Prioritize this as an endpoint resilience and incident-readiness validation item for Windows environments using Office. It is most useful for checking whether SOC, EDR, and IR evidence can prove or disprove Office-based persistence without relying only on macro controls. Because no tactic, relationship context, or official detection logic is supplied, this should be treated as a coverage assessment and hunting opportunity rather than a confirmed threat trend.
Technical view
Validate whether Windows telemetry captures creation or modification of the 'Office Test\Special\Perf' registry key and any DLL path configured there. SOC and detection engineering teams should correlate registry changes with subsequent Office application starts and module/DLL loads into Office process memory. IR teams should be prepared to inspect the referenced DLL path, process lineage, user context, and persistence timeline. Since ATT&CK provides no detection logic for AN0880, local baselining is required to separate suspicious Office persistence from any legitimate administrative or testing activity.
Likely telemetry
- Windows registry key creation and modification events for 'Office Test\Special\Perf'
- Endpoint detection and response telemetry for registry persistence changes
- Office application process start events on Windows endpoints
- DLL or image-load telemetry showing modules loaded by Office processes
- File creation or modification telemetry for the DLL path referenced by the registry value
Detection direction
- Create or validate detections for creation or modification of the specified Office-related registry key and values that reference DLL paths.
- Correlate the registry change with Office process execution and DLL/module loading to improve confidence.
- Tune for authorized software deployment, testing, or administrative activity if such use exists in the local environment.
- Do not assume macro telemetry will detect this behavior; the supplied description specifically notes persistence without requiring macro enablement.
- Confirm telemetry coverage on Windows endpoints, because Windows is the only platform supplied for this analytic.
Mitigation priorities
- Confirm that endpoint hardening and monitoring cover registry-based Office persistence, not only Office macro policy.
- Restrict unauthorized users and processes from writing persistence-relevant registry locations where feasible.
- Use application control or allowlisting policies to limit untrusted DLL execution and loading paths where operationally practical.
- Ensure EDR or logging policy captures registry modifications, Office process starts, and DLL/image-load activity needed for investigation.
- Include this registry artifact in IR collection checklists for Windows hosts where Office persistence is suspected.
Analyst notes and limits
AN0880 is a detection analytic object, not a full ATT&CK technique entry. The strongest decision value is in validating whether the organization can observe and investigate this Office registry persistence path on Windows endpoints. Relationship context was not supplied, so this take does not infer associated tactics, procedures, groups, or campaigns.
The official object provides a description but no detection text, no tactics, no relationships, and only the Windows platform. Local environment baselines, registry auditing configuration, EDR visibility, and Office deployment details are required before judging coverage or risk.
Analytic 0880
Adversaries create the 'Office Test\Special\Perf' registry key and specify a malicious DLL path that is auto-loaded when an Office application starts. This DLL is injected into the Office process memory space and can provide persistent execution without requiring macro enablement.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | e999719597af… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0880Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.