MITRE ATT&CK® Detection Strategy

DET0315: Detect Persistence via Office Test Registry DLL Injection

Enterprise | DET0315 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0315 is a MITRE detection strategy for finding persistence that abuses the Microsoft Office “Office Test” Registry capability. The business significance is that a compromised Windows endpoint with Office installed may be configured to load an arbitrary DLL whenever an Office application starts, turning normal user activity into a persistence trigger. For leaders, the key question is whether endpoint, registry, and Office process telemetry is sufficient to prove this behavior would be noticed during routine SOC monitoring or incident response.

Executive priority

Prioritize this as an endpoint persistence validation item for Windows and Office Suite environments. It matters for operational resilience because persistence tied to common productivity applications can survive user reboots and blend into normal application launches. Security leaders should ask whether their SOC can show evidence of monitoring for unusual Office-related Registry configuration and DLL loading, and whether incident responders have a repeatable way to inspect Office persistence locations during containment and eradication.

Technical view

This detection strategy is related to ATT&CK technique T1137.002, Office Test, under the persistence tactic. The supplied ATT&CK object does not include an official detection description, so teams should validate coverage against the related technique behavior: suspicious creation or modification of the Office Test Registry location and subsequent Office application execution that loads a non-standard DLL. Detection engineering should focus on the relationship between Registry changes, Office process starts, and DLL load evidence rather than treating any single event as conclusive.

Likely telemetry

  • Windows Registry creation and modification events for Office-related persistence locations
  • Endpoint process execution telemetry for Microsoft Office applications
  • Image/DLL load telemetry associated with Office processes
  • File creation or modification telemetry for DLLs referenced by Office-related Registry values
  • User, host, and timestamp context to correlate Registry modification with later Office execution

Detection direction

  • Validate whether endpoint telemetry captures Registry changes relevant to the Office Test persistence location before an incident occurs.
  • Correlate Registry modification events with Office process launches and DLL loads to reduce false positives and distinguish configuration changes from execution behavior.
  • Baseline legitimate Office add-ins, testing/debugging activity, and administrative software behavior where applicable, because benign enterprise tooling may touch Office-related settings.
  • Hunt for Office processes loading DLLs from unusual or user-writable paths when supported by local telemetry.
  • Scope detections to Windows and Office Suite assets, the platforms listed for the related ATT&CK technique, rather than assuming coverage across other environments.
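The correlation the bullets above describe, as an added example that is not code from the page or from MITRE: a Registry write to the Office Test location (the path is the one documented for T1137.002 and is an assumption to validate locally, as the page says), followed on the same host and user by an Office launch that loads either the DLL named in that value or any DLL from a user-writable path. Field names are Sysmon-like and the sample events are constructed.

```python
# Added example (not code from the page or MITRE): Registry write -> Office launch -> DLL load.
# Office Test key per ATT&CK T1137.002; the exact local path is an assumption to validate per environment.
OFFICE_TEST_KEY = r"\software\microsoft\office test\special\perf"
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOW_SECS = 3600  # max gap between the Registry write and the Office launch

def correlate(events):
    """Alert when an Office Test Registry write on a host/user is followed by an Office
    process loading the referenced DLL or any DLL from a user-writable path."""
    reg_writes = {}    # (host, user) -> Office Test Registry write events
    office_procs = {}  # (host, pid) -> the Registry write that preceded this Office launch
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        actor = (e["host"], e["user"])
        if e["type"] == "registry_set" and OFFICE_TEST_KEY in e["target"].lower():
            reg_writes.setdefault(actor, []).append(e)
        elif e["type"] == "process_create":
            exe = e["image"].lower().rsplit("\\", 1)[-1]
            prior = [r for r in reg_writes.get(actor, []) if 0 <= e["ts"] - r["ts"] <= WINDOW_SECS]
            if exe in OFFICE_PROCS and prior:  # Office launched soon after a Registry write
                office_procs[(e["host"], e["pid"])] = prior[-1]
        elif e["type"] == "image_load" and (e["host"], e["pid"]) in office_procs:
            reg = office_procs[(e["host"], e["pid"])]
            dll = e["image"].lower()
            if dll == reg["details"].lower():
                reason = "loaded the DLL named in the Office Test value"
            elif dll.startswith(USER_WRITABLE):
                reason = "loaded a DLL from a user-writable path"
            else:
                continue  # system DLLs and other expected loads: no alert
            alerts.append({"host": e["host"], "user": e["user"], "pid": e["pid"],
                           "dll": e["image"], "registry_ts": reg["ts"], "reason": reason})
    return alerts

# Constructed sample telemetry with Sysmon-like field names (not real logs).
SAMPLE_EVENTS = [
    {"type": "registry_set", "ts": 100, "host": "WS01", "user": "CORP\\alice",
     "target": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Office test\Special\Perf\(Default)",
     "details": r"C:\Users\alice\AppData\Roaming\perf.dll"},
    {"type": "process_create", "ts": 700, "host": "WS01", "user": "CORP\\alice", "pid": 4242,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "image_load", "ts": 702, "host": "WS01", "user": "CORP\\alice", "pid": 4242,
     "image": r"C:\Users\alice\AppData\Roaming\perf.dll"},
    # WS02 has no preceding Office Test write: a user-writable load alone stays a hunt lead.
    {"type": "process_create", "ts": 800, "host": "WS02", "user": "CORP\\bob", "pid": 5151,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "image_load", "ts": 801, "host": "WS02", "user": "CORP\\bob", "pid": 5151,
     "image": r"C:\Users\bob\AppData\Local\Temp\addin.dll"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for WS01 tied back to the Registry write at ts 100; the WS02 load is left for hunting because no Office Test write preceded it.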

Mitigation priorities

  • Inventory where Microsoft Office is installed on Windows endpoints and confirm those systems are in scope for endpoint monitoring.
  • Restrict unnecessary Registry modification rights through standard endpoint hardening and least-privilege practices.
  • Control where Office processes can load executable content from, using existing endpoint prevention or application control capabilities where available.
  • Include Office persistence Registry checks in incident response triage and eradication procedures.
  • Maintain audit evidence showing that Registry, process, and module-load telemetry is collected and retained for relevant Windows Office endpoints.

Analyst notes and limits

The ATT&CK detection strategy object itself is sparse: it provides a name and relationship to T1137.002 but no official description, detection text, platforms, or tactics. The practical guidance here is therefore derived from the supplied relationship context for Office Test persistence and framed as validation direction rather than confirmed coverage.

This take does not assert active exploitation, actor use, impact, or guaranteed detection. Local Registry paths, Office versions, telemetry availability, and legitimate administrative or development use must be validated in the organization’s own environment.

Official MITRE ATT&CK definition

Detect Persistence via Office Test Registry DLL Injection

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                         Relationship / procedure
Enterprise  T1137.002  Office Test (sub-technique)  This object detects Office Test.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e7e96cfe05f7b2c6...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  e7e96cfe05f7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0315 (source record URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.