The Hidden Office Test Key (Persistence)
Author: Attack Detect Defend (rot169)
Uploaded: 2021-06-15
Views: 3545
In this video we'll explore how to attack, detect and defend against an undocumented registry key. The key was intended to connect Office applications to a code-profiling system for performance analysis, but some very clever researchers, and attackers, discovered that it can be abused to launch arbitrary code, which makes it a persistence mechanism once initial access to a machine has been achieved. Fortunately, some careful registry permissions can provide a reasonable defence against this threat.
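The detect and defend steps described above, as an added PowerShell example that is not code from the video or from rot169's repository. The two key paths are the ones documented for the Office Test technique in the MITRE ATT&CK entry linked below (T1137.002); the function names are mine, and the cmdlets and .NET types are standard Windows PowerShell. Office loads the DLL named in the (Default) value of these keys each time an Office application starts, which is what makes them a persistence location.

```powershell
# Added example, not code from the video or rot169's repository.
# Key paths are taken from MITRE ATT&CK T1137.002 (Office Test). The function
# names are hypothetical; everything else is standard Windows PowerShell.
$OfficeTestKeys = @(
    'HKCU:\Software\Microsoft\Office test\Special\Perf',
    'HKLM:\Software\Microsoft\Office test\Special\Perf'
)

function Get-OfficeTestPersistence {
    # Detect: report anything parked in the (Default) value of either key.
    # A clean machine normally has no 'Office test' key at all.
    foreach ($key in $OfficeTestKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $payload = (Get-Item -Path $key).GetValue('')
        if ($payload) {
            [pscustomobject]@{
                Key     = $key
                Payload = $payload
                OnDisk  = Test-Path -LiteralPath $payload
            }
        }
    }
}

function Protect-OfficeTestKey {
    # Defend: pre-create the key and deny BUILTIN\Users the rights needed to
    # populate it (SetValue, CreateSubKey, CreateLink, Delete). Deny ACEs win
    # over allows, so this also covers a non-elevated admin's filtered token.
    # Run elevated to apply this to the HKLM key.
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $acl  = Get-Acl -Path $Key
    $deny = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Users',
        'SetValue,CreateSubKey,CreateLink,Delete',
        'ContainerInherit', 'None', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Key -AclObject $acl
}

function Enable-OfficeTestAudit {
    # Detect (ongoing): add a SACL entry so any write to the key raises
    # Security event 4657 ("A registry value was modified"), provided the
    # 'Registry' object-access subcategory is enabled, e.g.
    #   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
    # Requires elevation (SeSecurityPrivilege) to write the SACL.
    param([Parameter(Mandatory)][string]$Key)
    $acl   = Get-Acl -Path $Key -Audit
    $audit = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        'SetValue,CreateSubKey,Delete',
        'ContainerInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($audit)
    Set-Acl -Path $Key -AclObject $acl
}

# Usage: hunt first, then harden and audit both hives.
Get-OfficeTestPersistence | Format-Table -AutoSize
foreach ($key in $OfficeTestKeys) {
    Protect-OfficeTestKey -Key $key
    Enable-OfficeTestAudit -Key $key
}
```

One caveat on the HKCU half of the defence: the user owns their own HKCU subkeys, and an owner can always rewrite the DACL, so a deny ACE there only stops implants that do not bother to reset permissions first. The HKLM key is owned by Administrators and the deny holds against any non-elevated code; the audit rule catches attempts against either key, which is usually the more valuable signal.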
If you find the video useful please do give it a like, and consider subscribing if you want more of this sort of content. Drop a note in the comments if there’s anything you think I missed, or if you have a good idea of what topic I should cover next.
Further reading/watching:
Mitre ATT&CK on the Office Test Key: https://attack.mitre.org/techniques/T...
Download Sysinternals Suite: https://docs.microsoft.com/en-us/sysi...
PaloAlto Unit 42 research on the Office Test Key: https://unit42.paloaltonetworks.com/u...
How to configure Registry auditing: • Abusing Default File Associations (Persist...
Powershell code download page: https://github.com/rot169/AttackDetec...
Audio Credits (licensed under CC0):
Intro/Outro Music by Flavio Concini (https://freesound.org/people/Greek555/)
Transition audio: "Ethereal Woosh" by Newagesoup (https://freesound.org/people/newagesoup/)
Timestamps:
0:00 Intro
1:13 Attack
3:06 Detect
4:01 Defend