T1137.006 · threatengine.sh

Home/ATT&CK Technique/Add-ins

ATT&CK Technique

Add-ins

T1137.006 · persistence

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products.

including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.

WindowsOffice Suite

◆

Actors Using This

iranAPT35
north_koreaAPT37
russiaTurla

◈

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.

resource-development earlier

T1584.006 · Web Services ×11.90

execution earlier

T1047 · Windows Management Instrumentation ×4.25

persistence same

T1137 · Office Application Startup ×34.00 T1547.009 · Shortcut Modification ×6.10

privilege-escalation later

T1546 · Event Triggered Execution ×6.10 T1055.001 · Dynamic-link Library Injection ×5.06 T1134 · Access Token Manipulation ×4.41

discovery later

T1049 · System Network Connections Discovery ×4.67 T1012 · Query Registry ×4.18

collection later

T1114.002 · Remote Email Collection ×7.21 T1114.001 · Local Email Collection ×4.49

command-and-control later

T1071.003 · Mail Protocols ×9.52 T1102.002 · Bidirectional Communication ×3.72

exfiltration later

T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ×4.67

other same

T1027.010 · Command Obfuscation ×7.93

▸

Atomic Tests

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

powershellwindowsCode Executed Via Excel Add-in File (XLL)

Loads an XLL file using the excel add-ins library. This causes excel to launch Notepad.exe as a child process. This atomic test does not include persistent code execution as you would typically see when this is implemented in malware.

$excelApp = New-Object -COMObject "Excel.Application"
if(-not $excelApp.path.contains("Program Files (x86)")){
    Write-Host "64-bit Office"
    $excelApp.RegisterXLL("PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll")
}
else{
  Write-Host "32-bit Office"
  $excelApp.RegisterXLL("PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll")
}

powershellwindowsPersistent Code Execution Via Excel Add-in File (XLL)

Creates an Excel Add-in file (XLL) and sets a registry key to make it run automatically when Excel is started The sample XLL provided launches the notepad as a proof-of-concept for persistent execution from Office.

$excelApp = New-Object -COMObject "Excel.Application"
if(-not $excelApp.path.contains("Program Files (x86)")){
    Write-Host "64-bit Office"
    Copy "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll" "$env:APPDATA\Microsoft\AddIns\notepad.xll"
}
else{
  Write-Host "32-bit Office"
  Copy "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll" "$env:APPDATA\Microsoft\AddIns\notepad.xll"
}
$ver = $excelApp.version
$ExcelRegPath="HKCU:\Software\Microsoft\Office\$Ver\Excel\Options"
Remove-Item $ExcelRegPath -ErrorAction Ignore
New-Item -type Directory $ExcelRegPath | Out-Null
New-ItemProperty $ExcelRegPath OPEN -value "/R notepad.xll" -propertyType string | Out-Null
$excelApp.Quit()
Start-Process "Excel"

powershellwindowsPersistent Code Execution Via Word Add-in File (WLL)

Creates a Word Add-in file (WLL) which runs automatically when Word is started The sample WLL provided launches the notepad as a proof-of-concept for persistent execution from Office. Successfully tested on 32-bit Office 2016. Not successful from microsoft 365 version of Office.

$wdApp = New-Object -COMObject "Word.Application"
if(-not $wdApp.path.contains("Program Files (x86)"))  
{
  Write-Host "64-bit Office"
  Copy "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x64.wll" "$env:APPDATA\Microsoft\Word\Startup\notepad.wll"        
}
else{
  Write-Host "32-bit Office"
  Copy "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x86.wll" "$env:APPDATA\Microsoft\Word\Startup\notepad.wll"
}
Stop-Process -Name "WinWord" 
Start-Process "WinWord"

powershellwindowsPersistent Code Execution Via Excel VBA Add-in File (XLAM)

Creates an Excel VBA Add-in file (XLAM) which runs automatically when Excel is started The sample XLAM provided launches the notepad as a proof-of-concept for persistent execution from Office.

Copy "PathToAtomicsFolder\T1137.006\bin\Addins\ExcelVBAaddin.xlam" "$env:APPDATA\Microsoft\Excel\XLSTART\notepad.xlam"        
Start-Process "Excel"

powershellwindowsPersistent Code Execution Via PowerPoint VBA Add-in File (PPAM)

Creates a PowerPoint VBA Add-in file (PPAM) which runs automatically when PowerPoint is started The sample PPA provided launches the notepad as a proof-of-concept for persistent execution from Office.

Copy "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam" "$env:APPDATA\Microsoft\Addins\notepad.ppam"
$ver = (New-Object -COMObject "PowerPoint.Application").version
$ExcelRegPath="HKCU:\Software\Microsoft\Office\$Ver\PowerPoint\AddIns\notepad"
New-Item -type Directory $ExcelRegPath -Force | Out-Null
New-ItemProperty $ExcelRegPath "Autoload" -value "1" -propertyType DWORD  | Out-Null
New-ItemProperty $ExcelRegPath "Path" -value "notepad.ppam" -propertyType string | Out-Null
Stop-Process -Name "PowerPnt" -ErrorAction Ignore
Start-Process "PowerPnt"

▣

Mitigations

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.

M1040Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack.

Suspicious Process Behavior

Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.

Unauthorized File Access

Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.

Abnormal API Calls

Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.

Exploit Prevention

Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.

◈

Detection Coverage

1/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) 4

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

▣

Comply & Defend

NIST 800-53AC-06, CM-02, CM-06, SC-18, SC-44, SI-08

D3FEND7 defensive techniques

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin