T1137.006 Add-ins
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. [3] There are different types of add-ins that can be used by the various Office products, including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. [2][1]
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
| Item | Value |
|---|---|
| ID | T1137.006 |
| Sub-techniques | T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006 |
| Tactics | TA0003 |
| Platforms | Office Suite, Windows |
| Version | 1.2 |
| Created | 07 November 2019 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0268 | Bisonal | Bisonal has been loaded through a .wll extension added to the %APPDATA%\microsoft\word\startup\ repository. [6] |
| S1143 | LunarLoader | LunarLoader has the ability to use Microsoft Outlook add-ins to establish persistence. [7] |
| S1142 | LunarMail | LunarMail has the ability to use Outlook add-ins for persistence. [7] |
| G0019 | Naikon | Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host. [8] |
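The procedure examples above all land in one of a small set of add-in load points (the Word/Excel startup folders, COM add-in registry keys, Excel's OPEN values). The following inventory script is an added example written for this page, not code from MITRE or from any of the referenced reports; the folder paths and registry keys are the standard Office locations, and the 16.0 version segment is an assumption to adjust for the installed build.

```powershell
# Added example: inventory Office add-in load points so a defender can baseline them.
# Assumes a current Office build (registry version segment 16.0); adjust if yours differs.
$findings = @()

# 1. Word/Excel startup folders: any .wll/.xll/.dotm/.xlam placed here loads at app start.
$startupDirs = @("$env:APPDATA\Microsoft\Word\STARTUP",
                 "$env:APPDATA\Microsoft\Excel\XLSTART")
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'StartupFolder'; Source = $dir; Item = $_.Name; Detail = $_.LastWriteTime }
    }
}

# 2. COM add-ins (Word, Excel, Outlook, ...): LoadBehavior 3 means "load automatically at startup".
$addinRoots = @('HKCU:\Software\Microsoft\Office\*\Addins',
                'HKLM:\Software\Microsoft\Office\*\Addins',
                'HKLM:\Software\WOW6432Node\Microsoft\Office\*\Addins')
foreach ($root in $addinRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.LoadBehavior -eq 3) {
            $findings += [pscustomobject]@{ Type = 'COMAddin'; Source = $root; Item = $_.PSChildName; Detail = $p.FriendlyName }
        }
    }
}

# 3. Excel XLL/automation add-ins registered through the OPEN, OPEN1, ... values.
$opt = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Excel\Options' -ErrorAction SilentlyContinue
if ($opt) {
    $opt.PSObject.Properties | Where-Object { $_.Name -match '^OPEN\d*$' } | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'ExcelOPEN'; Source = 'Excel\Options'; Item = $_.Name; Detail = $_.Value }
    }
}

# Anything not in the known baseline (e.g. an unexpected .wll in the Word STARTUP folder) warrants review.
$findings | Sort-Object Type, Item | Format-Table -AutoSize
```

Run it per user profile, since the HKCU keys and %APPDATA% folders are user-specific; comparing output across hosts makes single-host outliers stand out.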
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. [5] |
References
1. Caban, D. and Hirani, M. (2018, October 3). You've Got Mail! Enterprise Email Compromise. Retrieved November 17, 2024.
2. Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved November 17, 2024.
3. Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
4. Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
5. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
6. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
7. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
8. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.