T1137.006 Add-ins
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. 1 There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. 23
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
| Item | Value |
|---|---|
| ID | T1137.006 |
| Sub-techniques | T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006 |
| Tactics | TA0003 |
| Platforms | Office 365, Windows |
| Permissions required | Administrator, User |
| Version | 1.1 |
| Created | 07 November 2019 |
| Last Modified | 16 August 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0268 | Bisonal | Bisonal has been loaded through a .wll extension added to the %APPDATA%\microsoft\word\startup\ repository.6 |
| G0019 | Naikon | Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.7 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 5 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
| DS0024 | Windows Registry | Windows Registry Key Creation |
References
-
Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017. ↩
-
Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017. ↩
-
Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail! Enterprise Email Compromise. Retrieved April 22, 2019. ↩
-
Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019. ↩
-
Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. ↩
-
Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. ↩
-
CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. ↩