Skip to content

T1137.006 Add-ins

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. 1 There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. 23

Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.

Item Value
ID T1137.006
Sub-techniques T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006
Tactics TA0003
Platforms Office 365, Windows
Permissions required Administrator, User
Version 1.1
Created 07 November 2019
Last Modified 16 August 2021

Procedure Examples

ID Name Description
S0268 Bisonal Bisonal has been loaded through a .wll extension added to the %APPDATA%\microsoft\word\startup\ repository.6
G0019 Naikon Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.7


ID Mitigation Description
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. 5


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Creation