Adversaries may use Microsoft Office add-ins to establish persistence by loading malicious code when Office applications start, leveraging the trusted execution environment of Office applications. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term persistence mechanisms that evade traditional detection methods.
Detection Rule
title: Potential Persistence Via Microsoft Office Add-In
id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
status: test
description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
references:
- Internal Research
- https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
- https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
author: NVISO
date: 2020-05-11
modified: 2023-02-08
tags:
- attack.persistence
- attack.t1137.006
logsource:
category: file_event
product: windows
detection:
selection_wlldropped:
TargetFilename|contains: '\Microsoft\Word\Startup\'
TargetFilename|endswith: '.wll'
selection_xlldropped:
TargetFilename|contains: '\Microsoft\Excel\Startup\'
TargetFilename|endswith: '.xll'
selection_xladropped:
TargetFilename|contains: 'Microsoft\Excel\XLSTART\'
TargetFilename|endswith: '.xlam'
selection_generic:
TargetFilename|contains: '\Microsoft\Addins\'
TargetFilename|endswith:
- '.xlam'
- '.xla'
- '.ppam'
condition: 1 of selection_*
falsepositives:
- Legitimate add-ins
level: high
imFileEvent
| where (TargetFileName contains "\\Microsoft\\Word\\Startup\\" and TargetFileName endswith ".wll") or (TargetFileName contains "\\Microsoft\\Excel\\Startup\\" and TargetFileName endswith ".xll") or (TargetFileName contains "Microsoft\\Excel\\XLSTART\\" and TargetFileName endswith ".xlam") or (TargetFileName contains "\\Microsoft\\Addins\\" and (TargetFileName endswith ".xlam" or TargetFileName endswith ".xla" or TargetFileName endswith ".ppam"))Scenario: Legitimate Office Add-In Deployment
Description: A system administrator installs a legitimate third-party add-in (e.g., Kutools for Excel, Aspose.Cells, or Microsoft Power Automate) that is configured to load at startup.
Filter/Exclusion: Exclude files signed by trusted publishers (e.g., signer:Microsoft Corporation or signer:Kutools), or filter by known safe add-in file names (e.g., kutools.xll).
Scenario: Scheduled Task Triggering Office Automation
Description: A scheduled task runs a script (e.g., PowerShell or VBS) that launches Excel or Word to perform automated reporting or data processing.
Filter/Exclusion: Exclude processes initiated by scheduled tasks (e.g., schtasks.exe or Task Scheduler), or filter by known legitimate scripts (e.g., report_generator.vbs).
Scenario: System-Wide Office Add-In Configuration
Description: An enterprise IT policy configures a company-wide add-in (e.g., Microsoft SharePoint Add-In, OneDrive Sync Add-In) to load on all Office clients.
Filter/Exclusion: Exclude files located in standard enterprise add-in directories (e.g., C:\Program Files\Microsoft Office\AddIns\) or filter by known enterprise add-in names.
Scenario: User-Initiated Office Macro Execution
Description: A user runs a macro (e.g., via Excel or Word) that loads an add-in for data processing or automation.
Filter/Exclusion: Exclude processes initiated by user interaction (e.g., excel.exe launched via explorer.exe or winword.exe), or filter by known macro-enabled files (e.g., macro_utils.xll).
**Scenario: Admin