T1137.006: Add-ins
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins extend the functionality of Office programs. The various Office products support different kinds of add-ins, including Word/Excel add-in libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins.
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_persistence: PT-CR-263: Office_XLL_modification: An attempt to modify Excel add-in settings in the Windows OS registry is detected
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: Process Creation | Monitor newly executed processes that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. |
| DS0024 | Windows Registry: Windows Registry Key Modification | Audit the Registry entries relevant for enabling add-ins. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. |
| DS0024 | Windows Registry: Windows Registry Key Creation | Audit the Registry entries relevant for enabling add-ins. |
| DS0022 | File: File Modification | Monitor for changes made to files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. |
| DS0022 | File: File Creation | Monitor for newly constructed files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. |
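The registry (DS0024) and file (DS0022) data sources above are easiest to reason about with concrete detection logic. The following is an added example, not code from MITRE or from the Positive Technologies rule named earlier: it runs over constructed event records shaped after Sysmon Event ID 13 (registry value set) and Event ID 11 (file create) and flags the places where Office reads add-ins at startup. The registry paths (Excel's `OPEN*` values under `Excel\Options`, the `LoadBehavior` value of COM add-ins under `Office\<App>\Addins`) and the startup folders (`XLSTART`, Word `STARTUP`, `AddIns`) are well-known Office defaults and are assumptions of this example rather than values taken from the page; the rule names and the sample telemetry are constructed.

```python
"""Detection logic for T1137.006 (Office add-in persistence) over Sysmon-shaped events.

Added example. Registry locations and startup folders are well-known Office
defaults (assumed, not taken from the page); the events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Excel auto-loads add-ins named in OPEN, OPEN1, OPEN2, ... under
# HKCU\Software\Microsoft\Office\<ver>\Excel\Options; the data looks like /R "C:\...\addin.xll".
EXCEL_OPEN_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Excel\\Options\\OPEN\d*$", re.I)
# COM add-ins register a LoadBehavior DWORD under HK(CU|LM)\Software\Microsoft\Office\<App>\Addins\<ProgId>.
# Bit 2 of LoadBehavior (values 2 and 3) means "load at application startup".
COM_ADDIN_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(Excel|Word|Outlook|PowerPoint)\\Addins\\[^\\]+\\LoadBehavior$", re.I)
# File extensions Office treats as add-in libraries, and folders whose contents load automatically.
ADDIN_EXT_RE = re.compile(r"\.(xll|wll|xla|xlam|vsto)\b", re.I)
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\(Excel\\XLSTART|Word\\STARTUP|AddIns)\\", re.I)


@dataclass
class Alert:
    rule: str
    host: str
    image: str      # process that wrote the value or created the file
    target: str     # registry value or file path
    details: str = ""


def _dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000003)' rendering, or a bare decimal, to an int."""
    m = re.search(r"0x([0-9a-f]+)|^(\d+)$", details.strip(), re.I)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def check_registry_event(ev: dict) -> Optional[Alert]:
    """Sysmon EventID 13 (value set): alert when the written value enables an add-in."""
    if ev.get("EventID") != 13:
        return None
    target, details = ev.get("TargetObject", ""), str(ev.get("Details", ""))
    if EXCEL_OPEN_RE.search(target) and ADDIN_EXT_RE.search(details):
        return Alert("office_xll_autoload", ev["Computer"], ev["Image"], target, details)
    if COM_ADDIN_RE.search(target):
        val = _dword(details)
        if val is not None and val & 2:
            return Alert("office_com_addin_startup", ev["Computer"], ev["Image"], target, details)
    return None


def check_file_event(ev: dict) -> Optional[Alert]:
    """Sysmon EventID 11 (file create): alert on add-in files or drops into auto-load folders."""
    if ev.get("EventID") != 11:
        return None
    path = ev.get("TargetFilename", "")
    if STARTUP_DIR_RE.search(path):
        return Alert("office_startup_folder_drop", ev["Computer"], ev["Image"], path)
    if ADDIN_EXT_RE.search(path):
        return Alert("office_addin_file_created", ev["Computer"], ev["Image"], path)
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run both checks over a stream of events and collect the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        alert = check_registry_event(ev) or check_file_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs): a benign Excel option change, an XLL
# auto-load registration, a COM add-in set to load at startup, a file dropped into
# XLSTART, and an ordinary document save that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Options\DefaultFormat",
     "Details": "DWORD (0x00000033)"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Options\OPEN1",
     "Details": r'/R "C:\Users\alice\AppData\Roaming\update.xll"'},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\Word\Addins\Helper.Connect\LoadBehavior",
     "Details": "DWORD (0x00000003)"},
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\sync.xlam"},
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] host={a.host} image={a.image} target={a.target} {a.details}")
```

The `Image` field is kept on every alert because it is the most useful triage pivot: Office itself writing `OPEN1` during an add-in install looks different from `reg.exe`, PowerShell or an unsigned binary doing so. A production rule would also cover the HKLM counterparts of these keys and the machine-wide `XLSTART` folder under the Office install directory, which this example omits.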
Mitigation
| ID | Name | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. |