MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1137.006: Add-ins

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products, including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins.

Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-263: Office_XLL_modification: An attempt to modify Excel add-in settings in the Windows OS registry is detected

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor newly executed processes that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description: Audit the Registry entries relevant for enabling add-ins.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Creation
Description: Audit the Registry entries relevant for enabling add-ins.

ID: DS0022
Data source and component: File: File Modification
Description: Monitor for changes made to files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

ID: DS0022
Data source and component: File: File Creation
Description: Monitor for newly constructed files that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
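The registry audit guidance above (DS0024) can be turned into a simple check over Windows Security event 4657 records. This is an added illustration, not the logic of the PT-CR-263 rule or any MaxPatrol SIEM content: the Excel add-in registry locations it matches come from public Office documentation rather than this page, and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excel reads these registry locations at startup to load add-ins (public Office
# knowledge, not taken from the page above):
#   ...\Office\<ver>\Excel\Options            values OPEN, OPEN1, ... name XLL/XLA files to autoload
#   ...\Office\[<ver>\]Excel\Addins\<ProgID>  COM add-ins; LoadBehavior=3 means load at startup
OPTIONS_KEY = re.compile(r"\\Microsoft\\Office\\\d+\.\d+\\Excel\\Options$", re.I)
ADDINS_KEY = re.compile(r"\\Microsoft\\Office\\(\d+\.\d+\\)?Excel\\Addins\\[^\\]+$", re.I)
OPEN_VALUE = re.compile(r"^OPEN\d*$", re.I)


@dataclass
class Alert:
    reason: str
    key: str
    value_name: str
    new_value: str
    process: str


def inspect_event(ev: dict) -> Optional[Alert]:
    """Classify one Security event 4657 (registry value modified).

    4657 is only logged for keys that carry an audit SACL, which is why the
    detection advice says to audit the add-in registry entries first.
    """
    if ev.get("EventID") != 4657:
        return None
    key, name = ev.get("ObjectName", ""), ev.get("ObjectValueName", "")
    common = (key, name, ev.get("NewValue", ""), ev.get("ProcessName", ""))
    if OPTIONS_KEY.search(key) and OPEN_VALUE.match(name):
        return Alert("Excel autoload add-in (XLL/XLA) registered via OPEN value", *common)
    if ADDINS_KEY.search(key):
        return Alert("Excel COM add-in registration changed", *common)
    return None


def scan(events: list) -> list:
    return [a for a in map(inspect_event, events) if a]


# Constructed sample events shaped like 4657 fields; not real telemetry.
_HKCU = r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Office"
SAMPLE_EVENTS = [
    {"EventID": 4657, "ObjectName": _HKCU + r"\16.0\Excel\Options", "ObjectValueName": "DefaultPath",
     "NewValue": r"C:\Users\alice\Documents", "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 4657, "ObjectName": _HKCU + r"\16.0\Excel\Options", "ObjectValueName": "OPEN1",
     "NewValue": r'/R "C:\Users\alice\AppData\Roaming\update.xll"', "ProcessName": r"C:\Windows\System32\reg.exe"},
    {"EventID": 4657, "ObjectName": _HKCU + r"\Excel\Addins\Contoso.Connect", "ObjectValueName": "LoadBehavior",
     "NewValue": "3", "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "Updater", "NewValue": r"C:\tmp\u.exe", "ProcessName": r"C:\Windows\System32\reg.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.reason}: {a.key}\\{a.value_name} = {a.new_value} (by {a.process})")
```

Only the OPEN1 and LoadBehavior changes are flagged; the Excel-written DefaultPath value and the unrelated Run key are ignored, so the writing process (reg.exe, powershell.exe) is what an analyst would triage next.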

Mitigation

ID: M1040
Name: Behavior Prevention on Endpoint
Description: On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk.