Potential Persistence Via Microsoft Office Add-In

 1title: Potential Persistence Via Microsoft Office Add-In
 2id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
 3status: test
 4description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
 5references:
 6    - Internal Research
 7    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
 8    - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
 9author: NVISO
10date: 2020/05/11
11modified: 2023/02/08
12tags:
13    - attack.persistence
14    - attack.t1137.006
15logsource:
16    category: file_event
17    product: windows
18detection:
19    selection_wlldropped:
20        TargetFilename|contains: '\Microsoft\Word\Startup\'
21        TargetFilename|endswith: '.wll'
22    selection_xlldropped:
23        TargetFilename|contains: '\Microsoft\Excel\Startup\'
24        TargetFilename|endswith: '.xll'
25    selection_xladropped:
26        TargetFilename|contains: 'Microsoft\Excel\XLSTART\'
27        TargetFilename|endswith: '.xlam'
28    selection_generic:
29        TargetFilename|contains: '\Microsoft\Addins\'
30        TargetFilename|endswith:
31            - '.xlam'
32            - '.xla'
33            - '.ppam'
34    condition: 1 of selection_*
35falsepositives:
36    - Legitimate add-ins
37level: high

References

• Internal Research

  
  Read More

• Add-In Opportunities for Office Persistence

  

  One software product that attackers will almost certainly find in the environments that they're targeting is Microsoft Office. Office applications due to this ubiquity present a consistent source of opportunity for persistence mechanisms.

  
  Read More

• atomic-red-team/atomics/T1137.006/T1137.006.md at 4ae9580a1a8772db87a1b6cdb0d03e5af231e966 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• Code Executed Via Office Add-in XLL File
• Direct Autorun Keys Modification
• MSExchange Transport Agent Installation
• New Service Creation Using PowerShell
• New Service Creation Using Sc.EXE