Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.