T1137.006

Add-ins

Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically when the corresponding Office application starts. Bisonal malware used .wll files dropped in Word startup; Naikon APT used intel.wll via RoyalRoad; Turla's LunarLoader and LunarMail use Outlook add-ins. XLL add-ins are particularly dangerous as they can execute arbitrary code when loaded and can be delivered via email attachments.

Microsoft Sentinel / Defender

kusto

// T1137.006 — Office Add-ins persistence detection
// Detect add-in file drops, registry registration, and suspicious DLL loads by Office
let AddInExtensions = dynamic([".wll", ".xll", ".xlam", ".xla", ".vsto", ".ppam", ".ppa"]);
let AddInPaths = dynamic([
  "\\Microsoft\\Word\\STARTUP\\",
  "\\Microsoft\\Excel\\XLSTART\\",
  "\\Microsoft\\AddIns\\",
  "\\Microsoft\\Office\\AddIns\\"
]);
// Part 1: Detect add-in file writes to Office startup/add-in directories
let AddInFileWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (AddInPaths)
    or (FileName has_any (".wll", ".xll", ".xlam", ".vsto"))
| where InitiatingProcessFileName !in~ ("winword.exe", "excel.exe", "powerpnt.exe",
                                        "outlook.exe", "OfficeClickToRun.exe", "setup.exe",
                                        "msiexec.exe", "OfficeC2RClient.exe")
| extend DetectionType = "Office_AddIn_File_Written"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect Office add-in registry registration
let AddInRegistration = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("Excel\\Addins", "Word\\Addins", "Outlook\\Addins",
                              "PowerPoint\\Addins", "Office\\Addins", "Excel\\ExcelDNA")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend DetectionType = "Office_AddIn_Registry_Registration"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect Office processes loading DLLs from non-standard paths (XLL/WLL execution)
let AddInDLLLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName has_any (".wll", ".xll", ".xlam")
    or (FolderPath has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\Downloads\\"))
| where not (FolderPath has_any ("\\Microsoft Office\\", "\\Program Files\\Microsoft Office\\"))
| extend DetectionType = "Office_AddIn_DLL_Load"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union AddInFileWrite, AddInRegistration, AddInDLLLoad
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Creation Windows Registry: Registry Key/Value Creation Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents DeviceImageLoadEvents

False Positives

Legitimate third-party Office add-in installations (e.g., Acrobat PDF add-in, Zoom for Outlook, Microsoft Teams add-in)
Corporate IT deploying custom Office add-ins via MSI packages (msiexec.exe writing to add-in directories)
Developer workstations installing VSTO or Excel-DNA add-ins for development purposes
Automated software update processes updating existing legitimate add-ins

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where event.category == "file" and event.action in ("creation", "modification")
    and (
      file.extension in ("wll", "xll", "xlam", "xla", "vsto", "ppam", "ppa")
      or file.path : ("*\\Microsoft\\Word\\STARTUP\\*", "*\\Microsoft\\Excel\\XLSTART\\*", "*\\Microsoft\\AddIns\\*", "*\\Microsoft\\Office\\AddIns\\*")
    )
    and not process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "OfficeClickToRun.exe", "setup.exe", "msiexec.exe", "OfficeC2RClient.exe")
] by process.pid

nor

sequence by host.name with maxspan=1m
[
  any where event.category == "registry" and event.action in ("modification", "creation")
    and registry.path : ("*Excel\\Addins*", "*Word\\Addins*", "*Outlook\\Addins*", "*PowerPoint\\Addins*", "*Office\\Addins*", "*Excel\\ExcelDNA*")
]

nor

sequence by host.name with maxspan=1m
[
  any where event.category == "library" and event.action == "load"
    and process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
    and (
      dll.name : ("*.wll", "*.xll", "*.xlam")
      or dll.path : ("*\\Users\\*", "*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*")
    )
    and not dll.path : ("*\\Microsoft Office\\*", "*\\Program Files\\Microsoft Office\\*")
]

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (Endpoint integration)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-endpoint.events.library-*

False Positives

Legitimate Office add-in deployment via enterprise software packaging tools (SCCM, Intune) that use non-standard installer processes writing add-in files to XLSTART or STARTUP directories
Third-party productivity add-ins (Bloomberg, SAP, Salesforce, Adobe) that self-update by writing to Office add-in paths from their own launcher processes
Developer workstations where Visual Studio or VSTO tooling writes .vsto or .xlam files to the Office add-in directories during legitimate development and testing workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  "QIDNAME"(qid) AS event_name,
  "devicehostname" AS host,
  "TargetFilename" AS target_file,
  "Image" AS initiating_process,
  "TargetObject" AS registry_key,
  "ImageLoaded" AS loaded_dll,
  CASE
    WHEN LOWER("TargetFilename") MATCHES '.*\.(wll|xll|xlam|xla|vsto|ppam|ppa)$'
      AND LOWER("TargetFilename") MATCHES '.*(microsoft\\word\\startup|microsoft\\excel\\xlstart|microsoft\\addins).*'
      AND NOT LOWER("Image") MATCHES '.*(winword|excel|powerpnt|outlook|officeclicktorun|msiexec)\.exe'
      AND "EventID" = 11
      THEN 'Office_AddIn_File_Drop'
    WHEN "EventID" = 13
      AND LOWER("TargetObject") MATCHES '.*(excel|word|outlook|powerpoint)\\.*addin.*'
      THEN 'Office_AddIn_Registry_Registration'
    WHEN "EventID" = 7
      AND LOWER("Image") MATCHES '.*(winword|excel|powerpnt|outlook)\.exe'
      AND LOWER("ImageLoaded") MATCHES '.*\.(wll|xll)'
      AND NOT LOWER("ImageLoaded") MATCHES '.*program files.*'
      THEN 'Office_AddIn_DLL_Load'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME("devicetype") ILIKE '%Microsoft Windows%'
  AND "EventID" IN (7, 11, 13)
  AND LOWER(QIDNAME(qid)) ILIKE '%sysmon%'
  AND (
    (
      "EventID" = 11
      AND (
        LOWER("TargetFilename") MATCHES '.*\.(wll|xll|xlam|xla|vsto|ppam|ppa)$'
        OR LOWER("TargetFilename") MATCHES '.*(microsoft\\word\\startup|microsoft\\excel\\xlstart|microsoft\\addins).*'
      )
      AND NOT LOWER("Image") MATCHES '.*(winword|excel|powerpnt|outlook|officeclicktorun|msiexec)\.exe'
    ) OR (
      "EventID" = 13
      AND LOWER("TargetObject") MATCHES '.*(excel|word|outlook|powerpoint)\\.*addin.*'
    ) OR (
      "EventID" = 7
      AND LOWER("Image") MATCHES '.*(winword|excel|powerpnt|outlook)\.exe'
      AND LOWER("ImageLoaded") MATCHES '.*\.(wll|xll)'
      AND NOT LOWER("ImageLoaded") MATCHES '.*program files.*'
    )
  )
  AND DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') > DATEADD('day', -1, NOW())
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (via QRadar WinCollect or Universal DSM) QRadar Windows Security Event Log DSM

Required Tables

events

False Positives

Enterprise add-in management tools (SCCM, Group Policy) deploying legitimate add-ins to Excel XLSTART or Word STARTUP directories using SYSTEM account or custom service accounts
Financial and business software vendors (Bloomberg Terminal, FactSet, Reuters Eikon) that install XLL or XLA add-ins in Office paths as part of their normal installation routine
IT helpdesk or sysadmin accounts performing manual add-in deployment or troubleshooting Office configuration on endpoints, generating registry modification events under Office Addins keys

Sumo Logic CSE

sql

// Part 1: Office Add-in File Drops
(_sourceCategory="*windows*sysmon*" OR _sourceCategory="*endpoint*sysmon*")
| where EventID = 11
| parse regex field=TargetFilename "(?i)(?P<filename>[^\\]+)$"
| where (
    TargetFilename matches /(?i)\.(wll|xll|xlam|xla|vsto|ppam|ppa)$/
    OR TargetFilename matches /(?i)(Microsoft\\Word\\STARTUP|Microsoft\\Excel\\XLSTART|Microsoft\\AddIns|Microsoft\\Office\\AddIns)/
  )
  AND !(Image matches /(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun|msiexec|OfficeC2RClient)\.exe/)
| fields _messageTime, Computer, User, TargetFilename, Image, CommandLine
| withtime _messageTime
| eval detection_type = "Office_AddIn_File_Drop"

// Part 2: Add-in Registry Registration
| union (
  (_sourceCategory="*windows*sysmon*" OR _sourceCategory="*endpoint*sysmon*")
  | where EventID = 13
  | where TargetObject matches /(?i)(Excel|Word|Outlook|PowerPoint)\\.*Addin/
  | fields _messageTime, Computer, User, TargetObject, Details, Image, CommandLine
  | withtime _messageTime
  | eval detection_type = "Office_AddIn_Registry_Registration"
)

// Part 3: Office Processes Loading Add-in DLLs from Anomalous Paths
| union (
  (_sourceCategory="*windows*sysmon*" OR _sourceCategory="*endpoint*sysmon*")
  | where EventID = 7
  | where Image matches /(?i)(winword|excel|powerpnt|outlook)\.exe/
  | where ImageLoaded matches /(?i)\.(wll|xll)/
    OR ImageLoaded matches /(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\)/
  | where !(ImageLoaded matches /(?i)(\\Microsoft Office\\|\\Program Files\\Microsoft Office\\)/)
  | fields _messageTime, Computer, User, ImageLoaded, Image, CommandLine
  | withtime _messageTime
  | eval detection_type = "Office_AddIn_DLL_Load"
)

| count by _messageTime, Computer, User, detection_type, Image, CommandLine
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Sysmon channel) Sumo Logic Cloud SIEM Enterprise with Windows normalization

Required Tables

Sysmon Operational Event Log via Sumo Logic Windows source

False Positives

Software deployment pipelines using tools like Chef, Puppet, or Ansible that write add-in configuration files to Office directories as part of automated workstation configuration management
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that install Outlook add-ins for phishing simulation reporting buttons, triggering registry events under Outlook\Addins
Macro-enabled Excel workbooks used in finance departments that dynamically register .xlam add-ins at runtime, causing Office processes to load add-in DLLs from user profile directories

Google Chronicle / SecOps

yaral

rule office_addin_persistence_t1137_006 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Office add-in persistence via file drops to startup dirs, registry registration, or DLL loads by Office processes from non-standard paths (T1137.006)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137.006"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1137/006/"
    created = "2026-04-19"
    version = "1.0"

  events:
    (
      // Branch 1: Add-in file written to Office startup/add-in paths
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e1.target.file.full_path, `(?i)\.(wll|xll|xlam|xla|vsto|ppam|ppa)$`)
        or re.regex($e1.target.file.full_path, `(?i)(Microsoft\\Word\\STARTUP|Microsoft\\Excel\\XLSTART|Microsoft\\AddIns|Microsoft\\Office\\AddIns)`)
      )
      and not re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun|msiexec|OfficeC2RClient)\.exe`)
    )
    or
    (
      // Branch 2: Registry-based add-in registration under Office add-in keys
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)(Excel|Word|Outlook|PowerPoint)\\.*Addin`)
    )
    or
    (
      // Branch 3: Office process loading add-in DLL from anomalous path
      $e1.metadata.event_type = "PROCESS_MODULE_LOAD"
      and re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook)\.exe`)
      and (
        re.regex($e1.target.file.full_path, `(?i)\.(wll|xll)`)
        or re.regex($e1.target.file.full_path, `(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\)`)
      )
      and not re.regex($e1.target.file.full_path, `(?i)(\\Microsoft Office\\|\\Program Files\\Microsoft Office\\)`)
    )

  condition:
    $e1

high severity high confidence

Data Sources

Chronicle UDM events from Google Chronicle SIEM Endpoint telemetry ingested via Chronicle forwarder (Windows Defender ATP, CrowdStrike, Carbon Black)

Required Tables

UDM events: FILE_CREATION, REGISTRY_MODIFICATION, PROCESS_MODULE_LOAD

False Positives

Legitimate ISV (Independent Software Vendor) add-in installers such as Dynamics 365, SAP Business One, or Adobe Acrobat that register VSTO or COM add-ins under Office registry paths during installation
Excel Power Query or Power Pivot operations that dynamically load .xlam files from user AppData directories as part of normal data model refresh workflows in analytics environments
Corporate IT reimaging or provisioning scripts that configure Office add-ins by writing to XLSTART directories on newly deployed workstations before baseline detection tuning excludes known-good deployment hosts

CrowdStrike LogScale (CQL)

cql

// T1137.006 — Office Add-in Persistence Detection
// Branch 1: Add-in file writes to Office startup/add-in directories
(
  #event_simpleName = "AsepValueUpdate"
  OR #event_simpleName = "WrittenDangerousFile"
  OR #event_simpleName = "NewExecutableWritten"
)
| TargetFileName = /(?i)\.(wll|xll|xlam|xla|vsto|ppam|ppa)$/
  OR TargetDirectory = /(?i)(Microsoft\\Word\\STARTUP|Microsoft\\Excel\\XLSTART|Microsoft\\AddIns|Microsoft\\Office\\AddIns)/
| ImageFileName != /(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun|msiexec|OfficeC2RClient)\.exe/
| rename(field="TargetFileName", as="Indicator")
| detection_type := "Office_AddIn_File_Drop"

// Branch 2: Registry-based add-in registration
| union {
  #event_simpleName = "RegGenericValueUpdate"
    OR #event_simpleName = "RegValueUpdate"
  | RegObjectName = /(?i)(Excel|Word|Outlook|PowerPoint)\\.*Addin/
  | rename(field="RegObjectName", as="Indicator")
  | detection_type := "Office_AddIn_Registry_Registration"
}

// Branch 3: Office processes loading add-in DLLs from non-standard paths
| union {
  #event_simpleName = "ClassifiedModuleLoad"
    OR #event_simpleName = "SuspiciousImageLoad"
  | ImageFileName = /(?i)(winword|excel|powerpnt|outlook)\.exe/
  | (
      ModuleFileName = /(?i)\.(wll|xll)/
      OR ModuleDirectoryName = /(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\)/
    )
  | ModuleDirectoryName != /(?i)(\\Microsoft Office\\|\\Program Files\\Microsoft Office\\)/
  | rename(field="ModuleFileName", as="Indicator")
  | detection_type := "Office_AddIn_DLL_Load"
}

| table(
    [@timestamp, ComputerName, UserName, detection_type, Indicator,
     ImageFileName, CommandLine, ParentImageFileName],
    limit=1000
  )
| sort(field="@timestamp", order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Humio (LogScale) SaaS platform

Required Tables

AsepValueUpdate WrittenDangerousFile NewExecutableWritten RegGenericValueUpdate RegValueUpdate ClassifiedModuleLoad SuspiciousImageLoad

False Positives

CrowdStrike Falcon sensor itself or the Falcon Spotlight module may generate module load events when scanning DLLs loaded by Office processes during vulnerability assessment scans
Microsoft 365 Click-to-Run (OfficeClickToRun.exe) and Office update mechanisms writing .xla or .xlam files during channel update operations — particularly when update staging places files temporarily in AppData before moving to final Office install path
Third-party Office automation tools used in RPA (Robotic Process Automation) environments such as UiPath or Blue Prism that load Office COM add-ins programmatically from non-standard directories as part of attended or unattended bot workflows

Last updated: 2026-04-19 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1137.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1137Office Application Startup

Related Sub-techniques

T1137.001Office Template Macros T1137.002Office Test T1137.003Outlook Forms T1137.004Outlook Home Page T1137.005Outlook Rules

Add-ins

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections