T1137.006 Google Chronicle · YARA-L

Detect Add-ins in Google Chronicle

Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically each time the corresponding Office application starts, so a single file drop or registry entry survives reboots and user logoffs. Bisonal malware used .wll files dropped into the Word STARTUP directory; Naikon APT used intel.wll delivered via RoyalRoad; Turla's LunarLoader and LunarMail use Outlook add-ins. XLL add-ins are particularly dangerous because they are native DLLs that execute arbitrary code as soon as Excel loads them, and they can be delivered as email attachments.

MITRE ATT&CK

Tactic: Persistence
Technique: T1137 Office Application Startup
Sub-technique: T1137.006 Add-ins
Canonical reference: https://attack.mitre.org/techniques/T1137/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule office_addin_persistence_t1137_006 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Office add-in persistence via file drops to startup dirs, registry registration, or DLL loads by Office processes from non-standard paths (T1137.006)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1137.006"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1137/006/"
    created = "2026-04-19"
    version = "1.0"

  events:
    (
      // Branch 1: Add-in file written to Office startup/add-in paths
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e1.target.file.full_path, `(?i)\.(wll|xll|xlam|xla|vsto|ppam|ppa)$`)
        or re.regex($e1.target.file.full_path, `(?i)(Microsoft\\Word\\STARTUP|Microsoft\\Excel\\XLSTART|Microsoft\\AddIns|Microsoft\\Office\\AddIns)`)
      )
      and not re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun|msiexec|OfficeC2RClient)\.exe`)
    )
    or
    (
      // Branch 2: Registry-based add-in registration under Office add-in keys
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)(Excel|Word|Outlook|PowerPoint)\\.*Addin`)
    )
    or
    (
      // Branch 3: Office process loading add-in DLL from anomalous path
      $e1.metadata.event_type = "PROCESS_MODULE_LOAD"
      and re.regex($e1.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook)\.exe`)
      and (
        re.regex($e1.target.file.full_path, `(?i)\.(wll|xll)`)
        or re.regex($e1.target.file.full_path, `(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\)`)
      )
      and not re.regex($e1.target.file.full_path, `(?i)(\\Microsoft Office\\|\\Program Files\\Microsoft Office\\)`)
    )

  condition:
    $e1
}
```

Chronicle YARA-L 2.0 rule detecting three Office add-in persistence patterns for T1137.006: add-in file writes to Office startup directories from suspicious processes, registry key creation/modification under Office Addins paths, and Office application processes loading DLL/add-in files from user-writable or temporary locations outside standard Office installation paths.

Data Sources

Chronicle UDM events from Google Chronicle SIEM
Endpoint telemetry ingested via Chronicle forwarder (Windows Defender ATP, CrowdStrike, Carbon Black)

Required Tables

UDM events: FILE_CREATION, REGISTRY_MODIFICATION, PROCESS_MODULE_LOAD

False Positives & Tuning

  • Legitimate ISV (Independent Software Vendor) add-in installers such as Dynamics 365, SAP Business One, or Adobe Acrobat that register VSTO or COM add-ins under Office registry paths during installation
  • Excel Power Query or Power Pivot operations that dynamically load .xlam files from user AppData directories as part of normal data model refresh workflows in analytics environments
  • Corporate IT reimaging or provisioning scripts that configure Office add-ins by writing to XLSTART directories on newly deployed workstations before baseline detection tuning excludes known-good deployment hosts
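To check the rule's three branches and one of the tuning exclusions above offline, here is an added Python re-implementation (not Chronicle code and not the page's own rule) that runs the same regexes over constructed, flattened UDM events. The PROVISIONING_HOSTS allowlist, the flattened field names and the sample paths are assumptions.

```python
import re

# Regexes transcribed from the YARA-L rule above (all case-insensitive).
ADDIN_EXT = re.compile(r"\.(wll|xll|xlam|xla|vsto|ppam|ppa)$", re.I)
STARTUP_DIR = re.compile(r"(Microsoft\\Word\\STARTUP|Microsoft\\Excel\\XLSTART|Microsoft\\AddIns|Microsoft\\Office\\AddIns)", re.I)
TRUSTED_WRITER = re.compile(r"(winword|excel|powerpnt|outlook|OfficeClickToRun|msiexec|OfficeC2RClient)\.exe", re.I)
ADDIN_KEY = re.compile(r"(Excel|Word|Outlook|PowerPoint)\\.*Addin", re.I)
OFFICE_PROC = re.compile(r"(winword|excel|powerpnt|outlook)\.exe", re.I)
ADDIN_MODULE = re.compile(r"\.(wll|xll)", re.I)
USER_WRITABLE = re.compile(r"(\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\)", re.I)
OFFICE_INSTALL = re.compile(r"(\\Microsoft Office\\|\\Program Files\\Microsoft Office\\)", re.I)
# Hypothetical tuning allowlist for the third false-positive case above: hosts that
# corporate provisioning scripts legitimately populate with XLSTART add-ins.
PROVISIONING_HOSTS = {"img-builder-01"}

def match_branch(ev):
    # Branches are mutually exclusive per event_type, so early returns mirror the rule's "or".
    etype, target, principal = ev["event_type"], ev["target"], ev["principal"]
    if etype == "FILE_CREATION" and (ADDIN_EXT.search(target) or STARTUP_DIR.search(target)):
        return None if TRUSTED_WRITER.search(principal) else "file_drop"
    if etype == "REGISTRY_MODIFICATION" and ADDIN_KEY.search(ev["key"]):
        return "registry"
    if etype == "PROCESS_MODULE_LOAD" and OFFICE_PROC.search(principal) \
            and (ADDIN_MODULE.search(target) or USER_WRITABLE.search(target)):
        return None if OFFICE_INSTALL.search(target) else "module_load"
    return None

def evaluate(events):
    # Apply the rule, then the tuning exclusion; return (event id, branch) per alert.
    alerts = []
    for ev in events:
        branch = match_branch(ev)
        if branch == "file_drop" and ev["host"] in PROVISIONING_HOSTS:
            continue  # known-good deployment host: tuning, not part of the original rule
        if branch:
            alerts.append((ev["id"], branch))
    return alerts

def udm(eid, etype, host, principal="", target="", key=""):
    return {"id": eid, "event_type": etype, "host": host, "principal": principal, "target": target, "key": key}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C2R = r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
WORD_STARTUP = r"C:\Users\bob\AppData\Roaming\Microsoft\Word\STARTUP"
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    udm("e1", "FILE_CREATION", "ws-17", PS, WORD_STARTUP + r"\test.wll"),            # branch 1 fires
    udm("e2", "FILE_CREATION", "ws-17", C2R, OFFICE16 + r"\Library\vendor.xll"),      # excluded: Office installer
    udm("e3", "REGISTRY_MODIFICATION", "ws-17", key=r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn"),
    udm("e4", "PROCESS_MODULE_LOAD", "ws-17", OFFICE16 + r"\EXCEL.EXE", OFFICE16 + r"\Library\vendor.xll"),  # excluded: install path
    udm("e5", "PROCESS_MODULE_LOAD", "ws-17", OFFICE16 + r"\WINWORD.EXE", WORD_STARTUP + r"\test.wll"),       # branch 3 fires
    udm("e6", "FILE_CREATION", "img-builder-01", PS, r"C:\Users\Default\AppData\Roaming\Microsoft\Excel\XLSTART\corp.xlam"),  # tuned out
]
```

Running evaluate(SAMPLE_EVENTS) yields alerts for e1, e3 and e5 only; e2 and e4 are dropped by the rule's own exclusions and e6 by the allowlist.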

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Drop WLL File to Word Startup Directory

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .wll in the Word STARTUP path, Image=powershell.exe. If Word is subsequently launched, Sysmon EventCode 7 would show the WLL being loaded.

  2. Test 2: Register COM Add-in in Office Registry

    Expected signal: Sysmon EventCode 12/13: RegistryKeyCreate and RegistryValueSet for HKCU\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn with LoadBehavior=3.

  3. Test 3: Create XLAM Add-in File (Excel Add-in)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .xlam in the Excel XLSTART path, Image=powershell.exe.
