Detect Add-ins in Elastic Security
Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically when the corresponding Office application starts. Bisonal malware used .wll files dropped in Word startup; Naikon APT used intel.wll via RoyalRoad; Turla's LunarLoader and LunarMail use Outlook add-ins. XLL add-ins are particularly dangerous as they can execute arbitrary code when loaded and can be delivered via email attachments.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.006 Add-ins
- Canonical reference: https://attack.mitre.org/techniques/T1137/006/
Elastic Detection Query
any where
  (
    // (1) add-in files written to Office startup/add-in directories by a process other than Office itself or its installers
    event.category == "file" and event.action in ("creation", "modification")
    and (
      file.extension in ("wll", "xll", "xlam", "xla", "vsto", "ppam", "ppa")
      or file.path : ("*\\Microsoft\\Word\\STARTUP\\*", "*\\Microsoft\\Excel\\XLSTART\\*", "*\\Microsoft\\AddIns\\*", "*\\Microsoft\\Office\\AddIns\\*")
    )
    and not process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "OfficeClickToRun.exe", "setup.exe", "msiexec.exe", "OfficeC2RClient.exe")
  )
  or (
    // (2) add-in registration under the Office add-in registry keys
    event.category == "registry" and event.action in ("modification", "creation")
    and registry.path : ("*Excel\\Addins*", "*Word\\Addins*", "*Outlook\\Addins*", "*PowerPoint\\Addins*", "*Office\\Addins*", "*Excel\\ExcelDNA*")
  )
  or (
    // (3) Office processes loading add-in or DLL files from user-writable or otherwise non-standard paths
    event.category == "library" and event.action == "load"
    and process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
    and (
      dll.name : ("*.wll", "*.xll", "*.xlam")
      or dll.path : ("*\\Users\\*", "*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*")
    )
    and not dll.path : ("*\\Microsoft Office\\*", "*\\Program Files\\Microsoft Office\\*")
  )

Detects Microsoft Office add-in persistence via three mechanisms: (1) add-in files written to Office startup/add-in directories by non-Office processes, (2) registry-based add-in registration under Office add-in keys, and (3) Office processes loading DLL/add-in files from non-standard paths. Covers the WLL/XLL/VSTO/XLAM/COM add-in formats used by Bisonal, Naikon, Turla, and generic XLL weaponization.
False Positives & Tuning
- Legitimate Office add-in deployment via enterprise software packaging tools (SCCM, Intune) that use non-standard installer processes writing add-in files to XLSTART or STARTUP directories
- Third-party productivity add-ins (Bloomberg, SAP, Salesforce, Adobe) that self-update by writing to Office add-in paths from their own launcher processes
- Developer workstations where Visual Studio or VSTO tooling writes .vsto or .xlam files to the Office add-in directories during legitimate development and testing workflows
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Drop WLL File to Word Startup Directory
Expected signal: Sysmon EventCode 11 (FileCreate) with TargetFilename ending in .wll in the Word STARTUP path and Image=powershell.exe. If Word is subsequently launched, Sysmon EventCode 7 would show the WLL being loaded.
- Test 2: Register COM Add-in in Office Registry
Expected signal: Sysmon EventCode 12/13 (RegistryKeyCreate and RegistryValueSet) for HKCU\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn with LoadBehavior=3.
- Test 3: Create XLAM Add-in File (Excel Add-in)
Expected signal: Sysmon EventCode 11 (FileCreate) with TargetFilename ending in .xlam in the Excel XLSTART path and Image=powershell.exe.
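As an added illustration (not code from Elastic or from this page), the following Python replays the three branches of the rule above over constructed Sysmon-style events, including two benign events that the rule's process and path exclusions must suppress. The df00tech.TestAddIn key name is taken from Test 2; every other path and process in the sample is made up.

```python
import fnmatch

ADDIN_EXT = {"wll", "xll", "xlam", "xla", "vsto", "ppam", "ppa"}
ADDIN_DIRS = ["*\\Microsoft\\Word\\STARTUP\\*", "*\\Microsoft\\Excel\\XLSTART\\*",
              "*\\Microsoft\\AddIns\\*", "*\\Microsoft\\Office\\AddIns\\*"]
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INSTALLERS = OFFICE_PROCS | {"officeclicktorun.exe", "setup.exe", "msiexec.exe", "officec2rclient.exe"}
ADDIN_KEYS = ["*Excel\\Addins*", "*Word\\Addins*", "*Outlook\\Addins*",
              "*PowerPoint\\Addins*", "*Office\\Addins*", "*Excel\\ExcelDNA*"]
USER_DIRS = ["*\\Users\\*", "*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*"]
OFFICE_DIRS = ["*\\Microsoft Office\\*", "*\\Program Files\\Microsoft Office\\*"]

def _match(value, patterns):
    # EQL's ':' operator is a case-insensitive wildcard match; emulate it with fnmatch
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def classify(ev):
    """Return the rule branch a single event satisfies, or None if it stays quiet."""
    proc, path = ev.get("process", "").lower(), ev.get("path", "")
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ev["type"] == "file":            # Sysmon EventCode 11 (FileCreate)
        if (ext in ADDIN_EXT or _match(path, ADDIN_DIRS)) and proc not in INSTALLERS:
            return "file-drop"
    elif ev["type"] == "registry":      # Sysmon EventCode 12/13 (registry key/value)
        if _match(ev["key"], ADDIN_KEYS):
            return "registry-addin"
    elif ev["type"] == "library" and proc in OFFICE_PROCS:   # Sysmon EventCode 7 (ImageLoad)
        if ((_match(path, ["*.wll", "*.xll", "*.xlam"]) or _match(path, USER_DIRS))
                and not _match(path, OFFICE_DIRS)):
            return "suspicious-load"
    return None

# Constructed sample telemetry: events 1, 3 and 4 are the true positives, 2 and 5 are benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "process": "powershell.exe",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\update.wll"},
    {"id": 2, "type": "file", "process": "OfficeClickToRun.exe",
     "path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\XLSTART\\ANALYS32.XLL"},
    {"id": 3, "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Addins\\df00tech.TestAddIn"},
    {"id": 4, "type": "library", "process": "excel.exe",
     "path": "C:\\Users\\alice\\Downloads\\quotes.xll"},
    {"id": 5, "type": "library", "process": "EXCEL.EXE",
     "path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL"},
]

def run(events=SAMPLE_EVENTS):  # map event id -> matched branch (None means no alert)
    return {e["id"]: classify(e) for e in events}
```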
References
- https://attack.mitre.org/techniques/T1137/006/
- https://web.archive.org/web/20190526112859/https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
- https://www.welivesecurity.com/en/eset-research/to-the-moon-and-back-again-turlas-lunar-landing-in-diplomatic-missions/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md