T1137.006 CrowdStrike LogScale · LogScale

Detect Add-ins in CrowdStrike LogScale

Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically each time the corresponding Office application starts, so a single file drop or registry write survives reboots and user logoffs. Bisonal dropped .wll files into the Word STARTUP folder; Naikon APT delivered intel.wll through RoyalRoad-built documents; Turla's LunarLoader and LunarMail run as Outlook add-ins. XLL add-ins are native DLLs, so opening one runs arbitrary code with the user's privileges, and they are routinely delivered as email attachments.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.006 Add-ins
Canonical reference
https://attack.mitre.org/techniques/T1137/006/

LogScale Detection Query

CrowdStrike LogScale (CQL)
// T1137.006: Office add-in persistence (file drop, registry registration, add-in module load)
// Scope to the Falcon event types the branches need before branching. LogScale has no
// union function; a single case{} block labels each event with at most one branch.
#event_simpleName = /^(NewExecutableWritten|WrittenDangerousFile|AsepValueUpdate|RegGenericValueUpdate|RegValueUpdate|ClassifiedModuleLoad|SuspiciousImageLoad)$/
| case {
    // Branch 1: add-in file written to disk. Match on extension, or on an Office
    // startup/add-in directory inside the full TargetFileName path. Office updaters are
    // excluded; Office processes themselves are not, because a macro dropping a .wll
    // from winword.exe is exactly the Bisonal pattern this rule exists to catch.
    #event_simpleName = /^(NewExecutableWritten|WrittenDangerousFile)$/
      | TargetFileName = /\.(wll|xll|xlam|xla|vsto|ppam|ppa)$/i
        OR TargetFileName = /\\Microsoft\\(Word\\STARTUP|Excel\\XLSTART|AddIns|Office\\AddIns)\\/i
      | ImageFileName != /\\(OfficeClickToRun|OfficeC2RClient|msiexec)\.exe$/i
      | Indicator := TargetFileName
      | detection_type := "Office_AddIn_File_Drop";

    // Branch 2: COM/VSTO add-in registration under the per-application Addins key, with
    // or without the version segment (HKCU ...\Office\16.0\Excel\Addins\<ProgId>,
    // HKLM ...\Office\Excel\Addins\<ProgId>). AsepValueUpdate is a registry event and
    // carries RegObjectName, not TargetFileName, so it belongs in this branch.
    #event_simpleName = /^(AsepValueUpdate|RegGenericValueUpdate|RegValueUpdate)$/
      | RegObjectName = /\\Microsoft\\Office\\(\d+\.\d+\\)?(Excel|Word|Outlook|PowerPoint)\\Addins\\/i
      | Indicator := RegObjectName
      | detection_type := "Office_AddIn_Registry_Registration";

    // Branch 3: an Office process loading a native add-in (.wll/.xll), or any module
    // from a user-writable path, excluding the Office install tree.
    #event_simpleName = /^(ClassifiedModuleLoad|SuspiciousImageLoad)$/
      | ImageFileName = /\\(winword|excel|powerpnt|outlook)\.exe$/i
      | ModuleFileName = /\.(wll|xll)$/i
        OR ModuleDirectoryName = /\\(Users|Temp|AppData|Downloads)\\/i
      | ModuleDirectoryName != /\\Microsoft Office\\/i
      | Indicator := ModuleFileName
      | detection_type := "Office_AddIn_DLL_Load";
  }
// Keep only events that one of the branches labelled.
| detection_type = *
| table(
    [@timestamp, ComputerName, UserName, detection_type, Indicator,
     ImageFileName, CommandLine, ParentImageFileName],
    limit=1000
  )
| sort(field="@timestamp", order=desc)

Severity: high. Confidence: medium.

CrowdStrike LogScale (CQL) detection for T1137.006 Office add-in persistence using Falcon endpoint telemetry. One case{} block labels three independent signals: add-in file writes (matched by extension or by Office startup/add-in directory), COM/VSTO add-in registration under the per-application Addins registry key, and Office processes loading native add-ins or any module from a user-writable path. Each event is labelled by at most one branch, and the closing table() shows only labelled events, so the three branches can be tuned separately on the detection_type field.
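To make the branch logic testable without a LogScale tenant, here is a Python re-implementation of the three branches run over a handful of constructed Falcon-style records. This is an added example, not CrowdStrike's code and not part of the original page; the SAMPLE_EVENTS are made up to resemble FDR records (event_simpleName plus the fields the query keys on) and are not real telemetry.

```python
"""Python re-implementation of the three LogScale branches, runnable offline.

Added example; not CrowdStrike's or the page's own code. SAMPLE_EVENTS are
constructed to look like Falcon FDR records and are not real telemetry.
"""
import re

# Patterns mirror the regexes in the CQL query, with the same /i semantics.
ADDIN_EXT = re.compile(r"\.(wll|xll|xlam|xla|vsto|ppam|ppa)$", re.I)
ADDIN_DIR = re.compile(r"\\Microsoft\\(Word\\STARTUP|Excel\\XLSTART|AddIns|Office\\AddIns)\\", re.I)
OFFICE_UPDATER = re.compile(r"\\(OfficeClickToRun|OfficeC2RClient|msiexec)\.exe$", re.I)
ADDIN_REG_KEY = re.compile(r"\\Microsoft\\Office\\(\d+\.\d+\\)?(Excel|Word|Outlook|PowerPoint)\\Addins\\", re.I)
OFFICE_APP = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.I)
NATIVE_ADDIN = re.compile(r"\.(wll|xll)$", re.I)
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|Downloads)\\", re.I)
OFFICE_INSTALL = re.compile(r"\\Microsoft Office\\", re.I)

FILE_EVENTS = {"NewExecutableWritten", "WrittenDangerousFile"}
REG_EVENTS = {"AsepValueUpdate", "RegGenericValueUpdate", "RegValueUpdate"}
LOAD_EVENTS = {"ClassifiedModuleLoad", "SuspiciousImageLoad"}


def classify(ev):
    """Return (detection_type, Indicator) if one branch matches the event, else None.

    Branch order and predicates follow the CQL case{} block one to one.
    """
    name = ev.get("event_simpleName")
    if name in FILE_EVENTS:
        target = ev.get("TargetFileName", "")
        writer = ev.get("ImageFileName", "")
        if (ADDIN_EXT.search(target) or ADDIN_DIR.search(target)) and not OFFICE_UPDATER.search(writer):
            return "Office_AddIn_File_Drop", target
    elif name in REG_EVENTS:
        key = ev.get("RegObjectName", "")
        if ADDIN_REG_KEY.search(key):
            return "Office_AddIn_Registry_Registration", key
    elif name in LOAD_EVENTS:
        host_proc = ev.get("ImageFileName", "")
        module = ev.get("ModuleFileName", "")
        mod_dir = ev.get("ModuleDirectoryName", "")
        if (OFFICE_APP.search(host_proc)
                and (NATIVE_ADDIN.search(module) or USER_WRITABLE.search(mod_dir))
                and not OFFICE_INSTALL.search(mod_dir)):
            return "Office_AddIn_DLL_Load", module
    return None


def detect(events):
    """Equivalent of the query's table(): one row per event a branch labelled."""
    rows = []
    for ev in events:
        hit = classify(ev)
        if hit:
            rows.append({"ComputerName": ev.get("ComputerName"),
                         "detection_type": hit[0], "Indicator": hit[1],
                         "ImageFileName": ev.get("ImageFileName")})
    return rows


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
SAMPLE_EVENTS = [
    # 1. PowerShell drops a .wll into Word STARTUP (Test 1 on this page): branch 1.
    {"event_simpleName": "NewExecutableWritten", "ComputerName": "WS01",
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll"},
    # 2. Word itself writes the .wll (macro drop, the Bisonal pattern): still branch 1.
    {"event_simpleName": "NewExecutableWritten", "ComputerName": "WS01",
     "ImageFileName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\helper.wll"},
    # 3. Click-to-Run refreshing a shipped .xll: excluded as an updater.
    {"event_simpleName": "NewExecutableWritten", "ComputerName": "WS01",
     "ImageFileName": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe",
     "TargetFileName": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"},
    # 4. COM add-in registered under HKCU ...\Excel\Addins (Test 2): branch 2.
    {"event_simpleName": "AsepValueUpdate", "ComputerName": "WS01",
     "ImageFileName": r"C:\Windows\regedit.exe",
     "RegObjectName": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn",
     "RegValueName": "LoadBehavior", "RegNumericValue": 3},
    # 5. Unrelated Office registry churn: no branch matches.
    {"event_simpleName": "RegGenericValueUpdate", "ComputerName": "WS01",
     "ImageFileName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "RegObjectName": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Office\16.0\Excel\Resiliency\DisabledItems"},
    # 6. Excel loads an .xll from Downloads (emailed XLL): branch 3.
    {"event_simpleName": "ClassifiedModuleLoad", "ComputerName": "WS02",
     "ImageFileName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ModuleFileName": r"C:\Users\bob\Downloads\invoice.xll",
     "ModuleDirectoryName": r"C:\Users\bob\Downloads"},
    # 7. Excel loads the shipped Analysis ToolPak .xll from the install tree: excluded.
    {"event_simpleName": "ClassifiedModuleLoad", "ComputerName": "WS02",
     "ImageFileName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ModuleFileName": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL",
     "ModuleDirectoryName": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis"},
    # 8. Non-Office process loading from a user path: outside branch 3's scope.
    {"event_simpleName": "ClassifiedModuleLoad", "ComputerName": "WS02",
     "ImageFileName": r"C:\Windows\System32\notepad.exe",
     "ModuleFileName": r"C:\Users\bob\AppData\Local\Temp\x.dll",
     "ModuleDirectoryName": r"C:\Users\bob\AppData\Local\Temp"},
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["ComputerName"], row["detection_type"], row["Indicator"])
```

Events 1, 2, 4 and 6 are labelled; 3, 5, 7 and 8 fall through, which is the same split the CQL produces. Event 2 is the one to watch when tuning: suppressing winword.exe in branch 1 would silence it.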

Data Sources

  • CrowdStrike Falcon Endpoint Protection (EDR)
  • Falcon Data Replicator (FDR) streaming to LogScale
  • CrowdStrike Humio (LogScale) SaaS platform

Required Tables

  • AsepValueUpdate
  • WrittenDangerousFile
  • NewExecutableWritten
  • RegGenericValueUpdate
  • RegValueUpdate
  • ClassifiedModuleLoad
  • SuspiciousImageLoad

False Positives & Tuning

  • The CrowdStrike Falcon sensor itself, or the Falcon Spotlight module, may generate module load events for DLLs loaded by Office processes during vulnerability assessment scans; baseline these before raising branch 3 to alerting
  • Microsoft 365 Click-to-Run (OfficeClickToRun.exe) and Office update mechanisms writing .xla or .xlam files during channel updates, particularly when update staging places files temporarily under AppData before moving them to the Office install path; the updater exclusion in branch 1 covers the writer, but branch 3 can still fire on the staged module load
  • Third-party Office automation tools used in RPA (Robotic Process Automation) environments, such as UiPath or Blue Prism, that load Office COM add-ins programmatically from non-standard directories as part of attended or unattended bot workflows
  • Excel and Word write .xlam/.xla/.wll files when a user saves a workbook or document as an add-in. Do not suppress Office processes wholesale in branch 1, since a macro dropping a .wll from winword.exe is the Bisonal pattern the rule targets; allowlist specific TargetFileName paths instead
  • NewExecutableWritten records PE writes. A macro-based .xlam, .xla or .ppam is an OOXML/OLE document rather than a PE, so those extensions in branch 1 only match if WrittenDangerousFile (or whichever file-write event feeds your repository) records them; Test 3 below is the check
  • Branch 3 matches any module an Office process loads from a user-writable path, which includes legitimate per-user installs under AppData; after baselining, allowlist known ModuleDirectoryName values rather than widening the install-tree exclusion
Testing Methodology

Validate this detection against three adversary behaviours drawn from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Drop WLL File to Word Startup Directory

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .wll in the Word STARTUP path, Image=powershell.exe. If Word is subsequently launched, Sysmon EventCode 7 would show the WLL being loaded. In Falcon telemetry the same write appears as a file-write event (NewExecutableWritten, since a .wll is a PE) with that TargetFileName, which branch 1 labels Office_AddIn_File_Drop; the later load by winword.exe is what branch 3 labels Office_AddIn_DLL_Load.

  2. Test 2: Register COM Add-in in Office Registry

    Expected signal: Sysmon EventCode 12/13: RegistryKeyCreate and RegistryValueSet for HKCU\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn with LoadBehavior=3. In Falcon telemetry expect AsepValueUpdate or RegGenericValueUpdate with RegObjectName under ...\Excel\Addins\, which branch 2 labels Office_AddIn_Registry_Registration.

  3. Test 3: Create XLAM Add-in File (Excel Add-in)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .xlam in the Excel XLSTART path, Image=powershell.exe. An .xlam is an OOXML document, not a PE, so NewExecutableWritten will not fire; this test confirms whether the file-write events in your repository cover branch 1's non-PE extensions at all.
