Detect Add-ins in IBM QRadar
Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically when the corresponding Office application starts. Bisonal malware used .wll files dropped in Word startup; Naikon APT used intel.wll via RoyalRoad; Turla's LunarLoader and LunarMail use Outlook add-ins. XLL add-ins are particularly dangerous as they can execute arbitrary code when loaded and can be delivered via email attachments.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1137 Office Application Startup
- Sub-technique: T1137.006 Add-ins
- Canonical reference: https://attack.mitre.org/techniques/T1137/006/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    "sourceip",
    "username",
    QIDNAME(qid) AS event_name,
    "devicehostname" AS host,
    "TargetFilename" AS target_file,
    "Image" AS initiating_process,
    "TargetObject" AS registry_key,
    "ImageLoaded" AS loaded_dll,
    CASE
        WHEN "EventID" = 11
             AND (LOWER("TargetFilename") MATCHES '.*\.(wll|xll|xlam|xla|vsto|ppam|ppa)$'
                  OR LOWER("TargetFilename") MATCHES '.*(microsoft\\word\\startup|microsoft\\excel\\xlstart|microsoft\\addins).*')
             AND NOT LOWER("Image") MATCHES '.*(winword|excel|powerpnt|outlook|officeclicktorun|msiexec)\.exe'
        THEN 'Office_AddIn_File_Drop'
        WHEN "EventID" = 13
             AND LOWER("TargetObject") MATCHES '.*(excel|word|outlook|powerpoint)\\.*addin.*'
        THEN 'Office_AddIn_Registry_Registration'
        WHEN "EventID" = 7
             AND LOWER("Image") MATCHES '.*(winword|excel|powerpnt|outlook)\.exe'
             AND LOWER("ImageLoaded") MATCHES '.*\.(wll|xll)'
             AND NOT LOWER("ImageLoaded") MATCHES '.*program files.*'
        THEN 'Office_AddIn_DLL_Load'
        ELSE 'Unknown'
    END AS detection_type
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows%'
    AND "EventID" IN (7, 11, 13)
    AND QIDNAME(qid) ILIKE '%sysmon%'
    AND (
        (
            "EventID" = 11
            AND (
                LOWER("TargetFilename") MATCHES '.*\.(wll|xll|xlam|xla|vsto|ppam|ppa)$'
                OR LOWER("TargetFilename") MATCHES '.*(microsoft\\word\\startup|microsoft\\excel\\xlstart|microsoft\\addins).*'
            )
            AND NOT LOWER("Image") MATCHES '.*(winword|excel|powerpnt|outlook|officeclicktorun|msiexec)\.exe'
        ) OR (
            "EventID" = 13
            AND LOWER("TargetObject") MATCHES '.*(excel|word|outlook|powerpoint)\\.*addin.*'
        ) OR (
            "EventID" = 7
            AND LOWER("Image") MATCHES '.*(winword|excel|powerpnt|outlook)\.exe'
            AND LOWER("ImageLoaded") MATCHES '.*\.(wll|xll)'
            AND NOT LOWER("ImageLoaded") MATCHES '.*program files.*'
        )
    )
ORDER BY starttime DESC
LAST 24 HOURS

QRadar AQL rule querying Sysmon events (IDs 7, 11, 13) to detect Office add-in persistence. It covers file drops to Office startup directories (EID 11), registry-based add-in registration (EID 13), and DLL loads of add-in files by Office processes from non-standard paths (EID 7). The detection type is calculated inline per event; the CASE branches use the same conditions as the WHERE clause, so every returned row receives a type rather than 'Unknown'. The time window is set by the trailing LAST 24 HOURS clause. "EventID", "TargetFilename", "Image", "TargetObject" and "ImageLoaded" are Sysmon custom event properties and must be defined and enabled for the Windows log source before the query returns rows.
Data Sources
Required Tables
- events (Sysmon event IDs 7, 11 and 13 ingested through a Microsoft Windows log source)
False Positives & Tuning
- Enterprise add-in management tools (SCCM, Group Policy) deploying legitimate add-ins to Excel XLSTART or Word STARTUP directories using SYSTEM account or custom service accounts
- Financial and business software vendors (Bloomberg Terminal, FactSet, Reuters Eikon) that install XLL or XLA add-ins in Office paths as part of their normal installation routine
- IT helpdesk or sysadmin accounts performing manual add-in deployment or troubleshooting Office configuration on endpoints, generating registry modification events under Office Addins keys
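As an added example (not part of the original rule), the following Python mirrors the query's WHERE-clause conditions over a few constructed Sysmon-style records and layers the tuning cases above on top as a suppression step; the ALLOWED_USERS set, the svc_sccm account, the sample hosts, users and paths are all assumed values.

```python
import re
# Patterns copied from the AQL query above; re.fullmatch mirrors AQL MATCHES (whole-value match).
ADDIN_EXT = re.compile(r'.*\.(wll|xll|xlam|xla|vsto|ppam|ppa)$')
OFFICE_STARTUP = re.compile(r'.*(microsoft\\word\\startup|microsoft\\excel\\xlstart|microsoft\\addins).*')
INSTALLER_IMAGE = re.compile(r'.*(winword|excel|powerpnt|outlook|officeclicktorun|msiexec)\.exe')
ADDIN_REG_KEY = re.compile(r'.*(excel|word|outlook|powerpoint)\\.*addin.*')
OFFICE_IMAGE = re.compile(r'.*(winword|excel|powerpnt|outlook)\.exe')
LOADED_ADDIN = re.compile(r'.*\.(wll|xll)')
# Tuning allowlist (assumed values, not from the original rule): deployment accounts and benign path fragments.
ALLOWED_USERS = {'system', 'svc_sccm'}
ALLOWED_PATH_FRAGMENTS = ('program files',)

def classify(ev):
    """detection_type the AQL CASE would assign, or None if the WHERE clause would drop the event."""
    eid = ev.get('EventID')
    if eid == 11:
        tf, img = ev.get('TargetFilename', '').lower(), ev.get('Image', '').lower()
        if (ADDIN_EXT.fullmatch(tf) or OFFICE_STARTUP.fullmatch(tf)) and not INSTALLER_IMAGE.fullmatch(img):
            return 'Office_AddIn_File_Drop'
    elif eid == 13:
        if ADDIN_REG_KEY.fullmatch(ev.get('TargetObject', '').lower()):
            return 'Office_AddIn_Registry_Registration'
    elif eid == 7:
        img, dll = ev.get('Image', '').lower(), ev.get('ImageLoaded', '').lower()
        if OFFICE_IMAGE.fullmatch(img) and LOADED_ADDIN.fullmatch(dll) and 'program files' not in dll:
            return 'Office_AddIn_DLL_Load'
    return None

def is_tuned_out(ev):
    """Second-stage suppression for the benign cases listed under False Positives & Tuning."""
    user = ev.get('username', '').lower().split('\\')[-1]
    path = (ev.get('TargetFilename') or ev.get('ImageLoaded') or '').lower()
    return user in ALLOWED_USERS or any(frag in path for frag in ALLOWED_PATH_FRAGMENTS)

def triage(events):
    return [(e['id'], classify(e)) for e in events if classify(e) and not is_tuned_out(e)]

SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {'id': 1, 'EventID': 11, 'username': r'CORP\jdoe', 'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'TargetFilename': r'C:\Users\jdoe\AppData\Roaming\Microsoft\Word\STARTUP\helper.wll'},
    {'id': 2, 'EventID': 11, 'username': r'NT AUTHORITY\SYSTEM', 'Image': r'C:\Windows\CCM\CcmExec.exe',
     'TargetFilename': r'C:\Users\jdoe\AppData\Roaming\Microsoft\Excel\XLSTART\corp.xlam'},  # SCCM deployment
    {'id': 3, 'EventID': 13, 'username': r'CORP\jdoe',
     'TargetObject': r'HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Addins\x.y\LoadBehavior'},
    {'id': 4, 'EventID': 7, 'username': r'CORP\jdoe', 'Image': r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE',
     'ImageLoaded': r'C:\Users\jdoe\AppData\Roaming\Microsoft\AddIns\tool.xll'},
    {'id': 5, 'EventID': 7, 'username': r'CORP\jdoe', 'Image': r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE',
     'ImageLoaded': r'C:\Program Files\Vendor\vendor.xll'},  # vendor XLL, excluded by the rule's Program Files filter
]
```

Events 2 and 5 show the two tuning layers: the vendor XLL never fires because the base rule excludes Program Files, while the SCCM-driven XLSTART drop fires and is then suppressed by the account allowlist.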
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Drop WLL File to Word Startup Directory
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .wll in the Word STARTUP path, Image=powershell.exe. If Word is subsequently launched, Sysmon EventCode 7 would show the WLL being loaded.
- Test 2: Register COM Add-in in Office Registry
Expected signal: Sysmon EventCode 12/13: RegistryKeyCreate and RegistryValueSet for HKCU\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn with LoadBehavior=3.
- Test 3: Create XLAM Add-in File (Excel Add-in)
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .xlam in the Excel XLSTART path, Image=powershell.exe.
References (5)
- https://attack.mitre.org/techniques/T1137/006/
- https://web.archive.org/web/20190526112859/https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
- https://www.welivesecurity.com/en/eset-research/to-the-moon-and-back-again-turlas-lunar-landing-in-diplomatic-missions/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md