T1137.006 Microsoft Sentinel · KQL

Detect Add-ins in Microsoft Sentinel

Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically when the corresponding Office application starts. Bisonal malware used .wll files dropped in Word startup; Naikon APT used intel.wll via RoyalRoad; Turla's LunarLoader and LunarMail use Outlook add-ins. XLL add-ins are particularly dangerous as they can execute arbitrary code when loaded and can be delivered via email attachments.

MITRE ATT&CK

Tactic: Persistence
Technique: T1137 Office Application Startup
Sub-technique: T1137.006 Add-ins
Canonical reference: https://attack.mitre.org/techniques/T1137/006/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// T1137.006 — Office Add-ins persistence detection
// Detect add-in file drops, registry registration, and suspicious DLL loads by Office
let AddInExtensions = dynamic([".wll", ".xll", ".xlam", ".xla", ".vsto", ".ppam", ".ppa"]);
let AddInPaths = dynamic([
  "\\Microsoft\\Word\\STARTUP\\",
  "\\Microsoft\\Excel\\XLSTART\\",
  "\\Microsoft\\AddIns\\",
  "\\Microsoft\\Office\\AddIns\\"
]);
// Part 1: Detect add-in file writes to Office startup/add-in directories
let AddInFileWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
// Match on the exact final extension: a plain has_any(".xll") would also match "report.xll.txt"
| extend Extension = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
| where FolderPath has_any (AddInPaths) or Extension in (AddInExtensions)
// Office itself and its installers/updaters legitimately write add-in files
| where InitiatingProcessFileName !in~ ("winword.exe", "excel.exe", "powerpnt.exe",
                                        "outlook.exe", "OfficeClickToRun.exe", "setup.exe",
                                        "msiexec.exe", "OfficeC2RClient.exe")
| extend DetectionType = "Office_AddIn_File_Written"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect Office add-in registry registration (LoadBehavior=3 means load at startup)
let AddInRegistration = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("Excel\\Addins", "Word\\Addins", "Outlook\\Addins",
                              "PowerPoint\\Addins", "Office\\Addins", "Excel\\ExcelDNA")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend DetectionType = "Office_AddIn_Registry_Registration"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect Office processes loading DLLs from non-standard paths (XLL/WLL execution)
let AddInDLLLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| extend Extension = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
// Any image loaded from a user-writable path is in scope, so expect noise from per-user
// installed add-ins (e.g. Teams, Zoom); add their paths to the exclusion filter below
| where Extension in (".wll", ".xll", ".xlam")
    or FolderPath has_any ("\\Users\\", "\\Temp\\", "\\AppData\\", "\\Downloads\\")
| where not (FolderPath has_any ("\\Microsoft Office\\", "\\Program Files\\Microsoft Office\\"))
| extend DetectionType = "Office_AddIn_DLL_Load"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union AddInFileWrite, AddInRegistration, AddInDLLLoad
| sort by Timestamp desc
```

Severity: High · Confidence: High

Three-part detection for Office Add-in persistence. Part 1 detects add-in files (.wll, .xll, .xlam, .vsto) written to Office startup/add-in directories by non-Office processes — the primary delivery method. Part 2 monitors registry add-in registration paths for new entries. Part 3 detects Office processes loading DLL-format add-ins from user-writable directories, covering runtime execution of the persistence mechanism.
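To see how the three parts and their exclusions behave before deploying the query, here is an offline replay of the same logic over constructed MDE-style rows. This is an added example, not code from the page's detection package; the registry rule is additionally narrowed to LoadBehavior=3 writes (the value used in Test 2 below), and the `Table` column and all sample values are assumptions.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Installers/updaters the query allowlists as add-in writers, plus Office itself
TRUSTED_WRITERS = OFFICE_APPS | {"officeclicktorun.exe", "setup.exe", "msiexec.exe", "officec2rclient.exe"}
ADDIN_EXTS = {".wll", ".xll", ".xlam", ".xla", ".vsto", ".ppam", ".ppa"}
ADDIN_DIRS = ("\\microsoft\\word\\startup", "\\microsoft\\excel\\xlstart", "\\microsoft\\addins", "\\microsoft\\office\\addins")
ADDIN_KEYS = ("excel\\addins", "word\\addins", "outlook\\addins", "powerpoint\\addins", "office\\addins", "excel\\exceldna")
USER_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
OFFICE_INSTALL = ("\\microsoft office\\", "\\program files\\microsoft office\\")

def ext_of(name):
    """Exact final extension, lower-cased: 'report.xll.txt' -> '.txt', never '.xll'."""
    m = re.search(r"(\.[^.\\]+)$", name)
    return m.group(1).lower() if m else ""

def contains_any(s, needles):
    return any(n in s.lower() for n in needles)

def file_write_alert(ev):  # Part 1: add-in file dropped by a non-Office, non-installer process
    in_scope = contains_any(ev["FolderPath"], ADDIN_DIRS) or ext_of(ev["FileName"]) in ADDIN_EXTS
    return ev["ActionType"] in ("FileCreated", "FileModified") and in_scope \
        and ev["InitiatingProcessFileName"].lower() not in TRUSTED_WRITERS

def registry_alert(ev):  # Part 2, narrowed to a new key or LoadBehavior=3 (load at startup)
    if ev["ActionType"] not in ("RegistryValueSet", "RegistryKeyCreated") or not contains_any(ev["RegistryKey"], ADDIN_KEYS):
        return False
    return ev["ActionType"] == "RegistryKeyCreated" or (
        ev.get("RegistryValueName") == "LoadBehavior" and ev.get("RegistryValueData") == "3")

def image_load_alert(ev):  # Part 3: Office loading an add-in, or any DLL, from a user-writable path
    suspicious = ext_of(ev["FileName"]) in {".wll", ".xll", ".xlam"} or contains_any(ev["FolderPath"], USER_DIRS)
    return ev["InitiatingProcessFileName"].lower() in OFFICE_APPS and suspicious \
        and not contains_any(ev["FolderPath"], OFFICE_INSTALL)

RULES = {"File": (file_write_alert, "Office_AddIn_File_Written", "FileName"),
         "Registry": (registry_alert, "Office_AddIn_Registry_Registration", "RegistryKey"),
         "ImageLoad": (image_load_alert, "Office_AddIn_DLL_Load", "FileName")}

def evaluate(events):  # (DetectionType, file or key) for each row that fires, in input order
    return [(label, ev[col]) for ev in events for rule, label, col in [RULES[ev["Table"]]] if rule(ev)]

SAMPLE = [  # constructed rows using MDE column names, not real telemetry
    {"Table": "File", "ActionType": "FileCreated", "FolderPath": r"C:\Users\a\AppData\Roaming\Microsoft\Word\STARTUP",
     "FileName": "intel.wll", "InitiatingProcessFileName": "powershell.exe"},
    {"Table": "File", "ActionType": "FileCreated", "FolderPath": r"C:\Program Files\Vendor", "FileName": "pdf.xll",
     "InitiatingProcessFileName": "msiexec.exe"},  # allowlisted installer: no alert
    {"Table": "File", "ActionType": "FileCreated", "FolderPath": r"C:\Users\a\Downloads", "FileName": "report.xll.txt",
     "InitiatingProcessFileName": "chrome.exe"},  # final extension is .txt: no alert
    {"Table": "Registry", "ActionType": "RegistryValueSet", "RegistryKey": r"HKCU\Software\Microsoft\Office\16.0\Excel\Addins\Test",
     "RegistryValueName": "LoadBehavior", "RegistryValueData": "3", "InitiatingProcessFileName": "reg.exe"},
    {"Table": "ImageLoad", "FolderPath": r"C:\Users\a\AppData\Local\Temp", "FileName": "calc.xll", "InitiatingProcessFileName": "EXCEL.EXE"},
    {"Table": "ImageLoad", "FolderPath": r"C:\Program Files\Microsoft Office\root\Office16", "FileName": "analys32.xll",
     "InitiatingProcessFileName": "excel.exe"},  # Office's own bundled add-in: no alert
]
```

Running `evaluate(SAMPLE)` fires once per part (the WLL drop, the LoadBehavior registration and the Temp XLL load) and stays quiet on the installer write, the `.xll.txt` file and Office's bundled add-in.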

Data Sources

  • File: File Creation
  • Windows Registry: Registry Key/Value Creation
  • Module: Module Load
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceFileEvents
  • DeviceRegistryEvents
  • DeviceImageLoadEvents

False Positives & Tuning

  • Legitimate third-party Office add-in installations (e.g., Acrobat PDF add-in, Zoom for Outlook, Microsoft Teams add-in)
  • Corporate IT deploying custom Office add-ins via MSI packages (msiexec.exe writing to add-in directories)
  • Developer workstations installing VSTO or Excel-DNA add-ins for development purposes
  • Automated software update processes updating existing legitimate add-ins
Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Drop WLL File to Word Startup Directory

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .wll in the Word STARTUP path, Image=powershell.exe. If Word is subsequently launched, Sysmon EventCode 7 would show the WLL being loaded.

  2. Test 2: Register COM Add-in in Office Registry

    Expected signal: Sysmon EventCode 12/13: RegistryKeyCreate and RegistryValueSet for HKCU\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn with LoadBehavior=3.

  3. Test 3: Create XLAM Add-in File (Excel Add-in)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .xlam in the Excel XLSTART path, Image=powershell.exe.
