Detect Add-ins in Splunk
Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically when the corresponding Office application starts. Bisonal malware used .wll files dropped in Word startup; Naikon APT used intel.wll via RoyalRoad; Turla's LunarLoader and LunarMail use Outlook add-ins. XLL add-ins are particularly dangerous as they can execute arbitrary code when loaded and can be delivered via email attachments.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1137 Office Application Startup
- Sub-technique
- T1137.006 Add-ins
- Canonical reference
- https://attack.mitre.org/techniques/T1137/006/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
EventCode=11 AND
(match(TargetFilename, "(?i)\\.(wll|xll|xlam|xla|vsto|ppam|ppa)$") OR
match(TargetFilename, "(?i)(\\\\Microsoft\\\\Word\\\\STARTUP|\\\\Microsoft\\\\Excel\\\\XLSTART|\\\\Microsoft\\\\AddIns)")) AND
NOT match(Image, "(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun|msiexec)\.exe"),
"Office_AddIn_File_Drop",
EventCode=13 AND
match(TargetObject, "(?i)(Excel|Word|Outlook|PowerPoint)\\\\.*Addin"),
"Office_AddIn_Registry_Registration",
EventCode=7 AND
match(Image, "(?i)(winword|excel|powerpnt|outlook)\.exe") AND
match(ImageLoaded, "(?i)\\.(wll|xll)") AND
NOT match(ImageLoaded, "(?i)\\Program Files"),
"Office_AddIn_DLL_Load",
true(), null()
)
| where isnotnull(detection_type)
| eval indicator=case(
EventCode=11, TargetFilename,
EventCode=13, TargetObject." -> ".Details,
EventCode=7, ImageLoaded,
true(), "-"
)
| table _time, host, User, detection_type, indicator, Image, CommandLine
| sort - _timeDetects Office Add-in persistence via Sysmon. EventCode 11 (File Create) catches add-in files (.wll, .xll, .xlam, .vsto) written to Office startup directories by non-Office processes. EventCode 13 (Registry Value Set) catches add-in registration in Office add-in registry paths. EventCode 7 (Image Load) catches Office processes loading .wll/.xll files from non-Program Files locations.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate add-in installations by msiexec, setup.exe, or OfficeClickToRun
- Developer installation of Excel-DNA or VSTO add-ins
- Corporate IT pushing Office add-ins via SCCM/Intune
Other platforms for T1137.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Drop WLL File to Word Startup Directory
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .wll in the Word STARTUP path, Image=powershell.exe. If Word is subsequently launched, Sysmon EventCode 7 would show the WLL being loaded.
- Test 2Register COM Add-in in Office Registry
Expected signal: Sysmon EventCode 12/13: RegistryKeyCreate and RegistryValueSet for HKCU\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn with LoadBehavior=3.
- Test 3Create XLAM Add-in File (Excel Add-in)
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .xlam in the Excel XLSTART path, Image=powershell.exe.
References (5)
- https://attack.mitre.org/techniques/T1137/006/
- https://web.archive.org/web/20190526112859/https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
- https://www.welivesecurity.com/en/eset-research/to-the-moon-and-back-again-turlas-lunar-landing-in-diplomatic-missions/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md
Unlock Pro Content
Get the full detection package for T1137.006 including response playbook, investigation guide, and atomic red team tests.