T1137.006 Sumo Logic CSE · Sumo

Detect Add-ins in Sumo Logic CSE

Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically when the corresponding Office application starts. Bisonal malware used .wll files dropped in Word startup; Naikon APT used intel.wll via RoyalRoad; Turla's LunarLoader and LunarMail use Outlook add-ins. XLL add-ins are particularly dangerous as they can execute arbitrary code when loaded and can be delivered via email attachments.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.006 Add-ins
Canonical reference
https://attack.mitre.org/techniques/T1137/006/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// The Sumo search language has no union operator, so the three Sysmon branches
// are evaluated in one query and tagged with nested if() as detection_type.
(_sourceCategory="*windows*sysmon*" OR _sourceCategory="*endpoint*sysmon*")
| where (EventID = 11 OR EventID = 13 OR EventID = 7)

// Part 1: Office Add-in File Drops (EID 11): add-in extensions or Office
// startup/add-in folders written by a process other than Office or its installers
// Part 2: Add-in Registry Registration (EID 13): an Office *\Addins key modified
// Part 3: Office Processes Loading Add-in DLLs from Anomalous Paths (EID 7):
// WLL/XLL or user-writable paths, excluding the Office install directory
| if(EventID = 11
      AND (TargetFilename matches /(?i)\.(wll|xll|xlam|xla|vsto|ppam|ppa)$/
           OR TargetFilename matches /(?i)(Microsoft\\Word\\STARTUP|Microsoft\\Excel\\XLSTART|Microsoft\\AddIns|Microsoft\\Office\\AddIns)/)
      AND !(Image matches /(?i)(winword|excel|powerpnt|outlook|OfficeClickToRun|msiexec|OfficeC2RClient)\.exe/),
     "Office_AddIn_File_Drop",
   if(EventID = 13
      AND TargetObject matches /(?i)(Excel|Word|Outlook|PowerPoint)\\.*Addin/,
     "Office_AddIn_Registry_Registration",
   if(EventID = 7
      AND Image matches /(?i)(winword|excel|powerpnt|outlook)\.exe/
      AND (ImageLoaded matches /(?i)\.(wll|xll)/
           OR ImageLoaded matches /(?i)(\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\)/)
      AND !(ImageLoaded matches /(?i)(\\Microsoft Office\\|\\Program Files\\Microsoft Office\\)/),
     "Office_AddIn_DLL_Load",
     "none"))) as detection_type
| where detection_type != "none"
| count by _messageTime, Computer, User, detection_type, Image, CommandLine
| sort by _messageTime desc

Severity
high
Confidence
medium

Sumo Logic CSE query detecting T1137.006 Office add-in persistence across three Sysmon event types: creation of add-in files, or writes into Office startup directories, by a process other than Office or its installers (EID 11); modification of Office add-in registry keys (EID 13); and Office processes loading add-in DLLs from non-standard paths (EID 7). The three detection branches are combined into a single result set, tagged by detection_type.
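To check the branch logic offline before deploying the query, here is an added Python re-implementation of the same three regex branches (not the page's or Sumo Logic's code); the sample Sysmon events, paths and SID are constructed for the test:

```python
import re

# Regexes mirror the three branches of the Sumo query above; this is an added
# offline harness, not the page's or Sumo Logic's code.
ADDIN_EXT = re.compile(r"\.(wll|xll|xlam|xla|vsto|ppam|ppa)$", re.I)
STARTUP_DIR = re.compile(r"Microsoft\\(Word\\STARTUP|Excel\\XLSTART|AddIns|Office\\AddIns)", re.I)
OFFICE_WRITERS = re.compile(r"(winword|excel|powerpnt|outlook|OfficeClickToRun|msiexec|OfficeC2RClient)\.exe", re.I)
ADDIN_REG_KEY = re.compile(r"(Excel|Word|Outlook|PowerPoint)\\.*Addin", re.I)
OFFICE_PROCS = re.compile(r"(winword|excel|powerpnt|outlook)\.exe", re.I)
LOADER_EXT = re.compile(r"\.(wll|xll)", re.I)
USER_PATHS = re.compile(r"\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\", re.I)
OFFICE_INSTALL = re.compile(r"\\Microsoft Office\\|\\Program Files\\Microsoft Office\\", re.I)

def classify(ev):
    """Return the detection_type for one Sysmon event dict, or None when no branch fires."""
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate: add-in written by a non-Office process
        target = ev.get("TargetFilename", "")
        if (ADDIN_EXT.search(target) or STARTUP_DIR.search(target)) \
                and not OFFICE_WRITERS.search(ev.get("Image", "")):
            return "Office_AddIn_File_Drop"
    elif eid == 13:  # RegistryValueSet under an Office Addins key
        if ADDIN_REG_KEY.search(ev.get("TargetObject", "")):
            return "Office_AddIn_Registry_Registration"
    elif eid == 7:  # ImageLoad: Office loading WLL/XLL or from user-writable paths
        loaded = ev.get("ImageLoaded", "")
        if OFFICE_PROCS.search(ev.get("Image", "")) \
                and (LOADER_EXT.search(loaded) or USER_PATHS.search(loaded)) \
                and not OFFICE_INSTALL.search(loaded):
            return "Office_AddIn_DLL_Load"
    return None

# Constructed sample events (hostnames, user, SID and file names are made up).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\update.wll"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\Normal.dotm"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Addins\Test.AddIn\LoadBehavior"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.xll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"},
]

def run(events=SAMPLE_EVENTS):
    """Apply classify() to each event and keep the hits, like the query's final where."""
    return [(ev["EventID"], d) for ev in events if (d := classify(ev))]
```

Events 2 and 5 exercise the exclusions: Word writing its own startup folder and Excel loading a bundled XLL from the Office install directory produce no hit.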

Data Sources

  • Sumo Logic Installed Collector with Windows Event Log source (Sysmon channel)
  • Sumo Logic Cloud SIEM Enterprise with Windows normalization

Required Tables

Sysmon Operational Event Log via Sumo Logic Windows source

False Positives & Tuning

  • Software deployment pipelines using tools like Chef, Puppet, or Ansible that write add-in configuration files to Office directories as part of automated workstation configuration management
  • Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that install Outlook add-ins for phishing simulation reporting buttons, triggering registry events under Outlook\Addins
  • Macro-enabled Excel workbooks used in finance departments that dynamically register .xlam add-ins at runtime, causing Office processes to load add-in DLLs from user profile directories

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Drop WLL File to Word Startup Directory

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .wll in the Word STARTUP path, Image=powershell.exe. If Word is subsequently launched, Sysmon EventCode 7 would show the WLL being loaded.

  2. Test 2: Register COM Add-in in Office Registry

    Expected signal: Sysmon EventCode 12/13: RegistryKeyCreate and RegistryValueSet for HKCU\Software\Microsoft\Office\16.0\Excel\Addins\df00tech.TestAddIn with LoadBehavior=3.

  3. Test 3: Create XLAM Add-in File (Excel Add-in)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename ending in .xlam in the Excel XLSTART path, Image=powershell.exe.
