title: Add-ins (T1137.006)
id: df00tech-t1137-006
status: experimental
description: "Adversaries abuse Microsoft Office add-ins to achieve persistence. Add-ins (WLL/XLL for Word/Excel, COM add-ins, VSTO add-ins, Outlook add-ins) are loaded automatically when the corresponding Office application starts. Bisonal malware used .wll files dropped in Word startup; Naikon APT used intel.wll via RoyalRoad; Turla's LunarLoader and LunarMail use Outlook add-ins. XLL add-ins are particularly dangerous as they can execute arbitrary code when loaded and can be delivered via email attachments."
references:
  - https://attack.mitre.org/techniques/T1137/006/
  - https://df00tech.com/detections/T1137.006
author: df00tech
date: 2026/04/19
tags:
  - attack.t1137.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated, and the selection below matches every Windows event.
  # Do not deploy as-is; see the KQL/SPL query on df00tech for the actual add-in load/registry/file-write logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate third-party Office add-in installations (e.g., Acrobat PDF add-in, Zoom for Outlook, Microsoft Teams add-in)"
  - Corporate IT deploying custom Office add-ins via MSI packages (msiexec.exe writing to add-in directories)
  - Developer workstations installing VSTO or Excel-DNA add-ins for development purposes
  - Automated software update processes updating existing legitimate add-ins
level: high
