Office Application Startup: Add-ins
Other sub-techniques of Office Application Startup (6)
ID | Name |
---|---|
T1137.001 | Office Template Macros |
T1137.002 | Office Test |
T1137.003 | Outlook Forms |
T1137.004 | Outlook Home Page |
T1137.005 | Outlook Rules |
T1137.006 | Add-ins |
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. [1] There are different types of add-ins that can be used by the various Office products, including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. [2][3]
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
Procedure Examples
Name | Description |
---|---|
Naikon | Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.[4] |
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.[5][2]
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
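The two detection ideas above, worked as a small Python script that is an added example and not part of the ATT&CK page: it flags add-in library files written into Office startup locations and walks PID/PPID relationships to report process chains descending from an Office process. The telemetry events, the startup-folder markers and the list of expected Office child processes are constructed assumptions to be tuned against your own baseline.

```python
import os
from collections import defaultdict

# Constructed sample process-creation events (pid, ppid, image); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\splwow64.exe"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office process spawns in ordinary use; assumed baseline, adjust per environment.
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Add-in library extensions named on the page (WLL/XLL/VSTO) plus plain DLLs loaded as COM add-ins.
ADDIN_EXTENSIONS = (".wll", ".xll", ".vsto", ".dll")
# Per-user and per-install Office startup folders that auto-load add-ins (trusted locations).
STARTUP_MARKERS = (r"\microsoft\word\startup\\", r"\microsoft\excel\xlstart\\",
                   r"\office16\startup\\", r"\office16\xlstart\\")


def image_name(path):
    """Lower-case file name of a Windows image path, regardless of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_addin_drop(path):
    """True when a file written to disk is an add-in library inside an Office startup folder."""
    p = path.lower().replace("/", "\\")
    return any(m.rstrip("\\") + "\\" in p for m in STARTUP_MARKERS) and p.endswith(ADDIN_EXTENSIONS)


def find_office_chains(events):
    """Return 'parent -> child -> ...' strings for every descendant of an Office process
    that is not in the expected-children baseline."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for root in events:
        if image_name(root["image"]) not in OFFICE_IMAGES:
            continue
        stack = [(c, [root]) for c in children[root["pid"]]]
        while stack:
            proc, chain = stack.pop()
            chain = chain + [proc]
            if image_name(proc["image"]) not in EXPECTED_CHILDREN:
                findings.append(" -> ".join(image_name(p["image"]) for p in chain))
            stack.extend((c, chain) for c in children[proc["pid"]])
    return findings
```

Feed real process-creation and file-creation telemetry into the same two functions; the chain strings are meant to be reviewed, not auto-blocked, since legitimate automation also launches processes from Office.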