Description
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products, including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
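As an added detection example (not part of the ATT&CK entry), the following Python flags file-creation telemetry that drops an add-in such as a `.wll` or `.xll` into a per-user Word or Excel start-up folder, the location the Naikon and Bisonal entries below describe. The key="value" event format and the sample events are constructed for this example.

```python
import ntpath
import re
from typing import Optional

# Per-user Office auto-load folders (matched case-insensitively against the
# tail of the directory path) and the add-in types each application loads at
# start-up. Assumption for this example: only %APPDATA% locations are covered.
AUTOLOAD_FOLDERS = {
    r"\microsoft\word\startup": {".wll", ".dotm"},
    r"\microsoft\excel\xlstart": {".xll", ".xla", ".xlam"},
}

# Constructed file-create events (EventID 11 mimics a Sysmon FileCreate record).
EVENTS = [
    'EventID="11" Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\intel.wll"',
    'EventID="11" Image="C:\\Windows\\System32\\cmd.exe" '
    'TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\book.xll"',
    # Benign: right folder, but not an add-in type that Word would execute.
    'EventID="11" Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\notes.txt"',
    # Benign: add-in extension, but not in an auto-load folder.
    'EventID="11" Image="C:\\Users\\alice\\Downloads\\setup.exe" '
    'TargetFilename="C:\\Users\\alice\\Downloads\\intel.wll"',
]


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" event line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def classify_addin_drop(event: dict) -> Optional[str]:
    """Return an alert string when a file-create event lands an add-in in an
    Office auto-load folder; return None for anything else."""
    if event.get("EventID") != "11":
        return None
    folder, name = ntpath.split(event.get("TargetFilename", ""))
    ext = ntpath.splitext(name)[1].lower()
    folder_l = folder.lower().rstrip("\\")
    for suffix, addin_exts in AUTOLOAD_FOLDERS.items():
        if folder_l.endswith(suffix) and ext in addin_exts:
            writer = ntpath.basename(event.get("Image", "")).lower()
            return f"{name} written to {folder} by {writer}"
    return None


def scan(lines) -> list:
    """Run the classifier over raw event lines and collect the alerts."""
    return [a for a in (classify_addin_drop(parse_event(l)) for l in lines) if a]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print("ALERT:", alert)
```

Writes made by an Office process itself (the first event) are worth keeping in scope, since an exploit running inside Word can drop the loader without any separate dropper process.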
Platforms
Mitigations (1)
M1040 Behavior Prevention on Endpoint
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk. (Citation: win10_asr)
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0019 | Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0268 | Bisonal | Malware | [Bisonal](https://attack.mitre.org/software/S0268) has been loaded through a `.wll` extension added to the `%APPDATA%\microsoft\word\startup\` reposi... |
| S1143 | LunarLoader | Malware | [LunarLoader](https://attack.mitre.org/software/S1143) has the ability to use Microsoft Outlook add-ins to establish persistence. (Citation: ESET Turl... |
| S1142 | LunarMail | Malware | [LunarMail](https://attack.mitre.org/software/S1142) has the ability to use Outlook add-ins for persistence. (Citation: ESET Turla Lunar toolset May 20... |
References
- Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail! Enterprise Email Compromise. Retrieved November 17, 2024.
- Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved November 17, 2024.
- Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
Frequently Asked Questions
What is T1137.006 (Add-ins)?
T1137.006 is a MITRE ATT&CK technique named 'Add-ins'. It belongs to the Persistence tactic(s). Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) T...
How can T1137.006 be detected?
Detection of T1137.006 (Add-ins) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1137.006?
There is 1 documented mitigation for T1137.006. Key mitigations include: Behavior Prevention on Endpoint.
Which threat groups use T1137.006?
Known threat groups using T1137.006 include: Naikon.