T1137.006SubTechniquepersistenceagent-callable
T1137.006Add-ins
Sub-technique of T1137
Platforms: Windows · Office 365
ATT&CK version: 14.1
What it is
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
ATT&CK tactics· 1
References
- https://attack.mitre.org/techniques/T1137/006
- https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique