Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-6 | Least Privilege | Protects | T1137.006 | Add-ins |
| CM-2 | Baseline Configuration | Protects | T1137.006 | Add-ins |
| CM-6 | Configuration Settings | Protects | T1137.006 | Add-ins |
| SC-18 | Mobile Code | Protects | T1137.006 | Add-ins |
| SC-44 | Detonation Chambers | Protects | T1137.006 | Add-ins |
| SI-8 | Spam Protection | Protects | T1137.006 | Add-ins |