Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.006 | Add-ins |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1137.006 | Add-ins | |
| SC-18 | Mobile Code | mitigates | T1137.006 | Add-ins | |
| SC-44 | Detonation Chambers | mitigates | T1137.006 | Add-ins | |
| SI-08 | Spam Protection | mitigates | T1137.006 | Add-ins | |
| CM-02 | Baseline Configuration | mitigates | T1137.006 | Add-ins | |
| AC-06 | Least Privilege | mitigates | T1137.006 | Add-ins |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_ids | Cloud IDS | technique_scores | T1137.006 | Add-ins |
Comments
Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office add-ins.
Although there are ways an attacker could deliver a malicious file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.
References
|