Office Application Startup: Add-ins (T1137.006)
Tactic: Persistence · Platforms: Windows, Office Suite
The interactive view maps 1 detection strategy, 1 mitigation, 1 threat group, 3 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Office Application Startup (T1137).
Overview
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins.
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.