Code Executed Via Office Add-in XLL File
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Code Executed Via Office Add-in XLL File | Standard | Windows | Persistence: Office Application Startup - Add-ins (T1137.006) | Critical |
About the rule
Rule Type
Standard
Rule Description
Microsoft Office allows the use of add-ins to extend application functionality, including automation and integrations. XLL files are a type of dynamic-link library (DLL) specifically used by Microsoft Excel.
Attackers take advantage of this feature by creating malicious XLL add-ins that automatically execute when Excel launches. Once the malicious XLL file is registered and loaded (often via PowerShell using RegisterXLL), it can run arbitrary code under the user’s context, often without raising immediate alarms. This makes it an effective persistence mechanism post-compromise.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access via malicious attachment → XLL add-in registration → Execution through Excel startup → Payload injection using COM objects → System compromise
Impact
- System compromise
- Abuse of trusted applications to avoid detection
- Data exfiltration
Rule Requirement
Prerequisites
Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "new-object " AND SCRIPTEXECUTED contains "-ComObject " AND SCRIPTEXECUTED contains ".application" AND SCRIPTEXECUTED contains ".RegisterXLL" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Persistence: Office Application Startup - Add-ins (T1137.006)
Security standard:
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of a PowerShell scripts that attempt to create a COM object associated with Excel and call the .RegisterXLL method. This enables you to Block or restrict XLL file execution using GPO.
Author
frack113
Future actions
Known False Positives
This rule might be triggered during the legitimate use of Excel add-ins by internal tools or approved third-party analytics platforms.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit PowerShell activities: Continuously monitor PowerShell executions, restrict script execution privileges to administrators only, and disable PowerShell on devices where it is not required.
- Monitor add-ins: Disable add-ins that are not signed or come from untrusted sources
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential theft. |
