{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-office-addins/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Office AddIns","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["high"],"_cs_tags":["persistence","ms-office","add-ins","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe rule identifies potential persistence mechanisms employed by attackers leveraging Microsoft Office add-ins. It focuses on the creation of specific file types, including \u003ccode\u003e.wll\u003c/code\u003e, \u003ccode\u003e.xll\u003c/code\u003e, \u003ccode\u003e.ppa\u003c/code\u003e, \u003ccode\u003e.ppam\u003c/code\u003e, \u003ccode\u003e.xla\u003c/code\u003e, and \u003ccode\u003e.xlam\u003c/code\u003e, in directories such as \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\u003c/code\u003e, \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\u003c/code\u003e, and \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\u003c/code\u003e. The detection logic also incorporates Crowdstrike specific conditions using NT Object paths. This technique allows malicious actors to execute code each time the corresponding Microsoft Office application starts, achieving persistence on the system. This activity matters because attackers can gain a foothold within an organization and maintain unauthorized access even after system reboots.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a user\u0026rsquo;s profile on the targeted Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker writes a malicious Office add-in file (e.g., a \u003ccode\u003e.wll\u003c/code\u003e, \u003ccode\u003e.xll\u003c/code\u003e, \u003ccode\u003e.ppa\u003c/code\u003e, \u003ccode\u003e.ppam\u003c/code\u003e, \u003ccode\u003e.xla\u003c/code\u003e, or \u003ccode\u003e.xlam\u003c/code\u003e file) to one of the Office startup directories, such as \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may use a dropper or installer to place the malicious file in the startup directory.\u003c/li\u003e\n\u003cli\u003eThe system restarts or the user launches the corresponding Microsoft Office application (Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the malicious add-in file from the startup directory.\u003c/li\u003e\n\u003cli\u003eThe malicious add-in executes its payload, providing the attacker with persistent access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform various malicious activities, such as data exfiltration, lateral movement, or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to persistent unauthorized access to the compromised system. This allows the attacker to maintain a foothold within the network, potentially leading to data theft, disruption of services, or further propagation of malware. The compromised system could be leveraged as a staging point for lateral movement or for launching attacks against other internal resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture file creation events, especially in Office startup directories, to activate the detection logic.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Persistence via Microsoft Office AddIns File Creation\u0026rdquo; to your SIEM and tune for your environment to detect malicious add-in creation.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) loading add-ins from untrusted locations.\u003c/li\u003e\n\u003cli\u003eRestrict write access to Office startup directories and add-in loader locations to prevent unauthorized file creation.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts related to file creations described by \u003ccode\u003efile.path\u003c/code\u003e and \u003ccode\u003efile.extension\u003c/code\u003e in the rule query.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:39:25Z","date_published":"2026-05-12T18:39:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-persistence-office-addins/","summary":"This rule detects attempts to establish persistence on Windows endpoints by abusing Microsoft Office add-ins through the creation of malicious files in Office startup directories.","title":"Persistence via Microsoft Office Add-Ins File Creation","url":"https://feed.craftedsignal.io/briefs/2026-05-persistence-office-addins/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Office AddIns","version":"https://jsonfeed.org/version/1.1"}