Add-ins

Information

• Name: Add-ins

• ID: T1137.006

• Tactics: TA0003

• Technique: T1137

Introduction

The MITRE ATT&CK sub-technique T1137.006 - Add-ins refers to adversaries leveraging application add-ins or plugins to achieve persistence, privilege escalation, or execution within compromised systems. Add-ins typically extend the functionality of legitimate software such as Microsoft Office products, email clients, or web browsers, making them appealing vectors for attackers seeking stealth and persistence. By exploiting these trusted extensions, adversaries can seamlessly integrate malicious payloads, making detection and removal challenging.

Deep Dive Into Technique

Attackers exploit add-ins (also known as plugins or extensions) that are designed to enhance or expand the functionality of host applications. These add-ins can be integrated into legitimate software applications such as:

• Microsoft Office Suite (Word, Excel, Outlook, PowerPoint)

• Web browsers (Chrome, Firefox, Edge)

• Email clients (Outlook, Thunderbird)

Common technical methods include:

• Malicious Office Add-ins: Attackers may create malicious Office add-ins (.xll, .xla, .ppa, .dotm, .xlsm) that execute code automatically upon opening or interacting with a document or application. These malicious add-ins often leverage VBA macros, COM objects, or XLL files to execute arbitrary code.

• Browser Extensions: Malicious browser extensions can intercept browsing data, inject code into web pages, redirect users to malicious websites, or steal credentials and session cookies. Attackers may distribute these extensions via social engineering, phishing campaigns, or compromised extension repositories.

• Email Client Plugins: Malicious plugins for email clients can intercept and exfiltrate sensitive communications, inject malicious links or attachments into outgoing emails, or execute code upon receiving specific email messages.

Real-world procedures often include:

• Distributing malicious add-ins via phishing emails or malicious websites.

• Leveraging legitimate software update mechanisms to install compromised plugins.

• Using social engineering to convince users to install or activate malicious add-ins.

• Modifying existing legitimate add-ins to include malicious functionality.

When this Technique is Usually Used

Attackers typically leverage add-ins at various stages of an attack lifecycle, including:

• Initial Access: Attackers may distribute malicious add-ins as email attachments or downloads from compromised websites, tricking users into installing or activating them.

• Persistence: Add-ins provide attackers with persistence mechanisms, as they automatically execute each time the host application is launched or documents are opened.

• Execution: Malicious add-ins can execute arbitrary code, enabling attackers to load additional payloads, establish command-and-control (C2) channels, or perform lateral movement.

• Credential Access and Data Exfiltration: Add-ins can intercept sensitive information, credentials, keystrokes, or communications, enabling attackers to exfiltrate data covertly.

• Privilege Escalation: Certain add-ins may run with elevated permissions or inherit privileges from host applications, allowing attackers to escalate privileges on compromised systems.

How this Technique is Usually Detected

Detection methods and indicators include:

• Endpoint Detection and Response (EDR) Solutions: Monitor and alert on suspicious add-in installations, execution, or behavior, such as unexpected process creation or network connections.

• Application Whitelisting/Blacklisting: Enforce policies restricting unauthorized add-ins, plugins, or extensions from executing on endpoints.

• Logging and Auditing: Monitor event logs for unusual add-in installations, activations, or modifications. Relevant logs include:

  • Windows Event Logs (Application, System, Security)

  • Office Trust Center logs

  • Browser extension installation logs

• Behavioral Analysis: Identify abnormal behaviors, such as unexpected network traffic, credential harvesting attempts, or unusual file system interactions initiated by add-ins.

• Network Security Monitoring: Inspect network traffic for unusual outbound connections initiated by add-ins, especially to unknown or suspicious IP addresses or domains.

Specific Indicators of Compromise (IoCs):

• Unrecognized or unauthorized add-ins appearing in Office applications or browsers.

• Add-ins installed from suspicious URLs or domains.

• Unexpected registry keys or filesystem artifacts related to add-ins:

  • Registry paths:

    • HKCU\Software\Microsoft\Office\<version>\Excel\Addins\

    • HKCU\Software\Microsoft\Office\<version>\Word\Addins\

    • HKCU\Software\Microsoft\Office\Outlook\Addins\

  • File locations:

    • %APPDATA%\Microsoft\AddIns\

    • %ProgramFiles%\Microsoft Office\root\Office16\Library\

Why it is Important to Detect This Technique

Detecting malicious add-ins is critical due to several potential impacts:

• Persistent Access: Add-ins provide attackers with persistent footholds, enabling long-term compromise and repeated exploitation.

• Stealthy Execution: Malicious add-ins often blend into legitimate applications, making detection challenging without dedicated monitoring.

• Sensitive Data Exposure: Attackers can intercept sensitive information such as credentials, intellectual property, financial data, and confidential communications.

• Credential Theft and Account Compromise: Attackers may leverage malicious add-ins to harvest credentials, leading to account takeovers, lateral movement, and further exploitation.

• System Stability and Integrity: Malicious add-ins can degrade application performance, crash systems, or cause data corruption, impacting user productivity and system reliability.

Early detection can significantly reduce the attacker’s dwell time, limit data exfiltration, and mitigate the overall impact of compromise.

Examples

Real-world examples of malicious add-in usage include:

• TA410 Group (APT10) Operation:

  • Attackers deployed malicious Excel Add-ins (.XLL files) to target organizations in espionage operations.

  • Users received phishing emails with malicious Excel attachments containing add-ins that executed payloads upon opening.

  • Impact: Persistent access, data exfiltration, credential theft.

• FIN7 Group Attacks:

  • FIN7 leveraged malicious Office add-ins embedded in spear-phishing documents to execute malware payloads.

  • Malicious documents prompted users to enable macros or install add-ins, resulting in persistent malware infections.

  • Impact: Financial data theft, credential compromise, persistent malware infections.

• Browser Extension Malware Campaigns (Chrome Extension Malware):

  • Attackers distributed malicious browser extensions via compromised Chrome Web Store accounts or phishing campaigns.

  • Malicious extensions harvested user credentials, redirected users to phishing pages, or injected malicious advertisements.

  • Impact: Credential theft, financial fraud, data exfiltration.

• Operation Sharpshooter (North Korean Lazarus Group):

  • Employed malicious Office add-ins and macros embedded in recruitment-themed documents.

  • Upon activation, add-ins executed malicious payloads establishing persistent backdoors and C2 channels.

  • Impact: Persistent espionage operations, data theft, lateral movement within targeted networks.