MITRE ATT&CK® Analytic

AN0137: Analytic 0137

An adversary writes or drops a malicious Office Add-in (e.g., WLL, XLL, COM) to a trusted directory or modifies registry keys to load malicious add-ins on Office application launch. Upon user opening Word or Excel, the add-in is automatically loaded, triggering execution of the payload, often spawning scripting engines or anomalous child processes.

Enterprise · AN0137 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0137 describes malicious Microsoft Office add-ins on Windows: an attacker places or configures an add-in so Word or Excel loads it automatically, causing code execution when a user opens the application. The business significance is that normal productivity software can become an execution path that blends into trusted Office activity, making endpoint visibility, Office configuration governance, and incident triage quality important for resilience.

Executive priority

Treat this as a control-validation item for Windows endpoint security and Office hardening. Leaders should ask whether the organization can prove what Office add-ins are allowed, where add-ins can load from, which registry changes are monitored, and whether SOC teams can investigate Office spawning unusual child processes. This matters for business continuity because Office is widely used and trusted; weak monitoring can delay containment when user-facing productivity tools are abused.

Technical view

For SOC, detection engineering, and IR teams, validate visibility around Office add-in loading behavior on Windows. Focus on Office applications such as Word and Excel loading add-ins from trusted directories or through registry configuration, followed by suspicious process creation such as scripting engines or other anomalous child processes. Because the official ATT&CK object provides no detection text and no tactic mapping, teams should build local logic from endpoint telemetry, file/registry monitoring, process lineage, and known-good add-in baselines rather than assuming a complete analytic exists.

Likely telemetry

  • Windows endpoint process creation with parent-child relationships for Word and Excel
  • File creation or modification events in Office add-in locations and trusted directories
  • Windows registry modification events for Office add-in loading configuration
  • Office application execution and add-in load evidence where available
  • Endpoint security alerts or EDR telemetry showing scripting engines or anomalous child processes launched by Office

Detection direction

  • Baseline approved Office add-ins and expected load paths, then alert on new or unusual add-ins in trusted locations.
  • Monitor registry keys that control Office add-in loading and prioritize changes not tied to approved software deployment activity.
  • Correlate Word or Excel launches with immediate child processes, especially scripting engines or uncommon executables, while tuning for legitimate automation and business plug-ins.
  • Use allowlisted add-in inventory and software deployment records to reduce false positives.
  • Do not rely on ATT&CK-provided detection logic for this object; the official detection field is not supplied.
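The correlation the bullets above describe, as an added example rather than anything from MITRE or Glexia: a toy detector run over constructed Sysmon-style events (process creation, file creation, registry value set) that flags add-in files dropped into Office startup folders, changes to the Office add-in registry keys by non-deployment processes, and Word or Excel spawning a scripting engine, then ranks hosts where all three fire. Field names, the allowlists and the sample events are assumptions; the folder and registry-key patterns are Microsoft's standard add-in load locations and should be checked against your Office version.

```python
"""Toy AN0137 correlation over constructed Sysmon-style events (EventID 1/11/13). Hypothetical
example: field names mirror Sysmon; allowlists are placeholders for a real add-in baseline."""
import re
OFFICE = {"winword.exe", "excel.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Registry keys that control add-in loading: Word/Excel Options (WLL/XLL OPEN values) and Addins (COM).
ADDIN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+\\)?(Word|Excel)\\(Options|Addins)\\", re.I)
# Trusted startup folders from which WLL/XLL files load automatically.
ADDIN_DIR_RE = re.compile(r"\\Microsoft\\(Word\\STARTUP|Excel\\XLSTART|AddIns)\\", re.I)
ADDIN_EXTS = (".wll", ".xll", ".xlam", ".dll")
APPROVED_ADDINS = {"corpfinance.xll"}          # placeholder: approved add-in inventory
DEPLOY_TOOLS = {"ccmexec.exe", "msiexec.exe"}  # placeholder: tooling allowed to touch add-in keys

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, host, detail) tuples for events matching the three AN0137 signals."""
    alerts = []
    for e in events:
        img = base(e.get("Image", ""))
        if e["EventID"] == 1 and base(e["ParentImage"]) in OFFICE and img in SCRIPT_ENGINES:
            alerts.append(("office_child", e["Host"], f"{base(e['ParentImage'])} -> {img}"))
        elif e["EventID"] == 13 and ADDIN_KEY_RE.search(e["TargetObject"]) and img not in DEPLOY_TOOLS:
            alerts.append(("addin_registry", e["Host"], e["TargetObject"]))
        elif (e["EventID"] == 11 and ADDIN_DIR_RE.search(e["TargetFilename"])
              and e["TargetFilename"].lower().endswith(ADDIN_EXTS)
              and base(e["TargetFilename"]) not in APPROVED_ADDINS):
            alerts.append(("addin_dropped", e["Host"], e["TargetFilename"]))
    return alerts

def hosts_with_full_chain(alerts):
    """Hosts where drop, registry change and Office child process all fired: triage these first."""
    kinds = {}
    for rule, host, _ in alerts:
        kinds.setdefault(host, set()).add(rule)
    return sorted(h for h, k in kinds.items() if k >= {"addin_dropped", "addin_registry", "office_child"})

SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"EventID": 11, "Host": "WS01", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\a\AppData\Roaming\Microsoft\Excel\XLSTART\update.xll"},
    {"EventID": 13, "Host": "WS01", "Image": r"C:\Users\a\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Options\OPEN"},
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 13, "Host": "WS02", "Image": r"C:\Windows\CCM\CcmExec.exe",  # approved deployment tool
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Office\Excel\Addins\Corp.Connect\LoadBehavior"},
]
```

The WS02 event shows the tuning point from the bullets: the same registry key written by an allowlisted deployment tool produces no alert, while WS01 shows the full drop, configure, execute chain.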

Mitigation priorities

  • Establish governance for approved Office add-ins, including ownership, business justification, and change control.
  • Restrict write access to trusted Office add-in directories to authorized administrators and deployment tooling.
  • Monitor and control registry locations used to configure Office add-in loading.
  • Harden endpoint policy around Office child-process behavior where operationally feasible.
  • Ensure IR playbooks include collection of Office add-in files, registry configuration, and process lineage during suspicious Office execution investigations.

Analyst notes and limits

This take is based on AN0137, a MITRE detection analytic for Windows describing malicious Office add-ins such as WLL, XLL, or COM add-ins placed in trusted directories or configured through registry keys. No ATT&CK relationships, tactics, or official detection logic were supplied, so the practical guidance emphasizes validation areas rather than a specific detection rule.

The object does not include official detection text, relationship context, tactic mapping, procedure examples, mitigations, or data source fields. Local Office configuration, endpoint telemetry availability, approved add-in inventory, and business automation patterns are required to determine actual coverage and tuning.

Official MITRE ATT&CK definition

Analytic 0137

An adversary writes or drops a malicious Office Add-in (e.g., WLL, XLL, COM) to a trusted directory or modifies registry keys to load malicious add-ins on Office application launch. Upon user opening Word or Excel, the add-in is automatically loaded, triggering execution of the payload, often spawning scripting engines or anomalous child processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 409bca24c5cb0dc2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 409bca24c5cb…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0137

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.