DET0050: Detect Persistence via Malicious Office Add-ins
Analyst context for executives and security teams
This detection strategy matters because malicious Microsoft Office add-ins can turn a compromised Windows endpoint into a persistent foothold. For leaders, the practical question is not just “do we monitor Office?” but whether the organization can prove it would notice unauthorized add-in persistence across Word, Excel, Outlook, and related Office components before it becomes an incident response blind spot.
Executive priority
Prioritize this as a persistence-control validation item for environments that rely on Microsoft Office on Windows. It supports business continuity and incident readiness by helping confirm whether endpoint, identity, and SOC processes can identify unauthorized add-ins that may survive reboots or user sessions. It can also provide useful audit evidence that common persistence locations and Office extensibility mechanisms are governed, monitored, and investigated.
Technical view
The supplied ATT&CK relationship ties DET0050 to T1137.006, Add-ins, under the persistence tactic on Windows and Office Suite. SOC and detection engineering teams should validate visibility into Office add-in installation, registration, loading, and changes across supported add-in types such as WLL/XLL, VBA add-ins, COM add-ins, automation add-ins, VBE, VSTO, and Outlook add-ins. Because the official detection text is not provided, local engineering should map known enterprise-approved add-ins, expected Office behavior, and change-management records before creating high-confidence alerts.
Likely telemetry
- Endpoint file creation and modification events in Office add-in locations
- Windows registry changes associated with Office add-in registration or loading
- Process execution and parent-child process activity involving Microsoft Office applications
- Office application or endpoint security logs showing add-in load events where available
- Software inventory or configuration management data for approved Office add-ins
Detection direction
- Baseline approved Office add-ins by application, user group, and device population before alerting broadly.
- Detect newly introduced, modified, or unusually located Office add-ins, especially where no software deployment or change ticket exists.
- Correlate add-in changes with Office process starts, endpoint file writes, registry modifications, and user identity context.
- Tune for legitimate enterprise Office extensions to reduce false positives while preserving visibility into rare or unmanaged add-ins.
- Review coverage separately for Outlook, Excel, Word, and other Office components because add-in mechanisms differ.
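An added worked example (not part of the ATT&CK object or this page) of the baseline-then-flag direction above: a Python triage routine run over Sysmon-style registry and file events that raises a finding when an add-in registration or file drop is not in the approved inventory, or is approved but was written by something other than the deployment tooling. The approved add-in names, deployment process names and sample events are constructed assumptions; the registry keys and startup folders are the commonly documented Office add-in locations.

```python
import re
from pathlib import PureWindowsPath

# Constructed inventory of approved add-ins (lowercase ProgId or file name); fed from inventory/change records in practice.
APPROVED_ADDINS = {"contoso.salesreporting", "analysis32.xll"}
# Assumed: only enterprise deployment tooling should register add-ins.
DEPLOYMENT_IMAGES = {"msiexec.exe", "ccmexec.exe"}

# Well-known registration points: COM add-ins under <App>\Addins\<ProgId>; Excel XLLs via <ver>\Excel\Options\OPEN*.
REG_RE = re.compile(
    r"^HK(?:CU|LM)\\Software\\(?:Wow6432Node\\)?Microsoft\\Office\\(?:[\d.]+\\)?"
    r"(?P<app>Word|Excel|Outlook|PowerPoint)\\(?:Addins\\(?P<progid>[^\\]+)|Options\\OPEN\d*)",
    re.I)
# Well-known auto-load folders for WLL/XLL/template add-ins.
DIR_RE = re.compile(r"\\Microsoft\\(?:Word\\STARTUP|Excel\\XLSTART|AddIns)\\[^\\]+$", re.I)

def triage(events, approved=APPROVED_ADDINS, deployers=DEPLOYMENT_IMAGES):
    """Flag add-in registrations/drops that are unapproved or come from an unmanaged process.
    Events are Sysmon-style dicts: id 13 = registry value set, id 11 = file create."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if ev["id"] == 13 and (m := REG_RE.match(ev["target"])):
            # OPEN values carry the XLL path in the data, e.g. /R "C:\...\x.xll"
            data = re.sub(r"^/R\s+", "", ev.get("details", "")).strip('"')
            name, app = m.group("progid") or PureWindowsPath(data).name, m.group("app")
        elif ev["id"] == 11 and DIR_RE.search(ev["target"]):
            name, app = PureWindowsPath(ev["target"]).name, "startup folder"
        else:
            continue  # not an add-in persistence location; ignore
        if name.lower() not in approved:
            findings.append((app, name.lower(), "unapproved add-in", ev["user"]))
        elif image not in deployers:
            findings.append((app, name.lower(), "approved add-in from unmanaged source", ev["user"]))
    return findings

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKCU\Software\Microsoft\Office\Excel\Addins\Contoso.SalesReporting\LoadBehavior",
     "details": "DWORD (0x00000003)", "image": r"C:\Windows\System32\msiexec.exe", "user": r"CORP\alice"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Office\16.0\Excel\Options\OPEN",
     "details": r'/R "C:\Users\bob\AppData\Roaming\updater.xll"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": r"CORP\bob"},
    {"id": 11, "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Word\STARTUP\helper.wll",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "user": r"CORP\bob"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Office\Outlook\Addins\Contoso.SalesReporting\LoadBehavior",
     "details": "DWORD (0x00000003)", "image": r"C:\Users\carol\Downloads\setup.exe", "user": r"CORP\carol"},
    {"id": 1, "target": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "image": "", "user": r"CORP\alice"},
]
```

Running `triage(SAMPLE_EVENTS)` yields three findings: the unapproved XLL, the unapproved WLL in the Word startup folder, and the approved Outlook add-in registered by a non-deployment process; the msiexec registration of an approved add-in is silent.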
Mitigation priorities
- Maintain an inventory of approved Office add-ins and owners.
- Restrict add-in installation and loading to authorized users, managed devices, and approved sources where enterprise controls allow.
- Use endpoint configuration management to enforce Office add-in policy consistently across Windows systems.
- Include Office add-in persistence checks in incident response triage and post-compromise reviews.
- Validate monitoring and evidence retention for add-in-related file, registry, and process activity.
Analyst notes and limits
The ATT&CK detection strategy object itself has no official description, platforms, tactics, or detection text. The actionable context comes from its relationship to T1137.006, Add-ins, which identifies persistence via Microsoft Office add-ins on Windows and Office Suite. Local environment baselines are essential because many Office add-ins are legitimate business software.
This take is limited to the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, specific adversary use, guaranteed detection logic, or coverage for any organization. Detection feasibility depends on endpoint telemetry, Office configuration, logging depth, and the organization’s inventory of approved add-ins.
Detect Persistence via Malicious Office Add-ins
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c4f6193e06a6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0050 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.