# Word Library Add-Ins

It' possible to persist in the userland by abusing word library add-ins by putting your malicious DLL into a Word's trusted location. Once the DLL is there, the Word will load it next time it is run.

## Execution

Get Word's trusted locations where library add-ins can be dropped:

{% tabs %}
{% tab title="attacker\@target" %}

```csharp
 Get-ChildItem "hkcu:\Software\Microsoft\Office\16.0\Word\Security\Trusted Locations"
```

{% endtab %}
{% endtabs %}

![](/files/-LhytB9tWdIEMv5lUNLp)

Those trusted locations are actually defined in Word's Security Center if you have access to the GUI:

![](/files/-LhytH-t9VeQiWWp2mBG)

Let's create a simple DLL that will launch a notepad.exe once the DLL addin is loaded:

![](/files/-LhzOmsSztaeNIRcSWpj)

Compile the DLL and copy it over to `Startup` folder and rename it to `evilm64.wll`:

![](/files/-LhytYW4_8OpAlmfrAqk)

```
mv .\evilm64.dll .\evilm64.wll
```

![](/files/-LhzPgNrjVRZH2fMoXh-)

Next time the victim opens up Word, `evilm64.wll` will be loaded and executed:

![](/files/-LhzOSZOxRWdwxLn0rPY)

Interesting to note that Process Explorer does not see the evilm64.wll loaded in any of the currently running processes:

![](/files/-LhzPwCMi_9dZ3vP9MDk)

...although we can definitely see that the add-in is now recognized by Word:

![](/files/-LhzQC88OEHPwAWNcubW)

{% hint style="info" %}
This technique did not work for me on Office 365 version, but worked on Office Professional. Not sure if there's a bug in the 365 version or it's just a limitation of that version.
{% endhint %}

## References

{% embed url="<https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office/>" %}

{% embed url="<https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.ired.team/offensive-security/persistence/word-library-add-ins.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.