Code Executed Via Office Add-in XLL File

Sigma Rules

Summary
This detection rule addresses the misuse of Microsoft Office add-ins, specifically XLL files: dynamic link libraries that Excel loads to extend its functionality within a Microsoft Office environment. Adversaries can abuse these add-ins to achieve persistence on compromised systems. The rule triggers on PowerShell script content indicative of such activity: the strings 'new-object', '-ComObject', '.application' and '.RegisterXLL', which together are characteristic of registering and running an add-in that may allow a threat actor to execute arbitrary code or maintain access to the system. The rule depends on Script Block Logging being enabled so that PowerShell script executions are captured for analysis.
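The following is an added example, not the Sigma project's own rule or code, showing how the detection described above can be applied to PowerShell Script Block Logging records. It assumes the four strings listed in the summary are combined with AND (all must appear, as a Sigma `contains|all` selection would require), that the match is case-insensitive because PowerShell itself is, and that script block content arrives as Event ID 4104 records; the sample events are constructed for the demonstration, including the file path.

```python
"""Detection logic for the "Code Executed Via Office Add-in XLL File" rule.

Added example, not the Sigma project's code. Assumes all four tokens must be
present (AND) and that script block text is carried in Event ID 4104 records.
"""

# Substrings from the rule summary, lower-cased so the comparison is
# case-insensitive (PowerShell cmdlets, parameters and members are not case-sensitive).
REQUIRED_TOKENS = ("new-object", "-comobject", ".application", ".registerxll")

# Script Block Logging writes the script text as PowerShell Operational Event ID 4104.
SCRIPT_BLOCK_EVENT_ID = 4104


def matches_xll_registration(script_block: str) -> bool:
    """Return True when every required token appears in the script block text.

    This is a literal substring check: it fires only when the tokens appear
    verbatim, which is why Script Block Logging (de-obfuscated script content)
    rather than raw command lines is the intended data source.
    """
    text = script_block.lower()
    return all(token in text for token in REQUIRED_TOKENS)


def scan_script_block_events(events):
    """Return the subset of events that the rule would flag.

    Each event is a dict with at least 'EventID' and 'ScriptBlockText';
    events that are not script block records are ignored (assumption).
    """
    hits = []
    for event in events:
        if event.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
            continue
        if matches_xll_registration(event.get("ScriptBlockText", "")):
            hits.append(event)
    return hits


# Constructed sample events (not real log data). Paths are placeholders.
SAMPLE_EVENTS = [
    {   # Benign Excel COM automation: three of the four tokens, no RegisterXLL.
        "RecordId": 1,
        "EventID": 4104,
        "ScriptBlockText": "$xl = New-Object -ComObject Excel.Application; "
                           "$wb = $xl.Workbooks.Open('C:\\reports\\q1.xlsx')",
    },
    {   # Add-in registration via COM: all four tokens present.
        "RecordId": 2,
        "EventID": 4104,
        "ScriptBlockText": "$xl = New-Object -ComObject Excel.Application; "
                           "$xl.RegisterXLL('C:\\PLACEHOLDER\\addin.xll')",
    },
    {   # Same content in mixed case: still matches because the check is case-insensitive.
        "RecordId": 3,
        "EventID": 4104,
        "ScriptBlockText": "$X = NEW-OBJECT -COMOBJECT excel.APPLICATION; "
                           "$X.REGISTERXLL('C:\\PLACEHOLDER\\addin.xll')",
    },
    {   # Module logging record (Event ID 4103), not a script block: skipped by the filter.
        "RecordId": 4,
        "EventID": 4103,
        "ScriptBlockText": "$xl = New-Object -ComObject Excel.Application; "
                           "$xl.RegisterXLL('C:\\PLACEHOLDER\\addin.xll')",
    },
]


def flagged_record_ids(events=SAMPLE_EVENTS):
    """Convenience wrapper returning the RecordIds the rule would flag."""
    return [event["RecordId"] for event in scan_script_block_events(events)]


if __name__ == "__main__":
    for event in scan_script_block_events(SAMPLE_EVENTS):
        print(f"ALERT RecordId={event['RecordId']}: {event['ScriptBlockText']}")
```

Run as a script it prints an alert line for records 2 and 3 only. Record 1 shows why the rule needs all four tokens: ordinary Excel automation from PowerShell legitimately uses `New-Object -ComObject Excel.Application`, and `.RegisterXLL` is the discriminating term. Record 4 shows the dependence on Script Block Logging stated in the summary: without Event ID 4104 records the rule has nothing to match.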
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Process
  • Application Log
ATT&CK Techniques
  • T1137.006
Created: 2021-12-28