Potential Persistence Via Microsoft Office Add-In

Sigma Rules

Summary
This detection rule identifies a persistence mechanism in which an attacker plants a Microsoft Office add-in that Word or Excel loads automatically at startup. The primary indicators are files ending in .wll and .xll, which are dynamic link libraries crafted as add-ins for Word and Excel respectively. The rule watches the directories where such add-ins are picked up at launch: the Word Startup folder and the Excel Startup and XLSTART folders. It also covers other Office add-in formats written to the Microsoft Addins directory.

The detection logic consists of several selections, one per folder-and-extension pairing, combined with OR: a file event matches the rule if at least one selection matches. False positives may occur when legitimate add-ins are installed into the same locations, so a hit should be triaged against the process that wrote the file and whether the add-in is expected on that host. The rule gives security teams an early signal of unauthorized persistence that abuses Office applications rather than the more commonly monitored Run keys and scheduled tasks.
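As an added illustration of the selection logic described above (example code, not the Sigma rule itself or any part of the rule repository), the following Python reimplements the folder-and-extension checks over constructed file-creation events. The directory fragments, the set of "other add-in" extensions (.xlam, .xla, .ppam), the `FileEvent` shape and the sample paths are all assumptions; this page does not list the rule's literal values.

```python
"""Added example: re-implements the rule's OR-ed selections over a few
constructed file-creation events. Directory fragments and the 'other
add-in' extensions are assumptions; this page does not list them."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed directory fragments (not stated on this page). Windows paths are
# case-insensitive, so every comparison below is made on lower-cased strings,
# which is also how Sigma's 'contains'/'endswith' modifiers behave on Windows.
WORD_STARTUP_DIRS = ("\\microsoft\\word\\startup\\",)
EXCEL_STARTUP_DIRS = ("\\microsoft\\excel\\startup\\", "\\microsoft\\excel\\xlstart\\")
ADDINS_DIRS = ("\\microsoft\\addins\\",)
OTHER_ADDIN_EXTS = (".xlam", ".xla", ".ppam")  # assumed "other add-in formats"


@dataclass(frozen=True)
class FileEvent:
    image: str            # process that created the file
    target_filename: str  # full path of the file written


def match_selection(event: FileEvent) -> Optional[str]:
    """Return the name of the first matching selection, or None.

    The three selections are OR-ed, mirroring a Sigma condition such as
    '1 of selection_*': any single match is enough for the rule to fire.
    """
    path = event.target_filename.lower()
    if any(d in path for d in WORD_STARTUP_DIRS) and path.endswith(".wll"):
        return "selection_word_wll"
    if any(d in path for d in EXCEL_STARTUP_DIRS) and path.endswith(".xll"):
        return "selection_excel_xll"
    if any(d in path for d in ADDINS_DIRS) and path.endswith(OTHER_ADDIN_EXTS):
        return "selection_office_addins"
    return None


def triage(events: List[FileEvent]) -> List[Dict[str, str]]:
    """Run each event through the rule and keep hits together with the
    writing process, the context an analyst needs to tell a legitimate
    installer apart from an unexpected writer (the false-positive case)."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        sel = match_selection(ev)
        if sel:
            hits.append({"selection": sel, "image": ev.image, "file": ev.target_filename})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("C:\\Windows\\explorer.exe",
              "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\Startup\\notes.wll"),
    FileEvent("C:\\Windows\\System32\\msiexec.exe",
              "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\vendor.xll"),
    FileEvent("C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
              "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\budget.xlsx"),
    FileEvent("C:\\Windows\\explorer.exe",
              "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\AddIns\\macros.xlam"),
    FileEvent("C:\\Windows\\explorer.exe",
              "C:\\Users\\alice\\Downloads\\tool.xll"),  # right extension, wrong folder
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Of the five constructed events, three fire (the .wll in Word Startup, the .xll in XLSTART and the .xlam in AddIns); the .xlsx in XLSTART and the .xll outside any startup folder do not. The second hit was written by an installer, which is the kind of legitimate add-in deployment the summary flags as a false-positive source, so the writing process is carried into the output for the analyst.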
Categories
  • Endpoint
  • Windows
  • Application
Data Sources
  • File
ATT&CK Techniques
  • T1137.006
Created: 2020-05-11