How can defenders detect a VSTO-based backdoor on a system?
Check Control Panel's Programs and Features for suspicious VSTO add-ins (they appear in the program list even though their uninstall keys are not in the standard registry location). Also inspect Office's COM add-ins list. Note that disabling macros does not affect VSTO add-ins, so this persistence method bypasses common macro security controls.
detection, COM add-ins, Programs and Features, macro bypass