CAR-2021-01-006: Unusual Child Process spawned using DDE exploit
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Inter-Process Communication | Dynamic Data Exchange | Execution | Low |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | command_line |
Implementations
Splunk search - Unusual Child Process spawned using DDE exploit (Splunk, Sysmon native)
This Splunk query looks for any executable invocations from an Excel file.
index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe"
Splunk search - Unusual Child Process spawned using DDE exploit (Pseudocode)
This Splunk query looks for any executable invocations from an Excel file.
processes = search Process:Create
target_processes = filter processes where (
(parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe")
AND image="*.exe"
)