Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

ATT&CK Detection

Technique                    Subtechnique(s)        Tactic(s)   Level of Coverage
Inter-Process Communication  Dynamic Data Exchange  Execution   Low

Data Model References

Object   Action  Field
process  create  command_line

Applicable Sensors

Implementations

Splunk search - Unusual Child Process spawned using DDE exploit (Splunk, Sysmon native)

This Splunk query looks for any executable spawned as a child of an Office process (Excel, Word, or Outlook), which is how a DDE field that launches a command shows up in process-creation telemetry.

index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe"

Splunk search - Unusual Child Process spawned using DDE exploit (Pseudocode)

This pseudocode expresses the same logic as the Splunk search above: any executable spawned as a child of an Office process (Excel, Word, or Outlook).

processes = search Process:Create
target_processes = filter processes where (
     (parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe")
     AND image="*.exe"
     )
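The following is an added example, not part of the CAR analytic or the Splunk search above, showing the same parent/child match applied to a handful of constructed Sysmon process-create records. The record field names (parent_image, image, command_line) follow the data model referenced on this page; the sample events, the allowlist and the function names are assumptions made for illustration. It also shows why the pattern list in the search works for Word at all: the Word binary is WINWORD.EXE, and only the leading wildcard in "*word.exe" lets it match, and it shows the tuning step a practitioner reaches for next, since Office legitimately spawns some executables (for example the print-driver host splwow64.exe, or Outlook opening Word) that the raw search would flag.

```python
import fnmatch

# Constructed Sysmon EventID 1 (process create) records, reduced to the
# fields the analytic uses. Paths are illustrative, not captured data.
SAMPLE_EVENTS = [
    {  # DDE-style launch: Excel spawning a command shell
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /c calc.exe",
    },
    {  # Benign: Word handing printing off to the 64-bit spooler proxy
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\splwow64.exe",
        "command_line": r"C:\Windows\splwow64.exe 12288",
    },
    {  # Not an Office parent: explorer launching Excel itself
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "command_line": r'"EXCEL.EXE" C:\Users\alice\budget.xlsx',
    },
    {  # Benign but matches the raw search: Outlook opening Word as mail editor
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "command_line": r'"WINWORD.EXE" /Embedding',
    },
]

# Same patterns as the Splunk search; "*word.exe" matches WINWORD.EXE only
# because of the leading wildcard, so "*winword.exe" is listed for clarity.
OFFICE_PARENTS = ("*excel.exe", "*winword.exe", "*word.exe", "*outlook.exe")


def is_office_parent(parent_image: str) -> bool:
    """True if the parent process path ends in one of the Office binaries."""
    name = parent_image.lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in OFFICE_PARENTS)


def child_name(image: str) -> str:
    """Bare file name of a Windows image path, lower-cased for comparison."""
    return image.lower().rsplit("\\", 1)[-1]


def find_office_children(events, allowlist=()):
    """Return the events whose parent is an Office process and whose image is
    an .exe, skipping child names in the caller-supplied allowlist (constructed
    tuning knob; the page's search has no allowlist)."""
    allowed = {name.lower() for name in allowlist}
    hits = []
    for ev in events:
        if not is_office_parent(ev["parent_image"]):
            continue
        if not fnmatch.fnmatchcase(ev["image"].lower(), "*.exe"):
            continue
        if child_name(ev["image"]) in allowed:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    raw = find_office_children(SAMPLE_EVENTS)
    tuned = find_office_children(SAMPLE_EVENTS, allowlist=("splwow64.exe", "winword.exe"))
    print(f"raw search: {len(raw)} hit(s); after allowlist: {len(tuned)} hit(s)")
    for ev in tuned:
        print(f"  {child_name(ev['parent_image'])} -> {ev['command_line']}")
```

Running it shows three hits for the untuned logic (the Excel-to-cmd.exe launch, the spooler proxy, and Outlook opening Word) and one hit once the two known-benign children are allowlisted. Build the allowlist from what your own Office fleet actually spawns, and review the command_line field of each remaining hit rather than the image name alone.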