Detects anomalous use of Dynamic Data Exchange (DDE) for code execution, such as Office applications (WINWORD.EXE, EXCEL.EXE) spawning command interpreters, or loading unusual modules through DDEAUTO/DDE formulas. Correlates suspicious parent-child process relationships, registry keys enabling DDE, and module loads inconsistent with normal Office usage.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Access (DC0050) | WinEventLog:Security | EventCode=4656 |

| Field | Description |
|---|---|
| AllowedParentChildPairs | Define legitimate parent-child relationships for Office processes to reduce false positives. |
| TimeWindow | Threshold for correlating Office process creation with subsequent command execution via DDE. |
| SuspiciousDLLList | Maintain allow/block list of DLLs that Office is expected to load. |
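The correlation described above, expressed as an added example rather than code from this detection page: it consumes Sysmon EventCode 1 and 7 records, applies the three tunables (AllowedParentChildPairs, TimeWindow, SuspiciousDLLList) and returns alerts. The Sysmon records, process identifiers and tunable values are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Tunables corresponding to the fields in the table; the values are constructed assumptions.
OFFICE_PROCS = {"winword.exe", "excel.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe"}
ALLOWED_PARENT_CHILD = {("winword.exe", "splwow64.exe")}  # AllowedParentChildPairs
TIME_WINDOW = timedelta(seconds=60)                        # TimeWindow
SUSPICIOUS_DLLS = {"scrrun.dll", "clr.dll"}                # SuspiciousDLLList

def _name(path):  # case-folded file name of a Windows image path
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Correlate Sysmon EventCode 1 and 7 records (dicts); return (rule, subject, detail) alerts."""
    office_started = {}  # ProcessId -> start time of each Office process seen in EventCode 1
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t, image = ev["UtcTime"], _name(ev["Image"])
        if ev["EventCode"] == 1:
            if image in OFFICE_PROCS:
                office_started[ev["ProcessId"]] = t
                continue
            parent = _name(ev["ParentImage"])
            if parent not in OFFICE_PROCS or (parent, image) in ALLOWED_PARENT_CHILD:
                continue  # not an Office child, or a pair declared legitimate
            if image not in INTERPRETERS:
                continue
            started = office_started.get(ev["ParentProcessId"])
            if started is None or t - started <= TIME_WINDOW:  # unknown start still alerts
                alerts.append(("office_spawned_interpreter", parent, image))
        elif ev["EventCode"] == 7 and image in OFFICE_PROCS:
            dll = _name(ev["ImageLoaded"])
            if dll in SUSPICIOUS_DLLS:
                alerts.append(("office_loaded_suspicious_module", image, dll))
    return alerts

T0 = datetime(2024, 1, 1, 9, 0, 0)
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed Sysmon-style records (not real telemetry) exercising each tunable
    {"EventCode": 1, "UtcTime": T0, "Image": WORD, "ProcessId": 1000,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 500},
    {"EventCode": 1, "UtcTime": T0 + timedelta(seconds=2), "Image": r"C:\Windows\splwow64.exe",
     "ProcessId": 1001, "ParentImage": WORD, "ParentProcessId": 1000},   # allow-listed pair
    {"EventCode": 1, "UtcTime": T0 + timedelta(seconds=5), "Image": r"C:\Windows\System32\cmd.exe",
     "ProcessId": 1002, "ParentImage": WORD, "ParentProcessId": 1000},   # inside TimeWindow
    {"EventCode": 7, "UtcTime": T0 + timedelta(seconds=3), "Image": WORD,
     "ImageLoaded": r"C:\Windows\System32\scrrun.dll"},                   # suspicious module
    {"EventCode": 1, "UtcTime": T0 + timedelta(minutes=10), "Image": r"C:\Windows\System32\cmd.exe",
     "ProcessId": 1003, "ParentImage": WORD, "ParentProcessId": 1000},   # outside TimeWindow
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts (the module load and the in-window cmd.exe); the allow-listed splwow64.exe child and the cmd.exe started ten minutes after WINWORD.EXE are suppressed.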