DET0504 Detect Abuse of Dynamic Data Exchange (T1559.002)

| Item | Value |
| --- | --- |
| ID | DET0504 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1559.002 (Dynamic Data Exchange)

Analytics

Windows

AN1393

Detects anomalous use of Dynamic Data Exchange (DDE) for code execution, such as Office applications (WINWORD.EXE, EXCEL.EXE) spawning command interpreters, or loading unusual modules through DDEAUTO/DDE formulas. Correlates suspicious parent-child process relationships, registry keys enabling DDE, and module loads inconsistent with normal Office usage.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Access (DC0050) | WinEventLog:Security | EventCode=4663, 4670, 4656 |

Mutable Elements

| Field | Description |
| --- | --- |
| AllowedParentChildPairs | Define legitimate parent-child relationships for Office processes to reduce false positives. |
| TimeWindow | Threshold for correlating Office process creation with subsequent command execution via DDE. |
| SuspiciousDLLList | Maintain allow/block list of DLLs that Office is expected to load. |
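
The following added example (not part of the original detection strategy) sketches how the AN1393 correlation could be run over parsed Sysmon EventCode 1 and 7 records, using the three mutable elements as tunables. The interpreter set, the five-minute window, the DLL name and the sample events are constructed assumptions, and the registry events from the Security log are left out.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe"}              # Office images named in AN1393
INTERPRETERS = {"cmd.exe", "powershell.exe"}       # assumed set of command interpreters
ALLOWED_PARENT_CHILD_PAIRS = set()                 # tune per environment (AllowedParentChildPairs)
TIME_WINDOW = timedelta(minutes=5)                 # assumed value for TimeWindow
SUSPICIOUS_DLL_LIST = {"unexpected_example.dll"}   # constructed placeholder, not a real IoC

def _name(path):
    return basename(path).lower()

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def detect(events):
    """Return (reason, office_image, artifact) tuples from Sysmon event dicts."""
    office_start, alerts = {}, []   # office_start: ProcessGuid -> Office creation time
    for ev in sorted(events, key=_ts):
        if ev["EventCode"] == 1:    # process creation
            child, parent = _name(ev["Image"]), _name(ev["ParentImage"])
            if child in OFFICE:
                office_start[ev["ProcessGuid"]] = _ts(ev)
            started = office_start.get(ev["ParentProcessGuid"])
            if (parent in OFFICE and child in INTERPRETERS
                    and (parent, child) not in ALLOWED_PARENT_CHILD_PAIRS
                    and started is not None and _ts(ev) - started <= TIME_WINDOW):
                alerts.append(("office_spawned_interpreter", parent, child))
        elif ev["EventCode"] == 7:  # module load
            proc, dll = _name(ev["Image"]), _name(ev["ImageLoaded"])
            if proc in OFFICE and dll in SUSPICIOUS_DLL_LIST:
                alerts.append(("office_loaded_listed_dll", proc, dll))
    return alerts

# Constructed sample events (not real telemetry); GUIDs are shortened placeholders.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE = [
    {"EventCode": 1, "UtcTime": "2025-10-21 09:00:00.000", "ProcessGuid": "{A}",
     "ParentProcessGuid": "{0}", "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:00:20.000", "ProcessGuid": "{B}",
     "ParentProcessGuid": "{A}", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WORD},
    {"EventCode": 7, "UtcTime": "2025-10-21 09:00:21.000", "ProcessGuid": "{A}",
     "Image": WORD, "ImageLoaded": r"C:\Users\Public\unexpected_example.dll"},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:30:00.000", "ProcessGuid": "{C}",
     "ParentProcessGuid": "{A}", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WORD},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The last sample event falls outside the window and is not reported, which shows how the TimeWindow setting trades coverage of long-lived Office sessions against false positives.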