T1559.002 Dynamic Data Exchange Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let OfficeProcesses = dynamic(["winword.exe", "excel.exe", "outlook.exe", "onenote.exe", "powerpnt.exe", "msaccess.exe", "mspub.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe", "schtasks.exe", "net.exe", "net1.exe", "curl.exe", "wget.exe", "forfiles.exe", "pcalua.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (InitiatingProcessFileName has_any (OfficeProcesses) and FileName has_any (SuspiciousChildren))
    or InitiatingProcessFileName =~ "EQNEDT32.EXE"
| extend IsDDE_EquationEditor = (InitiatingProcessFileName =~ "EQNEDT32.EXE")
| extend IsOfficeSpawn = (InitiatingProcessFileName has_any (OfficeProcesses) and FileName has_any (SuspiciousChildren))
| extend SuspiciousArgs = ProcessCommandLine has_any ("http", "https", "-enc", "-EncodedCommand", "DownloadString", "WebClient", "iex(", "invoke-expression", "base64", "-bypass", "-hidden", "frombase64", "Start-BitsTransfer")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
         IsDDE_EquationEditor, IsOfficeSpawn, SuspiciousArgs
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate Office COM automation or VSTO add-ins that programmatically spawn cmd.exe or PowerShell for document post-processing (distinguish by correlating InitiatingProcessCommandLine with known automation tool paths)
Corporate IT tools using legacy DDE-based data integration with Excel, common in ERP environments where financial data is pushed via DDE links from mainframe or middleware systems
Developer workstations running Office interop test harnesses that invoke shell processes as part of automated document generation or conversion pipelines
Document management systems (e.g., OpenText, SharePoint integration tools) that open Office documents server-side and spawn helper processes for format conversion or indexing

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval parent_lower=lower(ParentImage)
| eval child_lower=lower(Image)
| eval IsOfficeParent=if(match(parent_lower, "(winword\.exe|excel\.exe|outlook\.exe|onenote\.exe|powerpnt\.exe|msaccess\.exe|mspub\.exe)"), 1, 0)
| eval IsSuspiciousChild=if(match(child_lower, "(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\rundll32\.exe|\\\\regsvr32\.exe|\\\\certutil\.exe|\\\\bitsadmin\.exe|\\\\msiexec\.exe|\\\\wmic\.exe|\\\\schtasks\.exe|\\\\net\.exe|\\\\net1\.exe|\\\\forfiles\.exe)"), 1, 0)
| eval IsEquationEditor=if(match(parent_lower, "eqnedt32\.exe"), 1, 0)
| eval SuspiciousArgs=if(match(lower(CommandLine), "(http|https|-enc|-encodedcommand|downloadstring|webclient|iex\(|invoke-expression|frombase64|-bypass|-hidden|start-bitstransfer)"), 1, 0)
| where (IsOfficeParent=1 AND IsSuspiciousChild=1) OR IsEquationEditor=1
| eval DDEType=case(IsEquationEditor=1, "EquationEditor_CVE-2017-11882", IsOfficeParent=1 AND IsSuspiciousChild=1, "OfficeDDE_Spawn", true(), "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DDEType, SuspiciousArgs
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Office COM automation or VSTO add-ins that spawn cmd.exe or PowerShell for document post-processing
Corporate legacy ERP integrations using DDE data links with Excel to push data from mainframe or middleware
Developer workstations running Office interop test harnesses that spawn helper processes for document conversion
Document management systems that open Office documents server-side and spawn child processes for indexing or conversion

Elastic Security (EQL)

eql

sequence by host.id with maxspan=30s
  [process where event.type == "start" and
   process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "onenote.exe", "powerpnt.exe", "msaccess.exe", "mspub.exe", "EQNEDT32.EXE") and
   process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe", "schtasks.exe", "net.exe", "net1.exe", "curl.exe", "wget.exe", "forfiles.exe", "pcalua.exe")]
| where process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "onenote.exe", "powerpnt.exe", "msaccess.exe", "mspub.exe", "EQNEDT32.EXE")

also:
process where event.type == "start" and
  process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "onenote.exe", "powerpnt.exe", "msaccess.exe", "mspub.exe") and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe", "schtasks.exe", "net.exe", "net1.exe", "curl.exe", "wget.exe", "forfiles.exe", "pcalua.exe")
or
process where event.type == "start" and
  process.parent.name : "EQNEDT32.EXE"

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate macro-free Office automation tools that spawn cmd.exe or PowerShell for administrative tasks in managed enterprise environments
IT helpdesk tools that open Office documents and launch scripts for document processing pipelines
EQNEDT32.EXE spawning child processes in environments still running legacy Office 2007/2010 with Equation Editor enabled for legitimate scientific document workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "sourceip",
  UPPER("Process Name") AS child_process,
  "Command" AS command_line,
  UPPER("Parent Process Name") AS parent_process,
  CASE
    WHEN UPPER("Parent Process Name") LIKE '%EQNEDT32.EXE%' THEN 'EquationEditor_CVE-2017-11882'
    WHEN (
      UPPER("Parent Process Name") LIKE '%WINWORD.EXE%' OR
      UPPER("Parent Process Name") LIKE '%EXCEL.EXE%' OR
      UPPER("Parent Process Name") LIKE '%OUTLOOK.EXE%' OR
      UPPER("Parent Process Name") LIKE '%ONENOTE.EXE%' OR
      UPPER("Parent Process Name") LIKE '%POWERPNT.EXE%' OR
      UPPER("Parent Process Name") LIKE '%MSACCESS.EXE%' OR
      UPPER("Parent Process Name") LIKE '%MSPUB.EXE%'
    ) THEN 'OfficeDDE_Spawn'
    ELSE 'Unknown'
  END AS dde_type,
  CASE
    WHEN LOWER("Command") LIKE '%http%' OR
         LOWER("Command") LIKE '%-enc%' OR
         LOWER("Command") LIKE '%encodedcommand%' OR
         LOWER("Command") LIKE '%downloadstring%' OR
         LOWER("Command") LIKE '%webclient%' OR
         LOWER("Command") LIKE '%iex(%' OR
         LOWER("Command") LIKE '%invoke-expression%' OR
         LOWER("Command") LIKE '%frombase64%' OR
         LOWER("Command") LIKE '%-bypass%' OR
         LOWER("Command") LIKE '%-hidden%'
    THEN TRUE ELSE FALSE
  END AS suspicious_args
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 119)
  AND (
    (
      (
        UPPER("Parent Process Name") LIKE '%WINWORD.EXE%' OR
        UPPER("Parent Process Name") LIKE '%EXCEL.EXE%' OR
        UPPER("Parent Process Name") LIKE '%OUTLOOK.EXE%' OR
        UPPER("Parent Process Name") LIKE '%ONENOTE.EXE%' OR
        UPPER("Parent Process Name") LIKE '%POWERPNT.EXE%' OR
        UPPER("Parent Process Name") LIKE '%MSACCESS.EXE%' OR
        UPPER("Parent Process Name") LIKE '%MSPUB.EXE%'
      ) AND (
        UPPER("Process Name") LIKE '%\\CMD.EXE' OR
        UPPER("Process Name") LIKE '%\\POWERSHELL.EXE' OR
        UPPER("Process Name") LIKE '%\\PWSH.EXE' OR
        UPPER("Process Name") LIKE '%\\WSCRIPT.EXE' OR
        UPPER("Process Name") LIKE '%\\CSCRIPT.EXE' OR
        UPPER("Process Name") LIKE '%\\MSHTA.EXE' OR
        UPPER("Process Name") LIKE '%\\RUNDLL32.EXE' OR
        UPPER("Process Name") LIKE '%\\REGSVR32.EXE' OR
        UPPER("Process Name") LIKE '%\\CERTUTIL.EXE' OR
        UPPER("Process Name") LIKE '%\\BITSADMIN.EXE' OR
        UPPER("Process Name") LIKE '%\\MSIEXEC.EXE' OR
        UPPER("Process Name") LIKE '%\\WMIC.EXE' OR
        UPPER("Process Name") LIKE '%\\SCHTASKS.EXE' OR
        UPPER("Process Name") LIKE '%\\NET.EXE' OR
        UPPER("Process Name") LIKE '%\\NET1.EXE' OR
        UPPER("Process Name") LIKE '%\\FORFILES.EXE'
      )
    )
    OR UPPER("Parent Process Name") LIKE '%EQNEDT32.EXE%'
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LAST 1000

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Events via QRadar DSM Sysmon via QRadar Universal DSM

Required Tables

events

False Positives

Automated document processing systems in finance or legal sectors that use Office COM automation to spawn shell commands as part of legitimate batch workflows
Legacy IT management tools that use Office documents as a wrapper to trigger administrative scripts via scheduled tasks
Security awareness training simulations that use EQNEDT32.EXE in sandboxed environments to demonstrate vulnerability

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventID" = "1" OR EventID = 1)
| parse field=%"ParentImage" "*" as parent_image nodrop
| parse field=%"Image" "*" as child_image nodrop
| eval parent_lower = toLowerCase(parent_image)
| eval child_lower = toLowerCase(child_image)
| eval IsOfficeParent = if(parent_lower matches "*winword.exe*" OR parent_lower matches "*excel.exe*" OR parent_lower matches "*outlook.exe*" OR parent_lower matches "*onenote.exe*" OR parent_lower matches "*powerpnt.exe*" OR parent_lower matches "*msaccess.exe*" OR parent_lower matches "*mspub.exe*", 1, 0)
| eval IsEquationEditor = if(parent_lower matches "*eqnedt32.exe*", 1, 0)
| eval IsSuspiciousChild = if(child_lower matches "*\\cmd.exe" OR child_lower matches "*\\powershell.exe" OR child_lower matches "*\\pwsh.exe" OR child_lower matches "*\\wscript.exe" OR child_lower matches "*\\cscript.exe" OR child_lower matches "*\\mshta.exe" OR child_lower matches "*\\rundll32.exe" OR child_lower matches "*\\regsvr32.exe" OR child_lower matches "*\\certutil.exe" OR child_lower matches "*\\bitsadmin.exe" OR child_lower matches "*\\msiexec.exe" OR child_lower matches "*\\wmic.exe" OR child_lower matches "*\\schtasks.exe" OR child_lower matches "*\\net.exe" OR child_lower matches "*\\net1.exe" OR child_lower matches "*\\forfiles.exe", 1, 0)
| eval SuspiciousArgs = if(toLowerCase(%"CommandLine") matches "*http*" OR toLowerCase(%"CommandLine") matches "*-enc*" OR toLowerCase(%"CommandLine") matches "*encodedcommand*" OR toLowerCase(%"CommandLine") matches "*downloadstring*" OR toLowerCase(%"CommandLine") matches "*webclient*" OR toLowerCase(%"CommandLine") matches "*iex(*" OR toLowerCase(%"CommandLine") matches "*invoke-expression*" OR toLowerCase(%"CommandLine") matches "*frombase64*" OR toLowerCase(%"CommandLine") matches "*-bypass*" OR toLowerCase(%"CommandLine") matches "*-hidden*", 1, 0)
| where (IsOfficeParent = 1 AND IsSuspiciousChild = 1) OR IsEquationEditor = 1
| eval DDEType = if(IsEquationEditor = 1, "EquationEditor_CVE-2017-11882", if(IsOfficeParent = 1 AND IsSuspiciousChild = 1, "OfficeDDE_Spawn", "Unknown"))
| fields _messageTime, %"Computer", %"User", child_image, %"CommandLine", parent_image, %"ParentCommandLine", DDEType, SuspiciousArgs
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Sysmon Source Windows Event Log Source Sumo Logic Cloud SIEM (CSE)

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Document management systems that legitimately invoke shell commands from within Office process contexts for printing, conversion, or archival automation
Developer workstations running Office Add-in frameworks or VSTO solutions that spawn PowerShell for build/test automation tasks linked to Office applications
Organizations using Equation Editor in research or academic environments with Office 2007/2010 still deployed, where EQNEDT32.EXE launches child processes for rendering exports

Google Chronicle / SecOps

yaral

rule dde_office_suspicious_child_spawn {
  meta:
    author = "Detection Engineering"
    description = "Detects DDE abuse via suspicious child process spawning from Microsoft Office applications or EQNEDT32.EXE (CVE-2017-11882)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1559.002"
    reference = "https://attack.mitre.org/techniques/T1559/002/"
    created = "2024-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""

    // Office parent or Equation Editor
    (
      re.regex($e.principal.process.file.full_path, `(?i)(winword\.exe|excel\.exe|outlook\.exe|onenote\.exe|powerpnt\.exe|msaccess\.exe|mspub\.exe|EQNEDT32\.EXE)$`)
    )

    // Suspicious child process
    re.regex($e.target.process.file.full_path, `(?i)(\\cmd\.exe|\\powershell\.exe|\\pwsh\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\rundll32\.exe|\\regsvr32\.exe|\\certutil\.exe|\\bitsadmin\.exe|\\msiexec\.exe|\\wmic\.exe|\\schtasks\.exe|\\net\.exe|\\net1\.exe|\\curl\.exe|\\wget\.exe|\\forfiles\.exe|\\pcalua\.exe)$`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint Telemetry via Chronicle Forwarder CrowdStrike Falcon via Chronicle Integration Carbon Black via Chronicle Integration

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Enterprise RPA (Robotic Process Automation) solutions like UiPath or Blue Prism that drive Office applications and spawn child processes as part of attended/unattended automation flows
Legitimate Office COM automation from server-side document conversion services (e.g., LibreOffice wrappers, Word to PDF pipelines) that inherit Office process parentage
Security testing or red team exercises against endpoints where EQNEDT32.EXE is intentionally invoked to validate EDR detection coverage

CrowdStrike LogScale (CQL)

cql

// DDE Detection: Office or EQNEDT32 spawning suspicious child processes
#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(?i)^(winword|excel|outlook|onenote|powerpnt|msaccess|mspub|EQNEDT32)\.exe$/
| FileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|schtasks|net|net1|curl|wget|forfiles|pcalua)\.exe$/
| eval DDEType = case(
    ParentBaseFileName = /(?i)EQNEDT32\.exe/, "EquationEditor_CVE-2017-11882",
    ParentBaseFileName = /(?i)(winword|excel|outlook|onenote|powerpnt|msaccess|mspub)\.exe/, "OfficeDDE_Spawn",
    true, "Unknown"
  )
| eval SuspiciousArgs = if(
    CommandLine = /(?i)(http|https|-enc|-encodedcommand|downloadstring|webclient|iex\(|invoke-expression|frombase64|-bypass|-hidden|start-bitstransfer)/,
    "true", "false"
  )
| table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DDEType, SuspiciousArgs
| sort timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio) CrowdStrike Endpoint Activity Monitor

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Managed print or document workflows where Office applications spawn cmd.exe or PowerShell to trigger print queue management scripts in enterprise environments with Group Policy-enforced document handling
Software deployment tools (e.g., PDQ Deploy, SCCM) that open Office documents in automated testing pipelines and execute associated shell commands as part of regression testing
Penetration testing or red team engagements in the organization where EQNEDT32.EXE exploitation is part of an authorized attack simulation — should be excluded by host/time window

Dynamic Data Exchange

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections