Detect Dynamic Data Exchange in Sumo Logic CSE
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands without relying on VBA macros. DDE is a legacy client-server IPC protocol supported in Microsoft Office applications that allows documents to request command execution from a server process. Attackers poison Word documents, Excel spreadsheets, Outlook emails, and CSV files with DDE fields (e.g., DDEAUTO cmd) that execute shell commands when the document is opened and field updates are accepted. DDE is also delivered via OLE-embedded Equation Editor objects (EQNEDT32.EXE) exploiting CVE-2017-11882. Threat actors including APT28, FIN7, MuddyWater, Cobalt Group, Gallmaker, APT37, Leviathan, and BITTER have leveraged DDE in targeted spearphishing campaigns to achieve initial code execution.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1559 Inter-Process Communication
- Sub-technique: T1559.002 Dynamic Data Exchange
- Canonical reference: https://attack.mitre.org/techniques/T1559/002/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventID" = "1" OR EventID = 1)
| parse field=%"ParentImage" "*" as parent_image nodrop
| parse field=%"Image" "*" as child_image nodrop
| toLowerCase(parent_image) as parent_lower
| toLowerCase(child_image) as child_lower
| toLowerCase(%"CommandLine") as cmd_lower
| if(parent_lower matches "*winword.exe*" OR parent_lower matches "*excel.exe*" OR parent_lower matches "*outlook.exe*" OR parent_lower matches "*onenote.exe*" OR parent_lower matches "*powerpnt.exe*" OR parent_lower matches "*msaccess.exe*" OR parent_lower matches "*mspub.exe*", 1, 0) as IsOfficeParent
| if(parent_lower matches "*eqnedt32.exe*", 1, 0) as IsEquationEditor
| if(child_lower matches "*\\cmd.exe" OR child_lower matches "*\\powershell.exe" OR child_lower matches "*\\pwsh.exe" OR child_lower matches "*\\wscript.exe" OR child_lower matches "*\\cscript.exe" OR child_lower matches "*\\mshta.exe" OR child_lower matches "*\\rundll32.exe" OR child_lower matches "*\\regsvr32.exe" OR child_lower matches "*\\certutil.exe" OR child_lower matches "*\\bitsadmin.exe" OR child_lower matches "*\\msiexec.exe" OR child_lower matches "*\\wmic.exe" OR child_lower matches "*\\schtasks.exe" OR child_lower matches "*\\net.exe" OR child_lower matches "*\\net1.exe" OR child_lower matches "*\\forfiles.exe", 1, 0) as IsSuspiciousChild
| if(cmd_lower matches "*http*" OR cmd_lower matches "*-enc*" OR cmd_lower matches "*encodedcommand*" OR cmd_lower matches "*downloadstring*" OR cmd_lower matches "*webclient*" OR cmd_lower matches "*iex(*" OR cmd_lower matches "*invoke-expression*" OR cmd_lower matches "*frombase64*" OR cmd_lower matches "*-bypass*" OR cmd_lower matches "*-hidden*", 1, 0) as SuspiciousArgs
| where (IsOfficeParent = 1 AND IsSuspiciousChild = 1) OR IsEquationEditor = 1
| if(IsEquationEditor = 1, "EquationEditor_CVE-2017-11882", if(IsOfficeParent = 1 AND IsSuspiciousChild = 1, "OfficeDDE_Spawn", "Unknown")) as DDEType
| fields _messageTime, %"Computer", %"User", child_image, %"CommandLine", parent_image, %"ParentCommandLine", DDEType, SuspiciousArgs
| sort by _messageTime desc

Sumo Logic detection for T1559.002 DDE execution. It parses Sysmon Event ID 1 (Process Create) records, flags suspicious child processes spawned by Office applications or by EQNEDT32.EXE, classifies each hit by DDE vector (DDEType), and marks command lines carrying download, encoding or policy-bypass arguments (SuspiciousArgs) that indicate follow-on activity after the initial execution.
Data Sources
Required Tables
False Positives & Tuning
- Document management systems that legitimately invoke shell commands from within Office process contexts for printing, conversion, or archival automation
- Developer workstations running Office Add-in frameworks or VSTO solutions that spawn PowerShell for build/test automation tasks linked to Office applications
- Organizations using Equation Editor in research or academic environments with Office 2007/2010 still deployed, where EQNEDT32.EXE launches child processes for rendering exports
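The following added example (not Sumo Logic's code and not the page's query) models the same detection logic in Python over a handful of constructed Sysmon Event ID 1 records, so the classification and the SuspiciousArgs flag can be checked outside the SIEM. It also shows one way to apply the tuning above: a hypothetical allowlist of sanctioned automation (the DMS print job, its path, host names and user names are all invented) that is still evaluated but suppressed from the final hit list. Matching is done on the image basename rather than the query's `*winword.exe*` wildcard, which is slightly stricter.

```python
"""Python model of the Sumo query above, run over constructed Sysmon Event ID 1 records.

Added example; not Sumo Logic's code and not the page's query. Records, host names,
paths and the tuning allowlist are constructed for illustration.
"""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "onenote.exe",
                  "powerpnt.exe", "msaccess.exe", "mspub.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
    "wmic.exe", "schtasks.exe", "net.exe", "net1.exe", "forfiles.exe",
}
SUSPICIOUS_ARG_TOKENS = ("http", "-enc", "encodedcommand", "downloadstring", "webclient",
                         "iex(", "invoke-expression", "frombase64", "-bypass", "-hidden")

# Hypothetical tuning allowlist for the "document management automation" false positive:
# (parent basename, substring that must appear in the child's command line).
ALLOWLIST = (
    ("winword.exe", r"c:\dms\print_batch.ps1"),
)


def basename_lower(path):
    """Normalise a Windows image path to its lowercase file name ('' if absent)."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return a detection record for a Sysmon Event ID 1 record, or None if it does not match.

    Mirrors the query: an Office parent spawning a suspicious child, or any child
    of EQNEDT32.EXE, classified as DDEType and flagged for suspicious arguments.
    """
    if str(event.get("EventID")) != "1":
        return None
    parent = basename_lower(event.get("ParentImage"))
    child = basename_lower(event.get("Image"))
    is_office_parent = parent in OFFICE_PARENTS
    is_equation_editor = parent == EQUATION_EDITOR
    is_suspicious_child = child in SUSPICIOUS_CHILDREN

    if is_equation_editor:
        dde_type = "EquationEditor_CVE-2017-11882"
    elif is_office_parent and is_suspicious_child:
        dde_type = "OfficeDDE_Spawn"
    else:
        return None

    cmd_lower = (event.get("CommandLine") or "").lower()
    return {
        "Computer": event.get("Computer"),
        "User": event.get("User"),
        "ParentImage": parent,
        "Image": child,
        "CommandLine": event.get("CommandLine"),
        "DDEType": dde_type,
        # Download / encoded / policy-bypass arguments that indicate follow-on activity.
        "SuspiciousArgs": any(token in cmd_lower for token in SUSPICIOUS_ARG_TOKENS),
        # Tuning: sanctioned automation is still classified but suppressed by run_detection().
        "Allowlisted": any(parent == p and sig in cmd_lower for p, sig in ALLOWLIST),
    }


def run_detection(events):
    """Apply classify() to every record and drop allowlisted hits, like a tuned rule."""
    hits = (classify(e) for e in events)
    return [h for h in hits if h is not None and not h["Allowlisted"]]


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SYSTEM32 = r"C:\Windows\System32"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed Sysmon records (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-LAB-01", "User": r"LAB\alice",
     "ParentImage": OFFICE16 + r"\EXCEL.EXE", "Image": SYSTEM32 + r"\cmd.exe",
     "CommandLine": r"/c whoami > " + TEMP + r"\dde_csv_out.txt"},
    {"EventID": 1, "Computer": "WS-LAB-01", "User": r"LAB\alice",
     "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "Image": SYSTEM32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"EventID": 1, "Computer": "WS-LAB-02", "User": r"LAB\bob",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": SYSTEM32 + r"\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # Benign: cmd.exe from Explorer, not an Office parent.
    {"EventID": 1, "Computer": "WS-LAB-02", "User": r"LAB\bob",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": SYSTEM32 + r"\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    # Matches the rule but is the sanctioned (hypothetical) DMS print job from the allowlist.
    {"EventID": 1, "Computer": "WS-DMS-01", "User": r"LAB\svc_dms",
     "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "Image": SYSTEM32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\DMS\print_batch.ps1"},
    # Not a process-create event; ignored by the rule.
    {"EventID": 11, "Computer": "WS-LAB-01", "Image": SYSTEM32 + r"\cmd.exe",
     "TargetFilename": TEMP + r"\dde_csv_out.txt"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f'{hit["Computer"]:<10} {hit["DDEType"]:<30} {hit["ParentImage"]} -> {hit["Image"]}'
              f' suspicious_args={hit["SuspiciousArgs"]}')
```

Running the script reports three hits (the Excel and Word spawns and the Equation Editor child) and suppresses the allowlisted Word job; keeping the `Allowlisted` field on the record rather than dropping the event early lets you audit how often the exception fires.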
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CSV DDE Injection via Excel
Expected signal: Sysmon Event ID 1: Process Create for excel.exe with the CSV path as argument. If the DDE prompt is accepted: Sysmon Event ID 1 for cmd.exe with ParentImage=excel.exe and CommandLine='/c whoami > %TEMP%\dde_csv_out.txt'. Sysmon Event ID 11: File Create for dde_csv_out.txt in %TEMP%. Security Event ID 4688 (if command line auditing enabled) for the cmd.exe spawn.
- Test 2: Word DDEAUTO Field Execution via RTF
Expected signal: Sysmon Event ID 1: Process Create for winword.exe with the RTF file as argument. If DDE executes: Sysmon Event ID 1 for cmd.exe with ParentImage=winword.exe, CommandLine='/c whoami > %TEMP%\dde_word_out.txt'. Sysmon Event ID 11: File Create for dde_word_out.txt. Office telemetry logs the DDEAUTO field activation attempt. Security Event ID 4688 for the spawned cmd.exe.
- Test 3: DDE via Outlook Email with Embedded OLE Object
Expected signal: Sysmon Event ID 1: Process Create for outlook.exe with the .msg file path as argument. Outlook COM instantiation visible in Sysmon Event ID 1 for the PowerShell parent spawning outlook.exe. If OLE DDE executes: Sysmon Event ID 1 for cmd.exe with ParentImage=outlook.exe. Security Event ID 4688 for the spawned process.
- Test 4: Equation Editor (EQNEDT32.EXE) Presence and Execution Check
Expected signal: If EQNEDT32.EXE is found and executed: Sysmon Event ID 1 for EQNEDT32.EXE with Image=<office_path>\EQNEDT32.EXE. Prefetch file created at C:\Windows\Prefetch\EQNEDT32.EXE-*.pf. Security Event ID 4688 for EQNEDT32.EXE execution. In a real exploitation scenario: Sysmon Event ID 1 for a child process (cmd.exe, powershell.exe) with ParentImage=EQNEDT32.EXE would additionally fire.
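To confirm that a lab run actually produced the telemetry each test expects, the following added example (not Atomic Red Team's code and not the page's) encodes every "Expected signal" above as a matcher and reports, per test, which signals are absent from a batch of events. The event records, the Office and Equation Editor install paths, the lab user and the svchost.exe parent of EQNEDT32.EXE are constructed assumptions; field names follow the Sysmon and Security 4688 schemas. The Prefetch file from Test 4 lives on disk rather than in a log, so it is not modelled.

```python
"""Check constructed endpoint telemetry against the expected signals of the four tests above.

Added example, not Atomic Red Team's or the page's code. Events, paths and the
expectation encodings are constructed; field names follow Sysmon (Image,
ParentImage, CommandLine, TargetFilename) and Security 4688 (NewProcessName,
ParentProcessName). Test 4's Prefetch artifact is a file on disk, not an event.
"""
import ntpath

# How an expectation value is compared with an event field.
OPS = {
    "basename": lambda value, want: ntpath.basename(value).lower() == want.lower(),
    "contains": lambda value, want: want.lower() in value.lower(),
    "endswith": lambda value, want: value.lower().endswith(want.lower()),
}


def proc(image, cmd_fragment=None):
    """Sysmon Event ID 1 for `image`, optionally with a command-line fragment (the file opened)."""
    cond = {"Image": ("basename", image)}
    if cmd_fragment:
        cond["CommandLine"] = ("contains", cmd_fragment)
    return (1, cond)


def spawn(parent, child, cmd_fragment=None):
    """Sysmon Event ID 1 for `child` launched by `parent`."""
    cond = {"ParentImage": ("basename", parent), "Image": ("basename", child)}
    if cmd_fragment:
        cond["CommandLine"] = ("contains", cmd_fragment)
    return (1, cond)


def file_create(name):
    """Sysmon Event ID 11 for a file whose path ends with `name`."""
    return (11, {"TargetFilename": ("endswith", name)})


def sec4688(child, parent=None):
    """Security Event ID 4688 for `child`, optionally constrained to a parent."""
    cond = {"NewProcessName": ("basename", child)}
    if parent:
        cond["ParentProcessName"] = ("basename", parent)
    return (4688, cond)


# One list of expected signals per test, transcribed from the text above.
EXPECTED = {
    "Test 1 CSV DDE Injection via Excel": [
        proc("excel.exe", ".csv"), spawn("excel.exe", "cmd.exe", "dde_csv_out.txt"),
        file_create("dde_csv_out.txt"), sec4688("cmd.exe", "excel.exe")],
    "Test 2 Word DDEAUTO Field Execution via RTF": [
        proc("winword.exe", ".rtf"), spawn("winword.exe", "cmd.exe", "dde_word_out.txt"),
        file_create("dde_word_out.txt"), sec4688("cmd.exe", "winword.exe")],
    "Test 3 DDE via Outlook Email with Embedded OLE Object": [
        proc("outlook.exe", ".msg"), spawn("powershell.exe", "outlook.exe"),
        spawn("outlook.exe", "cmd.exe"), sec4688("cmd.exe", "outlook.exe")],
    "Test 4 Equation Editor Presence and Execution Check": [
        proc("eqnedt32.exe"), sec4688("eqnedt32.exe")],
}


def matches(event, expectation):
    """True if the event has the expected ID and every field condition holds."""
    event_id, conditions = expectation
    if str(event.get("EventID")) != str(event_id):
        return False
    return all(field in event and OPS[op](event[field], want)
               for field, (op, want) in conditions.items())


def describe(expectation):
    event_id, conditions = expectation
    return f"EventID {event_id}: " + ", ".join(f"{f} {op} {w}" for f, (op, w) in conditions.items())


def validate(events):
    """Map each test to the expected signals that no event in `events` satisfies."""
    return {test: [describe(exp) for exp in exps if not any(matches(ev, exp) for ev in events)]
            for test, exps in EXPECTED.items()}


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
CMD = r"C:\Windows\System32\cmd.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
TEMP = r"C:\Users\lab\AppData\Local\Temp"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed telemetry: Test 1 complete, Test 2 missing its file-create and 4688 events,
# Test 3 not run at all, Test 4 complete.
EVENTS = [
    {"EventID": 1, "Image": OFFICE + r"\EXCEL.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" C:\Users\lab\dde_test.csv'},
    {"EventID": 1, "Image": CMD, "ParentImage": OFFICE + r"\EXCEL.EXE",
     "CommandLine": r"/c whoami > " + TEMP + r"\dde_csv_out.txt"},
    {"EventID": 11, "Image": CMD, "TargetFilename": TEMP + r"\dde_csv_out.txt"},
    {"EventID": 4688, "NewProcessName": CMD, "ParentProcessName": OFFICE + r"\EXCEL.EXE"},
    {"EventID": 1, "Image": OFFICE + r"\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\lab\dde_test.rtf'},
    {"EventID": 1, "Image": CMD, "ParentImage": OFFICE + r"\WINWORD.EXE",
     "CommandLine": r"/c whoami > " + TEMP + r"\dde_word_out.txt"},
    {"EventID": 1, "Image": EQN, "ParentImage": SVCHOST, "CommandLine": '"' + EQN + '"'},
    {"EventID": 4688, "NewProcessName": EQN, "ParentProcessName": SVCHOST},
]

if __name__ == "__main__":
    for test, missing in validate(EVENTS).items():
        print(f"{test}: {'OK' if not missing else 'MISSING -> ' + '; '.join(missing)}")
```

A missing Event ID 11 with the spawn present usually means the DDE prompt was declined or the output path differs; a missing 4688 with Sysmon events present points at command-line auditing not being enabled on the host.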
References (12)
- https://attack.mitre.org/techniques/T1559/002/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/
- https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/
- https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
- https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee
- https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021
- https://technet.microsoft.com/library/security/4053440
- https://owasp.org/www-community/attacks/CSV_Injection
- https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/
- https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table