title: Dynamic Data Exchange (T1559.002)
id: df00tech-t1559-002
status: experimental
description: "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands without relying on VBA macros. DDE is a legacy client-server IPC protocol supported in Microsoft Office applications that allows documents to request command execution from a server process. Attackers poison Word documents, Excel spreadsheets, Outlook emails, and CSV files with DDE fields (e.g., DDEAUTO cmd) that execute shell commands when the document is opened and field updates are accepted. DDE is also delivered via OLE-embedded Equation Editor objects (EQNEDT32.EXE) exploiting CVE-2017-11882. Threat actors including APT28, FIN7, MuddyWater, Cobalt Group, Gallmaker, APT37, Leviathan, and BITTER have leveraged DDE in targeted spearphishing campaigns to achieve initial code execution."
references:
  - https://attack.mitre.org/techniques/T1559/002/
  - https://df00tech.com/detections/T1559.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1559.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # NOTE: the original detection logic could not be auto-translated (see the KQL/SPL query on df00tech).
  # The selection below is derived from the description: an Office DDE server process (or the
  # Equation Editor) spawning cmd.exe or PowerShell. A bare EventID wildcard would match every event.
  selection_parent:
    ParentImage|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\outlook.exe'
      - '\eqnedt32.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate Office COM automation or VSTO add-ins that programmatically spawn cmd.exe or PowerShell for document post-processing (distinguish by correlating InitiatingProcessCommandLine with known automation tool paths)
  - "Corporate IT tools using legacy DDE-based data integration with Excel, common in ERP environments where financial data is pushed via DDE links from mainframe or middleware systems"
  - Developer workstations running Office interop test harnesses that invoke shell processes as part of automated document generation or conversion pipelines
  - "Document management systems (e.g., OpenText, SharePoint integration tools) that open Office documents server-side and spawn helper processes for format conversion or indexing"
level: high
