The hypothesis is that the detection of the Dynamic Data Exchange protocol in document files indicates potential exploitation of legacy vulnerabilities to execute arbitrary code. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could lead to persistent threats within the environment.
YARA Rule
rule Contains_DDE_Protocol
{
    meta:
        author = "Nick Beede"
        description = "Detect Dynamic Data Exchange protocol in doc/docx"
        reference = "https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/"
        date = "2017-10-19"
        filetype = "Office documents"
    strings:
        $doc = {D0 CF 11 E0 A1 B1 1A E1}          // OLE2 compound-file header (binary .doc)
        $s1 = { 13 64 64 65 61 75 74 6F 20 }      // field-begin marker (0x13) + "ddeauto "
        $s2 = { 13 64 64 65 20 }                  // field-begin marker (0x13) + "dde "
        $s3 = "dde" nocase
        $s4 = "ddeauto" nocase
    condition:
        // $doc anchored at offset 0 restricts matches to OLE2 containers;
        // OOXML .docx files are zip archives and start with "PK", so they never match.
        ($doc at 0) and 2 of ($s1, $s2, $s3, $s4)
}
This rule contains 5 string patterns in its detection logic: one container signature ($doc) and four DDE markers ($s1 to $s4), of which any two must be present.
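Added example, not part of the original hunt or of the rule above: a pure-Python mirror of the rule's condition run over two constructed samples, showing that the $doc anchor limits matches to OLE2 .doc containers while a .docx zip carrying the same DDEAUTO field is never matched. The field-marker bytes (0x13/0x14/0x15) and the w:instrText element come from the Word binary and OOXML formats; the sample file contents and the application/topic names are constructed placeholders.

```python
import io
import re
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # $doc in the rule: compound-file header

def matches_dde_rule(data):
    """Mirror of the YARA condition: $doc at offset 0 and at least 2 of $s1..$s4."""
    if not data.startswith(OLE2_MAGIC):          # a .docx (zip, starts with 'PK') fails here
        return False
    low = data.lower()                           # $s3/$s4 are 'nocase'; $s1/$s2 are not
    hits = (b"\x13ddeauto " in data, b"\x13dde " in data,
            b"dde" in low, b"ddeauto" in low)
    return sum(hits) >= 2

def doc_field_codes(data):
    """Field instructions in a binary .doc text stream: from the field-begin marker
    (0x13) up to the separator (0x14) or field-end (0x15) marker."""
    pat = rb"\x13([^\x13\x14\x15]{1,512})[\x14\x15]"
    return [m.group(1).decode("latin-1").strip() for m in re.finditer(pat, data)]

def docx_field_codes(data):
    """OOXML keeps the same instructions in w:instrText elements of word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("word/document.xml").decode("utf-8")
    return [t.strip() for t in re.findall(r"<w:instrText[^>]*>([^<]*)</w:instrText>", xml)]

# Constructed samples (not real files): the field names a harmless placeholder app/topic.
FIELD = "DDEAUTO legacyapp topic item"
FAKE_DOC = (OLE2_MAGIC + b"\x00" * 504            # rest of a zero-filled header sector
            + b"text \x13" + FIELD.encode() + b"\x14 result \x15 end")

def make_docx(field):
    """Minimal in-memory .docx: a zip whose word/document.xml carries the field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:instrText> %s </w:instrText></w:document>" % field)
    return buf.getvalue()

FAKE_DOCX = make_docx(FIELD)

if __name__ == "__main__":
    print("doc  matches rule:", matches_dde_rule(FAKE_DOC), doc_field_codes(FAKE_DOC))
    print("docx matches rule:", matches_dde_rule(FAKE_DOCX), docx_field_codes(FAKE_DOCX))
```

The uppercase DDEAUTO in the .doc sample is caught only by the two nocase strings ($s3 and $s4), which is enough for "2 of"; the .docx sample holds the same instruction but fails the $doc anchor, so a separate check on word/document.xml is needed for OOXML files.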
The following benign scenarios may trigger the hunt; each lists a filter/exclusion for tuning it. The exclusions are written as the condition an event must satisfy to be kept, so excluding two process names requires "and" (the original "process.name != A or process.name != B" is always true and excludes nothing).
Scenario: A user is using Microsoft Word to open a document that contains embedded DDE commands for legacy compatibility.
Filter/Exclusion: process.name != "WINWORD.EXE" and process.name != "WORD.EXE"
Scenario: A system administrator is running a scheduled task to generate reports using a script that dynamically inserts DDE commands for data aggregation.
Filter/Exclusion: process.name != "SCHTASKS.EXE" or user.name != "Administrator"
Scenario: A third-party application like LibreOffice is used to open a .docx file that includes DDE links for compatibility with older systems.
Filter/Exclusion: process.name != "libreoffice.exe" and process.name != "soffice.bin"
Scenario: A CI/CD pipeline is executing a build job that processes documents and inadvertently includes DDE references during template rendering.
Filter/Exclusion: process.name != "jenkins.exe" and process.name != "dockerd.exe"
Scenario: A network administrator is testing a DDE-based integration between a legacy application and a modern system using a test document.
Filter/Exclusion: (process.name != "explorer.exe" and process.name != "cmd.exe") or user.name != "TestUser"
Note that the first exclusion removes WINWORD.EXE, which is the process that opens a DDE-bearing document in the referenced technique; scope that exclusion to known document sources or users rather than the process name alone, or the hunt loses its primary signal.