
Summary
This detection rule targets the Dynamic Data Exchange (DDE) protocol settings in Microsoft Word and Excel. It checks the Windows registry for the entries that control whether DDE is enabled or disabled. For Microsoft Word, it monitors the registry path `\Word\Security\AllowDDE` and matches the values `DWORD (0x00000001)` for enabling or `DWORD (0x00000002)` for disabling. For Excel, it checks the DDE-disabling entries `\Excel\Security\DisableDDEServerLaunch` and `\Excel\Security\DisableDDEServerLookup` for the value `DWORD (0x00000000)`. The rule fires if DDE is detected to be enabled in Word or improperly configured in Excel, since either state could lead to vulnerabilities that can be exploited for malicious purposes. These settings show whether DDE is managed safely, which is vital for defending against potential remote code execution attacks.
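The matching logic described in the summary, as an added Python example that is not the rule's own source: it evaluates the path-suffix and value conditions over constructed registry-set events. The `TargetObject` and `Details` field names, the selection names, and the sample hive prefix are assumptions, not taken from this page.

```python
# Added example: the registry conditions from the summary, run over constructed events.
# Assumption: events carry the key path in "TargetObject" and the value in "Details".
SELECTIONS = {
    "word_allow_dde": (
        (r"\Word\Security\AllowDDE",),
        ("DWORD (0x00000001)", "DWORD (0x00000002)"),
    ),
    "excel_dde_server": (
        (r"\Excel\Security\DisableDDEServerLaunch",
         r"\Excel\Security\DisableDDEServerLookup"),
        ("DWORD (0x00000000)",),
    ),
}


def match_dde_event(event):
    """Return the name of the matching selection, or None."""
    # Registry paths are case-insensitive, so compare in lower case.
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).strip().lower()
    for name, (suffixes, values) in SELECTIONS.items():
        path_hit = any(target.endswith(s.lower()) for s in suffixes)
        if path_hit and details in {v.lower() for v in values}:
            return name
    return None


def triage(events):
    """Return (TargetObject, selection) for every event that matches."""
    return [(e["TargetObject"], s) for e in events if (s := match_dde_event(e))]


# Constructed sample events; the hive prefix and Office version are illustrative.
BASE = r"HKU\S-1-5-21-EXAMPLE\SOFTWARE\Microsoft\Office\16.0"
SAMPLE_EVENTS = [
    {"TargetObject": BASE + r"\Word\Security\AllowDDE", "Details": "DWORD (0x00000001)"},
    {"TargetObject": BASE + r"\Word\Security\AllowDDE", "Details": "DWORD (0x00000000)"},
    {"TargetObject": BASE.lower() + r"\word\security\allowdde", "Details": "DWORD (0x00000002)"},
    {"TargetObject": BASE + r"\Excel\Security\DisableDDEServerLaunch", "Details": "DWORD (0x00000000)"},
    {"TargetObject": BASE + r"\Excel\Security\DisableDDEServerLookup", "Details": "DWORD (0x00000001)"},
    {"TargetObject": BASE + r"\Word\Security\AllowDDE_Backup", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for target, selection in triage(SAMPLE_EVENTS):
        print(f"ALERT {selection}: {target}")
```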
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
Created: 2022-02-26