Awesome-Mirrors/my-infosec-awesome
1
0
Fork 0
mirror of https://github.com/pe3zx/my-infosec-awesome.git synced 2024-07-02 00:21:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add TLDR version of detecting-dde.md

Browse Source
This commit is contained in:
pe3zx 2018-01-09 13:41:19 +07:00
parent 7112b9268b
commit 972e6a469e
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
files/dfir/detecting-dde.md Normal file
View File

@ -0,0 +1,9 @@
# Detecting DDE
Can be done by looking for Windows Event Logs on Microsoft Office category in event 300 which should be contain alerts display that an Office application launched something. By the way, if there is no pop-up displayed during the attack, there will be no alert in logs. In this case, incident responder can catach this attack by looking for new process event which must be configure by the following command. When process auditing turned on, suspicious event can be seen in Microsoft Windows Security auditing, event 4688.
```
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /f /t REG_SZ /v ProcessCreationIncludeCmdLine_Enabled=1
auditpol /set /Category:"Detailed Tracking" /subcategory:"Process Creation" /success:enable /failure:enable
```