From 972e6a469e70f7074116c46464cf6ccca99d6866 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Tue, 9 Jan 2018 13:41:19 +0700 Subject: [PATCH] Add TLDR version of detecting-dde.md --- files/dfir/detecting-dde.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 files/dfir/detecting-dde.md diff --git a/files/dfir/detecting-dde.md b/files/dfir/detecting-dde.md new file mode 100644 index 0000000..5d870ab --- /dev/null +++ b/files/dfir/detecting-dde.md @@ -0,0 +1,9 @@ +# Detecting DDE + +Can be done by looking for Windows Event Logs on Microsoft Office category in event 300 which should be contain alerts display that an Office application launched something. By the way, if there is no pop-up displayed during the attack, there will be no alert in logs. In this case, incident responder can catach this attack by looking for new process event which must be configure by the following command. When process auditing turned on, suspicious event can be seen in Microsoft Windows Security auditing, event 4688. + +``` +reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /f /t REG_SZ /v ProcessCreationIncludeCmdLine_Enabled=1 + +auditpol /set /Category:"Detailed Tracking" /subcategory:"Process Creation" /success:enable /failure:enable +```
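Review bot: The `reg add` line in the new detecting-dde.md does not enable command-line capture as written. The value name is passed as `/v ProcessCreationIncludeCmdLine_Enabled=1` with `/t REG_SZ` and no `/d`, so with `/f` this silently creates an empty string value literally named `ProcessCreationIncludeCmdLine_Enabled=1`, which the process-creation audit code ignores; event 4688 would then appear without the command line, which is the whole point of this step. The setting is a REG_DWORD named `ProcessCreationIncludeCmdLine_Enabled` with data 1, so the line should read:
`reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f`
A note that this change takes effect for processes created after the policy is applied (a logoff or `gpupdate /force` is not required for the registry path, but a reader will otherwise wonder why existing entries lack the field) would also help. Smaller points in the same hunk: the prose has typos ("should be contain", "catach", "must be configure by"), the sentence "looking for Windows Event Logs on Microsoft Office category in event 300" would be clearer if it named the log to open (the Microsoft Office Alerts log, OAlerts), and the fence is untagged; tagging it as a batch/cmd block makes the rendered page clearer since both commands are meant to be run from an elevated command prompt.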