Awesome-Mirrors/my-infosec-awesome
1
0
Fork 0
mirror of https://github.com/pe3zx/my-infosec-awesome.git synced 2024-07-03 17:11:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
e04e4320bd
my-infosec-awesome/files/dfir/detecting-dde.md
pe3zx 972e6a469e Add TLDR version of detecting-dde.md
2018-01-09 13:41:19 +07:00

804 B
Raw Blame History

Detecting DDE

Can be done by looking for Windows Event Logs on Microsoft Office category in event 300 which should be contain alerts display that an Office application launched something. By the way, if there is no pop-up displayed during the attack, there will be no alert in logs. In this case, incident responder can catach this attack by looking for new process event which must be configure by the following command. When process auditing turned on, suspicious event can be seen in Microsoft Windows Security auditing, event 4688.

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /f /t REG_SZ /v ProcessCreationIncludeCmdLine_Enabled=1

auditpol /set /Category:"Detailed Tracking" /subcategory:"Process Creation" /success:enable /failure:enable