AN1357: Analytic 1357
Detects anomalous use of COM, DDE, or named pipes for execution. Correlates creation or access of IPC mechanisms (e.g., named pipes, COM objects) with unusual parent-child process relationships or code injection patterns (e.g., Office spawning cmd.exe via DDE).
Analyst context for executives and security teams
This analytic matters because misuse of Windows inter-process communication features such as COM, DDE, and named pipes can make execution look like normal application behavior. For leaders, the practical question is whether the SOC can connect IPC activity to unusual process relationships, such as Office launching command-line tools, rather than reviewing isolated events that look benign on their own.
Executive priority
Prioritize this as a Windows detection engineering and incident response readiness issue. It supports decisions about endpoint telemetry depth, SOC correlation capability, and whether common business applications are being monitored for abnormal execution chains. Because no ATT&CK tactic or relationship context is supplied, it should be treated as a coverage validation item rather than evidence of a specific campaign or impact scenario.
Technical view
Validate whether Windows telemetry can correlate creation or access of named pipes, COM objects, or DDE-related execution with suspicious parent-child process relationships and code injection patterns. The supplied example is Office spawning cmd.exe via DDE. Detection quality will depend on joining IPC-related events with process creation, parent process lineage, and indicators of unusual execution or injection behavior. No official detection logic is provided, so local baselining and tuning are required.
Likely telemetry
- Windows process creation events with parent-child lineage
- Endpoint telemetry for COM object creation or access, where the endpoint tool exposes it
- Endpoint telemetry for named pipe creation and connection (for example, Sysmon Event IDs 17 and 18)
- Office application process activity and child process launches
- Code injection or suspicious process behavior telemetry from endpoint security tools
Detection direction
- Confirm the SOC can correlate IPC mechanism activity with process lineage instead of alerting on IPC use alone.
- Baseline normal COM, DDE, and named pipe usage for common Windows and business applications to reduce false positives.
- Tune for unusual parent-child relationships, especially Office applications spawning command interpreters or unexpected executables, as described in the source object.
- Validate visibility gaps where endpoint tools do not expose COM, DDE, named pipe, or code injection context.
- Because no ATT&CK relationships are supplied, do not assume coverage for a specific technique without mapping this analytic to local detections and test cases.
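The correlation described in the technical view and the detection direction list above, as an added example that is not part of the MITRE object or of Glexia's tooling: a small Python routine that joins process-creation events to named-pipe and remote-thread events through parent-process lineage, so that IPC activity is only raised when it sits under an Office parent, and that applies a local pipe-name allowlist as the baselining step. The events are constructed sample telemetry in a Sysmon-like field shape (Event ID 1 process create, Event ID 8 CreateRemoteThread, Event ID 17 pipe created); the process GUIDs, pipe names and the OFFICE_APPS, INTERPRETERS and ALLOWED_PIPES sets are assumptions for illustration, not a tuned baseline.

```python
"""Correlate Windows IPC telemetry with process lineage (added example).

Field names follow Sysmon (Image, ParentImage, ProcessGuid, PipeName,
SourceImage, TargetImage); the event values are constructed sample data.
"""

# Assumed environment baseline: which parents count as Office and which
# children are command interpreters worth alerting on.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Hypothetical allowlist of pipe names the local baseline has found benign.
ALLOWED_PIPES = {r"\ntsvcs", r"\srvsvc", r"\spoolss"}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"EventID": 1, "ProcessGuid": "W", "ParentProcessGuid": "E",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Legitimate Office child (print helper): must not alert.
    {"EventID": 1, "ProcessGuid": "X", "ParentProcessGuid": "W",
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Office spawning a command interpreter (the DDE-style pattern).
    {"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "W",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "ProcessGuid": "P", "ParentProcessGuid": "C",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "E",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Pipe created two hops below WINWORD.EXE: lineage check should fire.
    {"EventID": 17, "ProcessGuid": "P", "PipeName": r"\agentpipe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessGuid": "S", "ParentProcessGuid": "V",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Allowlisted system pipe: suppressed by the baseline.
    {"EventID": 17, "ProcessGuid": "S", "PipeName": r"\ntsvcs",
     "Image": r"C:\Windows\System32\svchost.exe"},
    # Unlisted pipe, but no Office ancestor: not raised.
    {"EventID": 17, "ProcessGuid": "B", "PipeName": r"\mojo.1234",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # Remote thread from a process under Office: injection-style pattern.
    {"EventID": 8, "SourceProcessGuid": "P", "TargetProcessGuid": "N",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_process_table(events):
    """ProcessGuid -> (image basename, parent guid), from Event ID 1 records."""
    table = {}
    for ev in events:
        if ev["EventID"] == 1:
            table[ev["ProcessGuid"]] = (basename(ev["Image"]), ev["ParentProcessGuid"])
    return table


def lineage(guid, table):
    """Image basenames from the process up through every known ancestor."""
    chain, seen = [], set()
    while guid in table and guid not in seen:
        seen.add(guid)
        image, guid = table[guid]
        chain.append(image)
    return chain


def detect(events):
    """Return (rule, process guid, detail) findings for IPC activity under Office."""
    table = build_process_table(events)
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in OFFICE_APPS and child in INTERPRETERS:
                findings.append(("office_spawns_interpreter", ev["ProcessGuid"],
                                 f"{parent} -> {child}"))
        elif eid == 17:
            if ev["PipeName"] in ALLOWED_PIPES:
                continue  # local baseline: known-good pipe name
            chain = lineage(ev["ProcessGuid"], table)
            if any(p in OFFICE_APPS for p in chain):
                findings.append(("named_pipe_in_office_lineage", ev["ProcessGuid"],
                                 f"{ev['PipeName']} via {' <- '.join(chain)}"))
        elif eid == 8:
            chain = lineage(ev["SourceProcessGuid"], table)
            if any(p in OFFICE_APPS for p in chain):
                findings.append(("remote_thread_from_office_lineage", ev["SourceProcessGuid"],
                                 f"{basename(ev['SourceImage'])} -> {basename(ev['TargetImage'])}"))
    return findings


if __name__ == "__main__":
    for rule, guid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {guid:4} {detail}")
```

Against the sample events this raises three findings (the cmd.exe child of WINWORD.EXE, the pipe created by the PowerShell grandchild, and the remote thread from that same process) and stays silent on the print helper, the allowlisted service pipe and the browser pipe. The point is the join: a pipe or remote-thread event is judged by the ancestry of the process that produced it, not on its own, which is what the detection direction above asks the SOC to confirm it can do.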
Mitigation priorities
- Ensure Windows endpoint logging and EDR collection are sufficient to preserve process lineage and IPC-relevant evidence.
- Harden and monitor Office and other high-risk user applications for abnormal child process execution where business operations allow.
- Use application control or execution policy controls to limit unnecessary command interpreter launches from productivity applications where feasible.
- Document detection coverage and investigation procedures as compliance and incident response evidence.
- Review exceptions regularly so business-required IPC activity does not become an unmanaged blind spot.
Analyst notes and limits
This is a detection analytic for Windows, external ID AN1357, focused on anomalous COM, DDE, or named pipe use for execution. The official object provides a description but no detection implementation, no tactics, and no relationship context. Glexia interpretation should therefore focus on telemetry validation, correlation design, and operational readiness rather than campaign-specific conclusions.
The source does not provide official detection logic, ATT&CK tactic mapping, related techniques, adversary relationships, severity, prevalence, or confirmed exploitation context. Environment-specific baselines are required to distinguish abnormal IPC-driven execution from legitimate Windows and application behavior.
Analytic 1357
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c65a2668202a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1357 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.