MITRE ATT&CK® Analytic

AN1393: Analytic 1393

Detects anomalous use of Dynamic Data Exchange (DDE) for code execution, such as Office applications (WINWORD.EXE, EXCEL.EXE) spawning command interpreters, or loading unusual modules through DDEAUTO/DDE formulas. Correlates suspicious parent-child process relationships, registry keys enabling DDE, and module loads inconsistent with normal Office usage.

Enterprise | AN1393 | Analytic | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1393 is a Windows detection analytic focused on suspicious Dynamic Data Exchange (DDE) behavior, especially Microsoft Office processes such as WINWORD.EXE or EXCEL.EXE launching command interpreters or loading unusual modules. For leaders, the value is in validating whether Office-based execution paths are visible to the SOC, because these behaviors can blur the line between normal document activity and code execution.

Executive priority

Prioritize this analytic where Windows endpoints and Office document workflows are business-critical. The key decision is whether the organization can produce reliable evidence of Office child processes, DDE-related registry settings, and abnormal module loading during an investigation. This supports incident response readiness, audit evidence for endpoint monitoring, and control prioritization around document execution risk.

Technical view

SOC and detection teams should validate coverage for anomalous DDE use on Windows by correlating Office parent processes, suspicious child processes such as command interpreters, DDE-related registry configuration, and module loads inconsistent with normal Office usage. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat AN1393 as a validation target rather than a complete rule specification.

Likely telemetry

  • Windows endpoint process creation events with parent-child relationships
  • Execution activity for Office applications such as WINWORD.EXE and EXCEL.EXE
  • Command interpreter execution spawned by Office processes
  • Windows registry telemetry for keys enabling or influencing DDE behavior
  • Module load telemetry for Office processes

Detection direction

  • Confirm that process creation logging preserves parent process, child process, command line, user, host, and timestamp context.
  • Baseline normal Office child-process and module-load behavior before treating all Office-spawned processes as malicious.
  • Tune for suspicious Office-to-command-interpreter relationships and unusual module loads rather than generic Office execution alone.
  • Validate registry monitoring for DDE-related keys where available.
  • Account for false positives from legitimate Office automation, add-ins, macros, or business workflows that may resemble DDE-driven activity.
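
The direction above, sketched as triage logic over process-creation records (an added example, not MITRE's or Glexia's detection logic). Field names are modelled on Sysmon Event ID 1; the interpreter list, the baseline entry, the host and user names, and every sample event are constructed assumptions to be replaced with local data.

```python
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe"}  # parents named in the analytic
# Assumed interpreter list; the analytic says only "command interpreters".
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
REQUIRED = ("UtcTime", "Computer", "User", "Image", "ParentImage", "CommandLine")
# Hypothetical local baseline: (parent, child, command-line substring) of a
# known business workflow. Keep entries as narrow as the workflow allows.
BASELINE = {("excel.exe", "cmd.exe", r"c:\finance\export_report.bat")}

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return (verdict, reason) for one process-creation event."""
    parent, child = base(event.get("ParentImage")), base(event.get("Image"))
    if parent not in OFFICE_PARENTS or child not in INTERPRETERS:
        return ("ignore", "not an Office-to-interpreter pair")
    missing = [f for f in REQUIRED if not event.get(f)]
    if missing:
        # The pair matched but investigation context was lost: a telemetry gap.
        return ("alert", "missing context: " + ",".join(missing))
    cmdline = event["CommandLine"].lower()
    for b_parent, b_child, b_sub in BASELINE:
        if (parent, child) == (b_parent, b_child) and b_sub in cmdline:
            return ("baseline", "matches local baseline entry")
    return ("alert", f"{parent} spawned {child}")

def ev(parent, image, cmdline):
    """Build one constructed sample event."""
    return {"UtcTime": "2024-01-01 09:00:00", "Computer": "WS-01",
            "User": "CORP\\alice", "ParentImage": parent,
            "Image": image, "CommandLine": cmdline}

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SYS32 = "C:\\Windows\\System32\\"
EVENTS = [  # constructed sample data, not real telemetry
    ev(OFFICE + "WINWORD.EXE", SYS32 + "cmd.exe", "cmd.exe /c echo test"),
    ev(OFFICE + "EXCEL.EXE", SYS32 + "cmd.exe",
       "cmd.exe /c C:\\Finance\\export_report.bat"),
    ev(OFFICE + "WINWORD.EXE", "C:\\Windows\\splwow64.exe", "splwow64.exe 8192"),
    ev(OFFICE + "EXCEL.EXE", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", ""),
    ev("C:\\Windows\\explorer.exe", SYS32 + "cmd.exe", "cmd.exe"),
]

def run(events=EVENTS):
    return [triage(e) for e in events]

if __name__ == "__main__":
    for event, (verdict, reason) in zip(EVENTS, run()):
        print(verdict, "|", base(event["Image"]), "|", reason)
```

Registry and module-load correlation are left out here; they need their own event types and a per-environment baseline of normal Office module loads.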

Mitigation priorities

  • Reduce unnecessary Office automation paths where business processes allow.
  • Harden endpoint monitoring around Office process spawning, module loading, and relevant registry changes.
  • Review Office configuration and document-handling controls to limit risky execution behavior where feasible.
  • Ensure incident response playbooks include triage steps for Office-originated process execution and DDE-related artifacts.
  • Use local baselines and business application inventories before enforcing broad blocks that could disrupt legitimate workflows.

Analyst notes and limits

This take is based on the supplied ATT&CK analytic description for AN1393. No relationships, tactics, aliases, or official detection logic were supplied, so the guidance is framed around defensive validation and telemetry readiness rather than a specific ATT&CK technique chain.

The source object is sparse: Windows is the only stated platform, the tactic is not specified, and no official detection query or relationship context is provided. Local endpoint configuration, Office usage patterns, and available telemetry are required to determine practical coverage and tuning.

Official MITRE ATT&CK definition

Analytic 1393

Detects anomalous use of Dynamic Data Exchange (DDE) for code execution, such as Office applications (WINWORD.EXE, EXCEL.EXE) spawning command interpreters, or loading unusual modules through DDEAUTO/DDE formulas. Correlates suspicious parent-child process relationships, registry keys enabling DDE, and module loads inconsistent with normal Office usage.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2d5bbe09407463f4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 2d5bbe094074…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.