DET0504: Detect Abuse of Dynamic Data Exchange (T1559.002)
This detection strategy is about finding abuse of Windows Dynamic Data Exchange (DDE), a legacy inter-process communication capability that can be used to...
Analyst context for executives and security teams
This detection strategy is about finding abuse of Windows Dynamic Data Exchange (DDE), a legacy inter-process communication capability that can be used to execute commands through applications that support it. For leaders, the decision value is not that DDE exists, but whether the organization can recognize unusual application-driven execution before it becomes an incident-response blind spot.
Executive priority
Prioritize this as an execution-risk validation item for Windows environments. Security leaders should ask whether SOC, IR, and endpoint teams can prove visibility into application-to-process execution chains involving DDE-capable applications, and whether that evidence is usable for incident triage, audit support, and resilience planning. Because the ATT&CK detection strategy object provides no official detection logic, coverage should be treated as something to validate locally rather than assumed.
Technical view
DET0504 detects ATT&CK technique T1559.002, Dynamic Data Exchange, which is associated with the Execution tactic on Windows. Detection engineering should focus on whether telemetry can show suspicious parent-child process relationships, command execution initiated by document or productivity applications, and inter-process behavior consistent with DDE abuse. IR teams should validate that collected evidence can reconstruct the originating application, spawned process, command line, user context, host, and timing.
Likely telemetry
- Endpoint process creation events with parent-child process relationships
- Command-line arguments for spawned processes
- Application execution logs from Windows endpoints where available
- EDR telemetry showing inter-process communication or application-launched execution
- User, host, and session context tied to execution events
Detection direction
- Validate visibility on Windows endpoints for application-spawned command execution related to DDE-capable workflows.
- Tune detections around unusual child processes launched from productivity or document-handling applications, while accounting for legitimate automation and business workflows.
- Correlate process creation, command line, user context, and file-open activity to reduce false positives.
- Confirm whether existing managed detection or SOC content explicitly maps to T1559.002 rather than only broad process-execution analytics.
- Treat gaps cautiously: the supplied ATT&CK object does not include official detection text, so local telemetry and testing are required to determine coverage.
Mitigation priorities
- Inventory business use of DDE-capable application workflows before applying restrictive controls.
- Harden endpoint and application configurations to reduce unnecessary legacy inter-process execution paths where operationally feasible.
- Apply least privilege so user-launched application abuse has reduced execution and lateral movement value.
- Ensure endpoint monitoring captures process lineage and command-line evidence needed for investigation.
- Document detection assumptions and control decisions for compliance and incident-readiness evidence.
Analyst notes and limits
The strongest use of this object is as a validation prompt: can defenders see and investigate DDE-related execution behavior on Windows? The relationship context provides the key technical anchor: DET0504 detects T1559.002 Dynamic Data Exchange, an Execution technique. No official MITRE detection text or description was supplied for the detection strategy itself.
Platforms and tactics are not specified on the detection strategy object itself; Windows and Execution are derived only from the related T1559.002 technique context. The provided related description is truncated. This summary does not assert active exploitation, specific adversaries, guaranteed detection coverage, or vendor-specific controls.
Detect Abuse of Dynamic Data Exchange (T1559.002)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | This object detects Dynamic Data Exchange. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 0023575c4ae7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0504Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.