
Dynamic Data Exchange

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. [1] [2] [3]

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands [4] [5], directly or through embedded files [6], and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. [7] DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

ID: T1173

Tactic: Execution

Platform: Windows

Permissions Required: User

Data Sources: API monitoring, DLL monitoring, Process monitoring, Windows Registry, Windows event logs

Supports Remote: No

Version: 1.0

Examples

Name / Description
APT28

APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.[8][9][10]

APT37

APT37 has used Windows DDE for execution of commands and a malicious VBS.[11]

Cobalt Group

Cobalt Group has sent malicious Word OLE compound documents to victims.[12]

FIN7

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[13]

GravityRAT

GravityRAT has been delivered via Word documents using DDE for execution.[14]

Patchwork

Patchwork leveraged the DDE protocol to deliver their malware.[15]

POWERSTATS

POWERSTATS can use DDE to execute additional payloads on compromised hosts.[16]

Mitigation

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [3] [1] [17] Microsoft also created Registry keys to completely disable DDE execution in Word and Excel. [2]

Ensure Protected View is enabled [18] and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. [6] [17]

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. [19] [6]

Detection

OLE and Office Open XML files can be scanned for 'DDEAUTO', 'DDE', and other strings indicative of DDE execution. [20]
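The following scanner is an added example (not part of the ATT&CK page and not MITRE's code) showing what "scanning Office Open XML for DDE strings" looks like when done properly: it unpacks a .docx, reassembles each field instruction from its `w:instrText` runs (so a keyword split across runs, such as "DD" + "EAUTO", is still caught), and also checks `w:fldSimple` instructions. The sample document is constructed in `build_docx()` with placeholder program and argument names; it is not a real malicious file. Only the Python standard library is assumed.

```python
"""Scan a Word (.docx) document for DDE / DDEAUTO field instructions.

Added example, not MITRE's code. Uses only the standard library; the sample
document built by build_docx() is a constructed fixture, not a real file.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Field keyword that starts a DDE link: DDE or DDEAUTO (case-insensitive).
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(part_xml: bytes) -> list[str]:
    """Return the instruction text of every field in one WordprocessingML part.

    A complex field is a run sequence: fldChar begin, one or more instrText
    elements, fldChar separate/end. The instruction may be spread over several
    instrText elements, so the pieces are joined per field before matching;
    a scanner that inspects each element on its own misses 'DD' + 'EAUTO'.
    Fields can nest (e.g. a QUOTE field wrapping another), hence the stack.
    A simple field carries its instruction in the w:instr attribute.
    """
    root = ET.fromstring(part_xml)
    fields: list[str] = []
    stack: list[list[str]] = []
    for el in root.iter():
        if el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                fields.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return fields


def find_dde(docx_bytes: bytes) -> list[str]:
    """Return every field instruction in the .docx that invokes DDE."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Fields can live in the body, headers, footers, footnotes, etc.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instrs = field_instructions(z.read(name))
            except ET.ParseError:
                continue
            hits.extend(i.strip() for i in instrs if DDE_RE.search(i))
    return hits


def build_docx(body_xml: str) -> bytes:
    """Wrap body_xml in a minimal .docx container (constructed test fixture)."""
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed sample body: one benign PAGE field, one DDEAUTO field whose
# keyword is split across two runs, and one simple-field DDE link.
# Program and argument names are placeholders, not a real command.
SAMPLE_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>1</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO c:\\placeholder\\program.exe '
    '"placeholder args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:fldSimple w:instr=" DDE placeholder-server placeholder-topic placeholder-item ">'
    '<w:r><w:t/></w:r></w:fldSimple>'
)


if __name__ == "__main__":
    for instr in find_dde(build_docx(SAMPLE_BODY)):
        print("DDE field found:", instr)
```

Matching on the reassembled instruction rather than on raw bytes is the point: a plain `grep DDEAUTO` over the zip contents would miss the split-run form, while a field-aware parse reports it together with the full instruction text that an analyst needs to triage.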

Monitor for Microsoft Office applications loading DLLs and other modules not typically associated with the application.

Monitor for spawning of unusual processes (such as cmd.exe) from Microsoft Office applications.
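As an added example for the two monitoring points above (not MITRE's code), the following logic flags command and script interpreters running under a Microsoft Office process. It walks the parent chain rather than checking only the direct parent, because DDE typically launches cmd.exe, which in turn launches PowerShell (the pattern in the APT28 example): a direct-parent rule would see cmd.exe but miss the PowerShell grandchild. The log lines are constructed here in a simplified tab-separated key=value form modelled on process-creation events; the field names (`ProcessId`, `ParentProcessId`, `Image`, `ParentImage`, `CommandLine`, `UtcTime`) and the sample values are assumptions, and a real deployment would read them from Sysmon or Windows event logs.

```python
"""Flag interpreters spawned (directly or indirectly) by Microsoft Office apps.

Added example, not MITRE's code. SAMPLE_EVENTS is constructed telemetry in a
simplified tab-separated key=value layout; field names are assumptions.
"""
from __future__ import annotations

import ntpath

# Office hosts that should rarely, if ever, launch a command interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe"}
# Children that indicate command execution rather than normal Office behaviour.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\Office16\\"
SYS32 = "C:\\Windows\\System32\\"

# Constructed sample events (not real telemetry). Command lines use placeholders.
SAMPLE_EVENTS = [
    "UtcTime=2019-01-01 10:00:00\tProcessId=100\tParentProcessId=50"
    f"\tImage={OFFICE_DIR}WINWORD.EXE\tParentImage=C:\\Windows\\explorer.exe"
    '\tCommandLine="WINWORD.EXE" /n invoice.docx',
    "UtcTime=2019-01-01 10:00:05\tProcessId=200\tParentProcessId=100"
    f"\tImage={SYS32}cmd.exe\tParentImage={OFFICE_DIR}WINWORD.EXE"
    "\tCommandLine=cmd.exe /c PLACEHOLDER_COMMAND",
    "UtcTime=2019-01-01 10:00:06\tProcessId=300\tParentProcessId=200"
    f"\tImage={SYS32}WindowsPowerShell\\v1.0\\powershell.exe\tParentImage={SYS32}cmd.exe"
    "\tCommandLine=powershell.exe -enc PLACEHOLDER",
    "UtcTime=2019-01-01 10:05:00\tProcessId=400\tParentProcessId=150"
    f"\tImage={OFFICE_DIR}WINWORD.EXE\tParentImage={OFFICE_DIR}OUTLOOK.EXE"
    '\tCommandLine="WINWORD.EXE" /Embedding',
]


def parse_event(line: str) -> dict[str, str]:
    """Parse one tab-separated key=value record; values may themselves contain '='."""
    fields: dict[str, str] = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def office_ancestor(pid: str, procs: dict[str, dict[str, str]],
                    max_depth: int = 4) -> tuple[str, int] | None:
    """Walk the parent chain from pid.

    Returns (office image name, hops) for the nearest Office ancestor within
    max_depth parents, or None. Stops when the chain leaves the observed events.
    """
    current = pid
    for hops in range(1, max_depth + 1):
        ev = procs.get(current)
        if ev is None:
            return None
        parent_name = ntpath.basename(ev["ParentImage"]).lower()
        if parent_name in OFFICE_APPS:
            return parent_name, hops
        current = ev["ParentProcessId"]
    return None


def office_spawn_alerts(lines: list[str]) -> list[dict[str, str | int]]:
    """Return one alert per interpreter that has an Office app in its ancestry."""
    events = [parse_event(line) for line in lines]
    procs = {ev["ProcessId"]: ev for ev in events}
    alerts: list[dict[str, str | int]] = []
    for ev in events:
        child = ntpath.basename(ev["Image"]).lower()
        if child not in INTERPRETERS:
            continue  # e.g. Outlook opening Word as its editor is normal
        found = office_ancestor(ev["ProcessId"], procs)
        if found is None:
            continue
        office, hops = found
        alerts.append({"time": ev["UtcTime"], "child": child, "office_ancestor": office,
                       "hops": hops, "command_line": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in office_spawn_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input this yields two alerts: cmd.exe one hop below WINWORD.EXE, and powershell.exe two hops below it via cmd.exe; the Outlook-to-Word launch is ignored because Word is not an interpreter. Bounding the walk with `max_depth` keeps the rule from attributing unrelated long-lived descendants to Office.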
