
Dynamic Data Exchange

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. [1] [2] [3]

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands [4] [5], directly or through embedded files [6], and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. [7] DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

ID: T1173
Tactic: Execution
Platform: Windows
Permissions Required: User
Data Sources: API monitoring, DLL monitoring, Process monitoring, Windows Registry, Windows event logs
Version: 1.1

Procedure Examples

Name: Description
APT28: APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents. [16] [17] [18]
APT37: APT37 has used Windows DDE for execution of commands and a malicious VBS. [22]
Cobalt Group: Cobalt Group has sent malicious Word OLE compound documents to victims. [20]
FIN7: FIN7 spear phishing campaigns have included malicious Word documents with DDE execution. [19]
Gallmaker: Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution. [23]
GravityRAT: GravityRAT has been delivered via Word documents using DDE for execution. [11]
HAWKBALL: HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode. [14]
KeyBoy: KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads. [13]
MuddyWater: MuddyWater has used malware that can execute PowerShell scripts via DDE. [21]
Patchwork: Patchwork leveraged the DDE protocol to deliver their malware. [15]
POWERSTATS: POWERSTATS can use DDE to execute additional payloads on compromised hosts. [12]
TA505: TA505 has leveraged malicious Word documents that abused DDE. [24]

Mitigations

Mitigation: Description
Application Isolation and Sandboxing: Ensure Protected View is enabled. [10]
Behavior Prevention on Endpoint: On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. [9] [6]
Disable or Remove Feature or Program: Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. [3] [1] [8] [2]
Software Configuration: Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View. [6] [8]

Detection

OLE and Office Open XML files can be scanned for 'DDEAUTO', 'DDE', and other strings indicative of DDE execution. [25]
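As an added illustration of the string scan described above (example code written for this page, not part of ATT&CK or of reference [25]): a Python scanner that treats Office Open XML as a zip container, assembles Word field instructions across split w:instrText runs before matching (so an instruction is judged as a whole rather than run by run), and sweeps legacy OLE files for 8-bit and UTF-16LE spellings of the indicator. The sample documents are constructed in memory with placeholder application and topic names; the ddeLink/ddeService check for Excel external-link parts and the plain string sweep for OLE (rather than a compound-file parse) are this example's own assumptions, not something the page specifies.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Indicators named on the page, matched against an assembled field instruction.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Fallback for parts that are not WordprocessingML: contiguous indicators only.
# ddeLink/ddeService are the SpreadsheetML external-link elements (assumption
# of this example; the page does not list them).
RAW_RE = re.compile(r"DDEAUTO|\bDDE\b|ddeLink|ddeService")

OOXML_MAGIC = b"PK\x03\x04"                      # Office Open XML is a zip container
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy OLE compound file header
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def field_codes_from_xml(xml_bytes):
    """Assemble Word field instructions from one OOXML part.

    A complex field may spread its instruction over several w:instrText runs,
    so runs are joined per paragraph before matching; a simple field keeps the
    instruction in w:fldSimple/@w:instr.
    """
    root = ET.fromstring(xml_bytes)
    codes = []
    for para in root.iter(W_NS + "p"):
        runs = [t.text or "" for t in para.iter(W_NS + "instrText")]
        if runs:
            codes.append("".join(runs))
    for fld in root.iter(W_NS + "fldSimple"):
        codes.append(fld.get(W_NS + "instr", ""))
    return codes


def scan_document(data):
    """Return a list of (location, evidence) findings for one document's bytes."""
    findings = []
    if data.startswith(OOXML_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if not name.endswith((".xml", ".rels")):
                    continue
                part = zf.read(name)
                try:
                    codes = field_codes_from_xml(part)
                except ET.ParseError:
                    codes = []
                hits = [c.strip() for c in codes if DDE_RE.search(c)]
                if not hits:
                    m = RAW_RE.search(part.decode("utf-8", "replace"))
                    if m:
                        hits = ["raw:" + m.group(0)]
                findings.extend((name, h) for h in hits)
    elif data.startswith(OLE_MAGIC):
        # Binary .doc/.xls: raw sweep over the 8-bit view and both UTF-16LE
        # byte alignments. A string sweep, not a compound-file parse.
        views = [("ole-8bit", data.decode("latin-1")),
                 ("ole-utf16le", data.decode("utf-16-le", "ignore")),
                 ("ole-utf16le+1", data[1:].decode("utf-16-le", "ignore"))]
        for label, text in views:
            findings.extend((label, m.group(0)) for m in DDE_RE.finditer(text))
    return findings


def build_sample_docx(field_runs):
    """Construct a minimal .docx in memory holding one complex field whose
    instruction is split over the given w:instrText runs (sample data)."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{r}</w:instrText></w:r>'
        for r in field_runs)
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           f'{runs}<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: a benign DATE field, a DDEAUTO instruction split across
# runs with placeholder application/topic names, and an OLE-shaped buffer.
SAMPLE_BENIGN = build_sample_docx([" DATE "])
SAMPLE_DDE = build_sample_docx([" DD", "EAUTO placeholder-app ", "placeholder-topic "])
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 8 + "DDEAUTO".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("dde", SAMPLE_DDE), ("ole", SAMPLE_OLE)):
        print(label, scan_document(blob))
```

Assembling the instruction per paragraph is the point: a scanner that greps each run on its own reports nothing for the split sample, while the joined text matches. The OLE branch is deliberately coarse; a production scanner would walk the compound-file streams instead of the whole byte buffer.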

Monitor for Microsoft Office applications loading DLLs and other modules not typically associated with the application.

Monitor for spawning of unusual processes (such as cmd.exe) from Microsoft Office applications.
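The two monitoring points above (unexpected modules loaded into Office, and shells spawned by Office), as an added detection example that is not part of ATT&CK: a small rule evaluator over Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records. The event records, the expected-module directory baseline and the process name lists are constructed for the example; the field names follow Sysmon's Image/ParentImage/ImageLoaded convention.

```python
import os

# Office host processes, and the interpreters/script hosts whose spawning from
# an Office parent the page calls out (cmd.exe) plus common siblings.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "onenote.exe", "msaccess.exe", "mspub.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories from which Office is expected to load modules. This baseline is
# a constructed assumption for the example; a real one is built from the
# environment's own inventory.
EXPECTED_MODULE_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files\common files\microsoft shared",
    r"c:\windows\system32",
    r"c:\windows\winsxs",
)


def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def evaluate(event):
    """Apply both detections to one Sysmon-style event dict.

    EventID 1 = process creation (Image, ParentImage, CommandLine);
    EventID 7 = image load (Image, ImageLoaded). Returns a
    (severity, rule, detail) tuple, or None when nothing fires.
    """
    eid = event.get("EventID")
    if eid == 1:
        parent = image_name(event.get("ParentImage", ""))
        child = image_name(event.get("Image", ""))
        if parent in OFFICE_APPS:
            # Any Office child process is worth a record (this is what the ASR
            # rule blocks); a shell or script host is the DDE-execution shape.
            severity = "high" if child in SHELLS else "info"
            return (severity, "office_child_process",
                    f"{parent} -> {child}: {event.get('CommandLine', '')}")
    elif eid == 7:
        host = image_name(event.get("Image", ""))
        module = event.get("ImageLoaded", "")
        if host in OFFICE_APPS and not module.lower().startswith(EXPECTED_MODULE_DIRS):
            return ("medium", "office_unusual_module", f"{host} loaded {module}")
    return None


def run(events):
    """Evaluate a sequence of events and return the alerts in input order."""
    return [alert for alert in map(evaluate, events) if alert]


# Constructed sample events (not real telemetry); paths and names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c placeholder"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\ole32.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Users\sample\AppData\Local\Temp\sample.dll"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for severity, rule, detail in run(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The module rule is an allowlist by directory rather than a denylist of names, which is what "not typically associated with the application" calls for; the price is a baseline that has to be maintained per Office version, so in practice the alert is tuned against signer and path together rather than path alone.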

References

  1. Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.
  2. Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.
  3. Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.
  4. El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. Retrieved November 22, 2017.
  5. Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.
  6. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  7. Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017.
  8. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
  9. Brower, N. & D'Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.
  10. Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.
  11. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  12. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  13. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.