Dynamic Data Exchange
| Data Sources | API monitoring, DLL monitoring, Process Monitoring, Windows Registry, Windows event logs |
Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE is still enabled in Windows 10 and most of Microsoft Office 2016 (a December 2017 patch created a Registry key that disables DDE in Word by default).[1]
Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands[2][3] and used to deliver execution via spear phishing campaigns or hosted web content, avoiding the use of Visual Basic for Applications (VBA) macros.[4] DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.
- APT28 has delivered JHUHUGIT by executing PowerShell commands through DDE in Word documents.[5][6]
- FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[7]
Ensure Protected View is enabled.[8]
OLE and Office Open XML files can be scanned for 'DDEAUTO', 'DDE', and other strings indicative of DDE execution.[10]
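The following is an added example, not code from this page or from any of the cited tools: a small Python scanner that implements the check just described. For Office Open XML (docx/docm/dotm) it unpacks the container and reassembles each field's instruction text, because a field instruction can be spread over several `w:instrText` runs and a plain substring search then misses the keyword; for anything that is not a zip container (such as a legacy OLE .doc) it falls back to a raw ASCII/UTF-16LE search. The sample document builder, the `placeholder_app`/`placeholder_arg` field arguments and the `[Content_Types].xml` stub are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Field keywords indicative of DDE execution (the strings the page names).
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Raw-bytes fallback for non-OOXML containers (e.g. legacy OLE .doc), which
# may hold field instructions as ASCII or as UTF-16LE text.
RAW_PATTERNS = {
    "ascii": re.compile(rb"\bDDE(?:AUTO)?\b", re.IGNORECASE),
    "utf-16le": re.compile(rb"D\x00D\x00E\x00(?:A\x00U\x00T\x00O\x00)?", re.IGNORECASE),
}


def _field_instructions(xml_bytes):
    """Yield the instruction text of each field in one WordprocessingML part.

    Fields appear either as <w:fldSimple w:instr="..."/> or as complex fields
    whose instruction is spread over several <w:instrText> runs between
    <w:fldChar w:fldCharType="begin"/> and "end". The runs are concatenated,
    so a keyword split across runs is still seen whole.
    """
    root = ET.fromstring(xml_bytes)
    for node in root.iter(W + "fldSimple"):
        yield node.get(W + "instr", "")
    buf, depth = [], 0
    for node in root.iter():  # document order, so begin/instrText/end line up
        if node.tag == W + "fldChar":
            kind = node.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth:
                depth -= 1
                if depth == 0:
                    yield "".join(buf)
                    buf = []
        elif node.tag == W + "instrText" and depth:
            buf.append(node.text or "")
    if buf:  # unterminated field: still report what was collected
        yield "".join(buf)


def scan_office_file(data):
    """Return a list of (location, instruction) hits for a document given as bytes."""
    hits = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                # Fields can live in headers, footers, footnotes etc., not only
                # word/document.xml, so every XML part under word/ is parsed.
                if not (name.startswith("word/") and name.endswith(".xml")):
                    continue
                try:
                    for instr in _field_instructions(z.read(name)):
                        norm = " ".join(instr.split())  # collapse run boundaries
                        if DDE_RE.search(norm):
                            hits.append((name, norm))
                except ET.ParseError:
                    hits.append((name, "<unparseable XML part>"))
        return hits
    for label, pat in RAW_PATTERNS.items():
        enc = "ascii" if label == "ascii" else "utf-16-le"
        for m in pat.finditer(data):
            hits.append(("raw:%s@%d" % (label, m.start()), m.group().decode(enc)))
    return hits


def build_sample_docx(instr_runs):
    """Constructed minimal .docx with one complex field whose instruction text
    is split across the given w:instrText runs (test input, not a real sample)."""
    runs = "".join('<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % t
                   for t in instr_runs)
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:t>field result</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>' % (W_NS, runs))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # stub, not a valid package
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    split = build_sample_docx(["DDE", "AUTO placeholder_app ", '"placeholder_arg"'])
    print(scan_office_file(split))
    print(scan_office_file(build_sample_docx(['DATE \\@ "yyyy-MM-dd"'])))
```

Hits are a triage signal rather than a verdict: DDE fields also exist in legitimate documents (for instance links to spreadsheet data), so the instruction text is returned so an analyst can see what the field actually invokes, and the raw-bytes fallback is deliberately permissive and will be noisier than the parsed path.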
Monitor for Microsoft Office applications loading DLLs and other modules not typically associated with the application.
Monitor for spawning of unusual processes (such as cmd.exe) from Microsoft Office applications.
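An added example, not part of this page, of the two monitoring checks above expressed as detection logic over constructed Sysmon-style events (process creation, event ID 1, and image load, event ID 7). A process launched through a DDE field runs as a child of the Office application, which is why the parent/child relationship is the pivot. The Office application list, the interpreter list, the expected-child list and the trusted module directories are assumed baselines to be tuned per environment; the log lines, paths and the `placeholder.exe`/`placeholder.dll` names are constructed.

```python
import json
import ntpath

# Office hosts whose children and module loads are worth watching (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe"}
# Command interpreters and script hosts: an Office app spawning one of these
# is the high-confidence signal the page describes (cmd.exe in particular).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
# Children Office spawns in normal use (print helper, error reporting);
# assumed benign for this example and to be tuned per environment.
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe"}
# Directories Office is expected to load modules from (assumed baseline); a
# DLL loaded from elsewhere, e.g. a user-writable path, is flagged for review.
TRUSTED_MODULE_DIRS = ("c:\\windows\\", "c:\\program files\\",
                       "c:\\program files (x86)\\")


def _name(path):
    """Lower-cased file name of a Windows path (ntpath handles both slashes)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Classify one Sysmon-style event; returns (severity, detail) or None."""
    eid = event.get("EventID")
    image = _name(event.get("Image", ""))
    if eid == 1:  # process creation: look at the parent/child pair
        parent = _name(event.get("ParentImage", ""))
        if parent not in OFFICE_APPS:
            return None
        if image in SCRIPT_HOSTS:
            return ("high", "%s spawned %s: %s" % (parent, image, event.get("CommandLine", "")))
        if image in EXPECTED_CHILDREN or image in OFFICE_APPS:
            return None  # e.g. Outlook opening Word, or the print helper
        # A field can name any executable directly, not only cmd.exe, so an
        # unexpected child of an Office process still deserves a look.
        return ("review", "%s spawned unexpected child %s" % (parent, event.get("Image", "")))
    if eid == 7:  # image load: modules not typically loaded by Office
        if image not in OFFICE_APPS:
            return None
        loaded = event.get("ImageLoaded", "")
        if loaded.lower().startswith(TRUSTED_MODULE_DIRS):
            return None
        return ("review", "%s loaded module outside baseline: %s" % (image, loaded))
    return None


def triage(jsonl_text):
    """Run classify() over JSON-lines events; high-severity findings come first."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        result = classify(event)
        if result:
            findings.append({"severity": result[0], "time": event.get("UtcTime"),
                             "detail": result[1]})
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)  # stable sort
    return findings


# Constructed sample events (not real telemetry); raw string keeps the JSON escapes.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2017-11-08 10:01:02", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c placeholder-command"}
{"EventID": 1, "UtcTime": "2017-11-08 10:01:05", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
{"EventID": 1, "UtcTime": "2017-11-08 10:02:00", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 1, "UtcTime": "2017-11-08 10:03:10", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\placeholder.exe", "CommandLine": "placeholder.exe"}
{"EventID": 1, "UtcTime": "2017-11-08 10:04:00", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n"}
{"EventID": 7, "UtcTime": "2017-11-08 10:05:00", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Users\\user\\AppData\\Local\\Temp\\placeholder.dll"}
{"EventID": 7, "UtcTime": "2017-11-08 10:05:01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Windows\\System32\\ole32.dll"}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["time"], finding["detail"])
```

The "review" tier is what separates this from a plain cmd.exe rule: a DDE field launching a renamed or freshly dropped binary never touches a known interpreter, so the baseline of expected children and module directories is what makes those cases visible, and it is the part that needs tuning against a site's own Office telemetry before alerting on it.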
1. Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.
2. El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE: The Power Within. Retrieved November 22, 2017.
3. Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.
4. Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017.
5. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
6. Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.
7. Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017.
8. Microsoft. (n.d.). What is Protected View? Retrieved November 22, 2017.
9. Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.
10. NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017.