
T1559.002 Dynamic Data Exchange

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.[1][2][3]

Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.[4][5][6][7] Similarly, adversaries may embed DDE formulas in a CSV file intended to be opened in a Windows spreadsheet program; when the file is opened, the spreadsheet evaluates the formula and the DDE request executes applications and/or commands on the victim device.[8][9]
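Both artefacts described above can be hunted for on disk. The PowerShell below is an added example, not code from the ATT&CK page or from any of the cited reports: it scans the XML parts of a .docx for DDE/DDEAUTO field instructions (joining split `<w:instrText>` runs, the evasion the NVISO detection note covers) and flags CSV cells that begin with a formula character, then shows how to neutralise such a cell before export. The sample .docx (a bare zip carrying only word/document.xml, not a Word-valid package), the CSV rows, the temp paths and the function names are all constructed for the demo; the calc.exe field and the `=cmd|...` cell are the publicly documented payload shapes from the cited write-ups, used here only as test fixtures.

```powershell
# Added example, not from the ATT&CK page: hunt .docx and .csv files for DDE payload shapes.
# Paths, the sample document and the CSV rows below are constructed for the demo.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$ddeFieldPattern   = '(?i)\bDDE(AUTO)?\b'                  # Word/Outlook field instructions that invoke DDE
$csvFormulaPattern = '^\s*"?\s*(?:[=@]|[+\-](?![0-9.]))'   # =, @, or +/- not followed by a digit (keeps -42.5 unflagged)

function Get-DocxDdeIndicators {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notmatch '^word/.*\.xml$') { continue }   # body, headers, footers, footnotes
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }
            # Complex fields may split the instruction over several <w:instrText> runs ("DD" + "EAUTO"),
            # so join the runs before matching; simple fields keep the instruction in a w:instr attribute.
            $runs   = [regex]::Matches($xml, '<w:instrText[^>]*>(.*?)</w:instrText>', 'Singleline') | ForEach-Object { $_.Groups[1].Value }
            $simple = [regex]::Matches($xml, '<w:fldSimple[^>]*w:instr="([^"]*)"') | ForEach-Object { $_.Groups[1].Value }
            $candidates = @(($runs -join ''))
            if ($simple) { $candidates += $simple }
            foreach ($c in $candidates) {
                if ($c -match $ddeFieldPattern) {
                    $hits += [pscustomobject]@{ File = $Path; Part = $entry.FullName; Field = $c.Trim() }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $hits
}

function Get-CsvFormulaCells {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @(); $lineNo = 0
    foreach ($line in [System.IO.File]::ReadLines($Path)) {
        $lineNo++; $col = 0
        foreach ($cell in ($line -split ',')) {          # naive split; quoted commas need a real CSV parser
            $col++
            if ($cell -match $csvFormulaPattern) {
                $hits += [pscustomobject]@{ File = $Path; Line = $lineNo; Column = $col; Cell = $cell }
            }
        }
    }
    return $hits
}

function ConvertTo-SafeCsvCell {
    # Export-side defence: prefix a single quote so the spreadsheet stores text, then quote the
    # cell (escaping embedded quotes) so a delimiter inside the value cannot split the prefix off.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    if ($Value -match $csvFormulaPattern) { $Value = "'" + $Value }
    return '"' + ($Value -replace '"', '""') + '"'
}

# --- constructed fixtures -------------------------------------------------------------------
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ("dde-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null

$docxPath = Join-Path $tmp 'sample.docx'
$documentXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">EAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>
'@
$zip = [System.IO.Compression.ZipFile]::Open($docxPath, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    $writer = New-Object System.IO.StreamWriter($zip.CreateEntry('word/document.xml').Open())
    try { $writer.Write($documentXml) } finally { $writer.Dispose() }
} finally { $zip.Dispose() }

$csvPath = Join-Path $tmp 'export.csv'
@('id,name,balance', '1,alice,-42.50', "2,=cmd|' /C calc'!A0,10", '3,bob,0') | Set-Content -Path $csvPath

Get-DocxDdeIndicators -Path $docxPath | Format-Table -AutoSize   # one hit: the joined DDEAUTO instruction
Get-CsvFormulaCells   -Path $csvPath  | Format-Table -AutoSize   # one hit: line 3, column 2; -42.50 is not flagged
ConvertTo-SafeCsvCell "=cmd|' /C calc'!A0"                        # "'=cmd|' /C calc'!A0"
```

The docx scanner only understands OOXML; legacy .doc files need an OLE parser such as oletools' `msodde`. Joining every `instrText` run in a part is deliberate so that run-splitting does not hide the keyword, at the cost of occasional false positives where two unrelated fields sit side by side. The `+`/`-` exemption for numbers is a pragmatic trade-off; if the export is consumed by untrusted spreadsheets, neutralise all four prefixes as the OWASP guidance recommends.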

DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter. DDE execution can be invoked remotely via Remote Services such as Distributed Component Object Model (DCOM).[10]

Item Value
ID T1559.002
Sub-technique of T1559 Inter-Process Communication (all sub-techniques: T1559.001, T1559.002, T1559.003)
Tactics TA0002 Execution
Platforms Windows
Permissions required User
Version 1.2
Created 12 February 2020
Last Modified 22 February 2022

Procedure Examples

ID Name Description
G0007 APT28 APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.[31][32][33]
G0067 APT37 APT37 has used Windows DDE for execution of commands and a malicious VBS.[25]
G1002 BITTER BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.[34]
G0080 Cobalt Group Cobalt Group has sent malicious Word OLE compound documents to victims.[30]
G0046 FIN7 FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[36]
G0084 Gallmaker Gallmaker attempted to exploit Microsoft's DDE protocol in order to gain access to victim machines and for execution.[28]
S0237 GravityRAT GravityRAT has been delivered via Word documents using DDE for execution.[19]
S0391 HAWKBALL HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode.[21]
S0387 KeyBoy KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.[20]
G0065 Leviathan Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents.[24]
G0069 MuddyWater MuddyWater has used malware that can execute PowerShell scripts via DDE.[35]
C0013 Operation Sharpshooter During Operation Sharpshooter, threat actors sent malicious Word OLE documents to victims.[37]
G0040 Patchwork Patchwork leveraged the DDE protocol to deliver their malware.[23]
S0428 PoetRAT PoetRAT was delivered with documents using DDE to execute malicious code.[17]
S0223 POWERSTATS POWERSTATS can use DDE to execute additional payloads on compromised hosts.[16]
S0458 Ramsay Ramsay has been delivered using OLE objects in malicious documents.[18]
S0148 RTM RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.[15]
G0121 Sidewinder Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.[26][27]
G0092 TA505 TA505 has leveraged malicious Word documents that abused DDE.[29]
S0476 Valak Valak can execute tasks via OLE.[22]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing Ensure Protected View is enabled.[13]
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs.[14][6]
M1042 Disable or Remove Feature or Program Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution.[3][11][12] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.[2]
M1054 Software Configuration Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.[6][12]
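The M1040, M1042 and M1054 rows above translate into a handful of per-user Registry values and one ASR rule. The script below is an added example, not code from the ATT&CK page or from Microsoft: it applies the DDE-related values published in advisory 4053440 / ADV170021 and in Dormann's write-up for the Office 16.0 hive, enables the Office child-process ASR rule, and reads everything back. The hive version, the `$settings` table, the function name and the expectation that Defender Antivirus is the active engine are assumptions; verify each value name against the current advisory text before deploying, since Microsoft has revised these advisories more than once.

```powershell
# Added example, not from the ATT&CK page or Microsoft's advisories: apply per-user DDE hardening
# values (advisory 4053440 / ADV170021, Dormann 2017) for Office 16.0, enable the Office
# child-process ASR rule, and read everything back. Run elevated; Add-MpPreference requires it.
$officeVersion = '16.0'    # assumption: Office 2016 / Microsoft 365 Apps; 15.0 = 2013, 14.0 = 2010
$base = "HKCU:\Software\Microsoft\Office\$officeVersion"

$settings = @(
    # Word: AllowDDE 0 = DDE disabled (the post-ADV170021 default), 1 = only to already-running programs, 2 = allowed
    @{ Key = "$base\Word\Security";         Name = 'AllowDDE';               Value = 0 }
    # Word and Outlook (WordMail): do not update linked fields automatically when a document opens
    @{ Key = "$base\Word\Options";          Name = 'DontUpdateLinks';        Value = 1 }
    @{ Key = "$base\Word\Options\WordMail"; Name = 'DontUpdateLinks';        Value = 1 }
    # Excel: block DDE server launch and lookup, and keep the link-update prompt
    @{ Key = "$base\Excel\Security";        Name = 'DisableDDEServerLaunch'; Value = 1 }
    @{ Key = "$base\Excel\Security";        Name = 'DisableDDEServerLookup'; Value = 1 }
    @{ Key = "$base\Excel\Options";         Name = 'DontUpdateLinks';        Value = 1 }
    # OneNote: embedded files are not covered by Protected View, so disable them entirely
    @{ Key = "$base\OneNote\Options";       Name = 'DisableEmbeddedFiles';   Value = 1 }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
}

# ASR rule "Block all Office applications from creating child processes". Pilot it with
# -AttackSurfaceReductionRules_Actions AuditMode first; add-ins that spawn helpers will surface as audit events.
$asrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcess -AttackSurfaceReductionRules_Actions Enabled

function Test-DdeHardening {
    # Read-back: every Registry row should report Ok = True; the ASR row expects action 1 (Block).
    $rows = foreach ($s in $settings) {
        $actual = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Expected = $s.Value; Actual = $actual; Ok = ($actual -eq $s.Value) }
    }
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $asrOfficeChildProcess) {
            $action = $pref.AttackSurfaceReductionRules_Actions[$i]
            $rows += [pscustomobject]@{ Key = 'ASR'; Name = $ids[$i]; Expected = 1; Actual = $action; Ok = ($action -eq 1) }
        }
    }
    $rows
}

Test-DdeHardening | Format-Table -AutoSize
```

These are HKCU values, so a fleet deployment belongs in a GPO or Intune policy rather than a logon script, and a user with Registry access can flip them back; the ASR rule is the control that survives that. Disabling Excel's DDE server launch breaks legitimate add-ins that start a DDE server on demand, so audit those before enforcing.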

Detection

ID Data Source Data Component
DS0011 Module Module Load
DS0009 Process Process Creation
DS0012 Script Script Execution
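Of the three data components listed, Process Creation is where DDE execution is most visible: the DDE client (WINWORD.EXE, EXCEL.EXE, OUTLOOK.EXE) becomes the parent of whatever the field launches. The script below is an added example, not code from the ATT&CK page: it parses Sysmon Event ID 1 records, flags Office-parent to interpreter-child pairs, and wraps the same logic around Get-WinEvent for a live hunt. The process lists, the function names and the sample event are constructed for the demo (the sample is not a real capture).

```powershell
# Added example, not from the ATT&CK page: detect Office processes spawning shells or script hosts
# in Sysmon process-creation events (Event ID 1). Lists and the sample event are constructed.
$officeParents   = 'winword.exe', 'excel.exe', 'outlook.exe', 'onenote.exe', 'powerpnt.exe', 'msaccess.exe'
$suspectChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe',
                   'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'msiexec.exe'

function ConvertFrom-SysmonProcessCreate {
    # Flatten the <Data Name="..."> elements of one Sysmon event into a record.
    param([Parameter(Mandatory)][string]$EventXml)
    $e = [xml]$EventXml
    $d = @{}
    foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$e.Event.System.TimeCreated.SystemTime
        Host        = $e.Event.System.Computer
        User        = $d['User']
        ParentImage = $d['ParentImage']
        Image       = $d['Image']
        CommandLine = $d['CommandLine']
    }
}

function Test-OfficeSpawnedShell {
    param([Parameter(Mandatory)]$Record)
    $leaf = { param($p) ($p -split '[\\/]')[-1] }   # file name only; handles Windows paths on any OS
    ($officeParents   -contains (& $leaf $Record.ParentImage)) -and
    ($suspectChildren -contains (& $leaf $Record.Image))
}

function Find-OfficeSpawnedShells {
    # Live hunt: needs Sysmon writing to Microsoft-Windows-Sysmon/Operational on this host.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } |
        ForEach-Object { ConvertFrom-SysmonProcessCreate $_.ToXml() } |
        Where-Object { Test-OfficeSpawnedShell $_ }
}

# Constructed sample (not a real capture): WINWORD.EXE launching cmd.exe, the shape a DDE field produces.
$sampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2022-02-22T10:15:00.000Z"/><Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">"C:\Windows\System32\cmd.exe" /k powershell.exe -nop -w hidden -c whoami</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="ParentCommandLine">"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"</Data>
  </EventData>
</Event>
'@

$record = ConvertFrom-SysmonProcessCreate $sampleEventXml
Test-OfficeSpawnedShell $record    # True for the constructed event
$record | Format-List
```

The same parent/child pairing fires for VBA macros, so triage on the parent command line (which document was open) and on whether the document carries a DDE field or a macro. DDE invoked remotely over DCOM still executes inside the Office process on the target, so the rule holds there too; Equation Editor abuse does not, because the child is spawned by EQNEDT32.EXE rather than the Office binary.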

References

1. Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.

2. Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.

3. Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.

4. El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. Retrieved November 22, 2017.

5. Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.

6. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.

7. Stalmans, E., and El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017.

8. Albinowax, and Goosen, T. (n.d.). CSV Injection. Retrieved February 7, 2022.

9. Mohammed, I. (2021, January 10). Everything about CSV Injection and CSV Excel Macro Injection. Retrieved February 7, 2022.

10. Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.

11. NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017.

12. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.

13. Microsoft. (n.d.). What is Protected View? Retrieved November 22, 2017.

14. Brower, N., and D'Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.

15. Faou, M., and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

16. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.

17. Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.

18. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.

19. Mercer, W., and Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.

20. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.

21. Patil, S., and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.

22. Reaves, J., and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.

23. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

24. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.

25. Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.

26. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.

27. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.

28. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.

29. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.

30. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

31. Sherstobitoff, R., and Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.

32. Paganini, P. (2017, November 9). Russia-Linked APT28 group observed using DDE attack to deliver malware. Retrieved November 21, 2017.

33. Lee, B., and Falcone, R. (2018, June 6). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.

34. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.

35. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.

36. Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017.

37. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.