# Dynamic Data Exchange Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Objecting Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry Keys. Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via Phishing campaigns or hosted Web content avoiding the use of Visual Basic for Applications (VBA) macros. DDE could be leveraged by adversary operating on compromised machine who does not have access to a Command and Scripting Interpreter Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of string, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Example: In the following example will setup a simple DDE command that will use PowerShell to execute a Nishang Reverse Shell that will connect back to my attacker machine. **As of 2017 some products don't support DDE no more, but Excel and Outlook do still by default** I will open a new excel spreadsheet and type the syntax into the formula box on the A1 cell ![](/files/-MRhDOw31SW4BM2BluQr) On the formula field we will write the following syntax. If you receive a formula error it will usually highlight where the error is located. Command With this we save and re-open the File, we will have a server running and a listener on our attacking machine to receive the connection back to us. ![](/files/-MRhDPpw-AlFoC4aVReP) Once the user opens the file an Update button and a Security Warning will be shown on the upper section of the spreadsheet ![](/files/-MRhDQloEvyxIKOk55ii) Once the update is accepted a second prompt will be shown for trusting the external resource. ![](/files/-MRhDRWvX8ImeDzQENiJ) Click Yes and we see our code ran successfully and we receive a connection back to our machine ![](/files/-MRhDSJSmi6jc5zbHkhR) Demo: ![](/files/-MRhDTxzCzAEzv-uSOdh) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/execution/t1559-inter-process-communication/dynamic-data-exchange.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.