Description
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
Object Linking and Embedding (OLE), the ability to link data between documents, was originally implemented on top of DDE. Although superseded by the Component Object Model (COM), DDE remains available in Windows 10 and can be enabled in most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017)
Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via Phishing campaigns or hosted Web content without relying on Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may embed DDE formulas in a CSV file intended to be opened in a Windows spreadsheet program, so that the spreadsheet launches applications and/or commands on the victim device when the cell is evaluated.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection)
DDE can also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter. DDE execution can additionally be invoked remotely via Remote Services such as Distributed Component Object Model (DCOM), for example by instantiating the Excel.Application COM object on a remote host and calling its DDEInitiate method.(Citation: Fireeye Hunting COM June 2019)
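The two file-borne variants above (DDE fields in an Office Open XML document and formula cells in a CSV) can be checked with the same small scanner. The script below is an added example, not code from the ATT&CK page or from any cited tool. It reassembles Word field instructions even when an attacker splits them across many instrText runs or hides the word DDE behind a nested QUOTE field, and it flags CSV cells that a spreadsheet would evaluate as a formula. The sample .docx parts and CSV text are constructed in memory so the script runs offline; the benign "echo" commands in them stand in for a real payload.

```python
"""Scan .docx parts and CSV text for DDE / DDEAUTO indicators (added example)."""
import csv
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Leading characters a spreadsheet treats as the start of a formula (OWASP CSV injection list).
CSV_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def decode_quote(instr: str) -> str:
    """Resolve a { QUOTE 68 68 69 ... } field, used to spell 'DDE' without the literal string."""
    m = re.fullmatch(r"\s*QUOTE\s+((?:\d+\s*)+)", instr, re.IGNORECASE)
    return "".join(chr(int(n)) for n in m.group(1).split()) if m else instr

def field_instructions(xml_bytes: bytes) -> list[str]:
    """Reassemble every field instruction in one WordprocessingML part.

    Handles <w:fldSimple w:instr="..."> and complex fields whose instruction is
    split across many <w:instrText> runs between fldChar begin/end markers.
    Nested fields sit on a stack; a finished inner field feeds its (decoded)
    text into the enclosing instruction, as Word does when it updates fields.
    """
    root = ET.fromstring(xml_bytes)
    instrs = [fs.get(W + "instr", "") for fs in root.iter(W + "fldSimple")]
    stack: list[list[str]] = []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                text = "".join(stack.pop())
                instrs.append(text)
                if stack:
                    stack[-1].append(decode_quote(text))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return instrs

def scan_docx(data: bytes) -> dict[str, list[str]]:
    """Return {zip member: [suspicious field instructions]} for a .docx blob."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instrs = field_instructions(zf.read(name))
            except ET.ParseError:
                continue
            bad = [i.strip() for i in instrs if DDE_RE.search(decode_quote(i))]
            if bad:
                hits[name] = bad
    return hits

def scan_csv(text: str) -> list[tuple[int, int, str]]:
    """Flag (row, col, cell) for cells a spreadsheet would evaluate as a formula."""
    return [(r, c, cell)
            for r, row in enumerate(csv.reader(io.StringIO(text)), 1)
            for c, cell in enumerate(row, 1) if cell.startswith(CSV_TRIGGERS)]

def neutralize_cell(cell: str) -> str:
    """Producer-side fix: prefix an apostrophe so the importer keeps the cell as text."""
    return "'" + cell if cell.startswith(CSV_TRIGGERS) else cell

# Constructed samples. Only the members the scanner reads are written; a real
# .docx also carries [Content_Types].xml and relationship parts.
NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
DOC_XML = rf"""<w:document {NS}><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText> DDE</w:instrText></w:r>
<w:r><w:instrText>AUTO c:\windows\system32\cmd.exe "/k echo DDE" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>update</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>"""
HDR_XML = rf"""<w:hdr {NS}><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>QUOTE 68 68 69 65 85 84 79</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
<w:r><w:instrText> c:\windows\system32\cmd.exe "/k echo DDE" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:hdr>"""
FTR_XML = rf"""<w:ftr {NS}><w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p></w:ftr>"""
SAMPLE_CSV = "name,amount,note\nalice,10,ok\nbob,-5,\"=cmd|' /C echo hi'!A0\"\n"

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in (("word/document.xml", DOC_XML),
                          ("word/header1.xml", HDR_XML),
                          ("word/footer1.xml", FTR_XML)):
            zf.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for part, fields in scan_docx(build_sample_docx()).items():
        print(part, fields)
    print(scan_csv(SAMPLE_CSV))
```

The header sample is the interesting one: the outer field never contains the string "DDE" on disk, so a plain grep over document.xml misses it, while reassembling the field and decoding the inner QUOTE exposes "DDEAUTO". The footer's PAGE field is left alone. On the CSV side the OWASP trigger list deliberately includes "-" and "+", so a negative number like -5 is flagged too; that is a known cost of the rule, and the producer-side neutralize_cell() fix is what removes the risk rather than a tuned detector.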
Platforms
Windows
Mitigations (4)
Behavior Prevention on Endpoint (M1040)
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and to block Office programs from spawning child processes.(Citation: Microsoft ASR Nov 2017)(Citation: Enigma Reviving DDE Jan 2018)
Application Isolation and Sandboxing (M1048)
Ensure Protected View is enabled.(Citation: Microsoft Protected View)
Software Configuration (M1054)
Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017)
Disable or Remove Feature or Program (M1042)
Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution (for Word, the AllowDDE value under the Word\Security key introduced by ADV170021).(Citation: Microsoft DDE Advisory Nov 2017)(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.(Citation: Microsoft
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has sent malicious Word OLE compound documents to victims.(Citation: Talos Cobalt Group July 201... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) spear phishing campaigns have included malicious Word documents with DDE execution.(Citation: CyberScoop... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can execute PowerShell scripts via DDE.(Citation: Securelist MuddyWater Oct ... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Expl... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has delivered [JHUHUGIT](https://attack.mitre.org/software/S0044) and [Koadic](https://attack.mitre.org... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun ... |
| G0084 | Gallmaker | [Gallmaker](https://attack.mitre.org/groups/G0084) attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for ex... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has utilized OLE as a method to insert malicious content inside various phishing documents. (Citati... |
| G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.(Citat... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has leveraged malicious Word documents that abused DDE.(Citation: Proofpoint TA505 June 2018) |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) leveraged the DDE protocol to deliver their malware.(Citation: TrendMicro Patchwork Dec 2017) |
Associated Software (8)
| ID | Name | Type | Context |
|---|---|---|---|
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) has been delivered using OLE objects in malicious documents.(Citation: Eset Ramsay May 2020) |
| S0391 | HAWKBALL | Malware | [HAWKBALL](https://attack.mitre.org/software/S0391) has used an OLE object that uses Equation Editor to drop the embedded shellcode.(Citation: FireEye... |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.(Citation: ... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) can execute tasks via OLE.(Citation: SentinelOne Valak June 2020) |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) was delivered with documents using DDE to execute malicious code.(Citation: Talos PoetRAT April 202... |
| S0223 | POWERSTATS | Malware | [POWERSTATS](https://attack.mitre.org/software/S0223) can use DDE to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Ma... |
| S0387 | KeyBoy | Malware | [KeyBoy](https://attack.mitre.org/software/S0387) uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.(Citation: PWC KeyBoys Feb... |
| S0237 | GravityRAT | Malware | [GravityRAT](https://attack.mitre.org/software/S0237) has been delivered via Word documents using DDE for execution.(Citation: Talos GravityRAT) |
References
- Albinowax; Goosen, T. (n.d.). CSV Injection. Retrieved February 7, 2022.
- Mohammed, I. (2021, January 10). Everything about CSV Injection and CSV Excel Macro Injection. Retrieved February 7, 2022.
- Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.
- El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. Retrieved November 22, 2017.
- Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
- Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.
- Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.
- Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.
- Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
- NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017.
Frequently Asked Questions
What is T1559.002 (Dynamic Data Exchange)?
T1559.002 is a MITRE ATT&CK technique named 'Dynamic Data Exchange'. It belongs to the Execution tactic(s). Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applicat...
How can T1559.002 be detected?
Detection of T1559.002 (Dynamic Data Exchange) rests on two sources. First, process-creation telemetry (Sysmon Event ID 1, or Windows Security event 4688 with command-line auditing enabled): an Office application such as winword.exe or excel.exe spawning cmd.exe, powershell.exe, mshta.exe or another interpreter is the most reliable signal, and an Office process started by the DcomLaunch service host rather than by the user's shell can indicate remote DDE invocation via DCOM. Second, content inspection: Office Open XML, OLE, RTF and CSV files can be scanned for DDEAUTO, DDE and related field strings, bearing in mind that field text may be split across runs or hidden behind QUOTE fields (see NVISO Labs, Detecting DDE in MS Office documents, in the References). Feed both into SIEM rules or EDR behavioral analytics, and allowlist the few child processes Office legitimately spawns in your environment to keep noise down.
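The process-telemetry half of that answer, as an added example rather than code from the ATT&CK page: a small classifier run over constructed Sysmon Event ID 1 records rendered as JSON lines. Field names (Image, ParentImage, CommandLine, ParentCommandLine, ProcessId, EventID) follow Sysmon's event schema; the sample records and the BENIGN_CHILDREN allowlist are assumptions to be tuned per environment.

```python
"""Flag DDE-style execution from process-creation telemetry (added example)."""
import json
import ntpath
from typing import Optional

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
          "onenote.exe", "msaccess.exe"}
# Interpreters and LOLBins an Office process has no business launching.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                "msiexec.exe", "bitsadmin.exe"}
# Assumption: children Office spawns legitimately here (print spooler, crash reporter).
BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe", "protocolhandler.exe"}

def base(path: Optional[str]) -> str:
    """Lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()

def classify(ev: dict) -> Optional[str]:
    """Return an alert label for one process-creation event, or None."""
    image, parent = base(ev.get("Image")), base(ev.get("ParentImage"))
    if parent in OFFICE and image in INTERPRETERS:
        return "office_spawned_interpreter"          # high confidence
    if parent in OFFICE and image not in OFFICE | BENIGN_CHILDREN:
        return "office_spawned_unexpected_child"     # lower confidence, triage
    # Remote DDE via DCOM: the Office server is started by the DcomLaunch
    # service host instead of by the user's shell.
    if (image in OFFICE and parent == "svchost.exe"
            and "dcomlaunch" in (ev.get("ParentCommandLine") or "").lower()):
        return "office_started_by_dcomlaunch"
    return None

def detect(lines: list[str]) -> list[tuple[str, str, str]]:
    """Run classify() over JSON lines; return (label, ProcessId, CommandLine)."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 1:          # only process creation
            continue
        label = classify(ev)
        if label:
            alerts.append((label, str(ev.get("ProcessId")), ev.get("CommandLine", "")))
    return alerts

# Constructed sample telemetry, not real logs.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE = [
    json.dumps({"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r'"C:\Windows\System32\cmd.exe" /k echo DDE',
                "ParentImage": WORD,
                "ParentCommandLine": f'"{WORD}" /n "C:\\Users\\alice\\Downloads\\invoice.docx"'}),
    json.dumps({"EventID": 1, "ProcessId": 4188, "Image": r"C:\Windows\splwow64.exe",
                "CommandLine": r"C:\Windows\splwow64.exe 12288",
                "ParentImage": WORD, "ParentCommandLine": f'"{WORD}" /n'}),
    json.dumps({"EventID": 1, "ProcessId": 3990, "Image": WORD,
                "CommandLine": f'"{WORD}" /n', "ParentImage": r"C:\Windows\explorer.exe",
                "ParentCommandLine": r"C:\Windows\Explorer.EXE"}),
    json.dumps({"EventID": 1, "ProcessId": 5008, "Image": EXCEL,
                "CommandLine": f'"{EXCEL}" -Embedding',
                "ParentImage": r"C:\Windows\System32\svchost.exe",
                "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"}),
    json.dumps({"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
                "DestinationIp": "192.0.2.10", "DestinationPort": 80}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The first sample is the classic Word DDE chain (winword.exe launching cmd.exe) and fires the high-confidence rule; the splwow64.exe child is dropped by the allowlist; Word started from Explorer is normal; Excel started by the DcomLaunch service host is the remote-DCOM case from the description. The network event is skipped because only process-creation records are classified.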
What mitigations exist for T1559.002?
There are 4 documented mitigations for T1559.002. Key mitigations include: Behavior Prevention on Endpoint, Application Isolation and Sandboxing, Software Configuration, Disable or Remove Feature or Program.
Which threat groups use T1559.002?
Known threat groups using T1559.002 include: Cobalt Group, FIN7, MuddyWater, Sidewinder, APT28, APT37, Gallmaker, Leviathan, BITTER, TA505, and Patchwork.