# T1559.002 Dynamic Data Exchange

-----------------------------------------------------------------------

## Technique Description

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017)

Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may embed DDE formulas within a CSV file intended to be opened by a Windows spreadsheet program, so that opening the file executes applications and/or commands on the victim device.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection)

DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)

## Technique Detection

Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).
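The process-creation half of that guidance, as an added example written for this playbook (it is not MITRE's or any vendor's code): a small detector that reads key/value process-creation records in the style of Sysmon Event ID 1 and flags an Office host starting a command interpreter or script host. The log records, paths and command lines are constructed placeholders, and the parent/child lists are assumptions to tune for the estate.

```python
"""Flag Office applications spawning command interpreters in process-creation logs.

Added example for this playbook; it is not MITRE's or any vendor's code. The
records below are constructed to resemble the key/value rendering of Sysmon
Event ID 1 (process creation); the paths and command lines are placeholders.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Office hosts that can act as a DDE client (assumption: tune to the estate).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe"}
# Children an Office document has no routine reason to start (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    utc_time: str
    parent_image: str
    image: str
    command_line: str


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse blank-line separated 'Key: Value' records into ProcessEvent objects."""
    events = []
    for block in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        events.append(ProcessEvent(
            utc_time=fields.get("UtcTime", ""),
            parent_image=fields.get("ParentImage", ""),
            image=fields.get("Image", ""),
            command_line=fields.get("CommandLine", ""),
        ))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return PureWindowsPath(path).name.lower()


def office_child_alert(event: ProcessEvent) -> Optional[str]:
    """Return an alert string when an Office parent starts a suspicious child."""
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"{event.utc_time} {parent} -> {child}: {event.command_line}"
    return None


def scan_events(events: Iterable[ProcessEvent]) -> List[str]:
    """Run the parent/child rule over every event and keep the alerts."""
    return [a for a in (office_child_alert(e) for e in events) if a]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_LOG = """\
UtcTime: 2022-06-23 10:15:02.123
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
Image: C:\\Windows\\System32\\cmd.exe
CommandLine: "C:\\Windows\\System32\\cmd.exe" /c PLACEHOLDER_COMMAND

UtcTime: 2022-06-23 10:15:03.456
ParentImage: C:\\Windows\\explorer.exe
Image: C:\\Windows\\System32\\cmd.exe
CommandLine: "C:\\Windows\\System32\\cmd.exe"

UtcTime: 2022-06-23 10:16:10.789
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell.exe -NoProfile -Command PLACEHOLDER_COMMAND

UtcTime: 2022-06-23 10:16:11.000
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
Image: C:\\Windows\\splwow64.exe
CommandLine: C:\\Windows\\splwow64.exe 12288
"""

if __name__ == "__main__":
    for alert in scan_events(parse_events(SAMPLE_LOG)):
        print(alert)
```

Of the four constructed records, only the two where an Office parent starts cmd.exe or powershell.exe are reported; explorer.exe starting cmd.exe and Word starting the print spooler helper are left alone. The same rule ports directly to a SIEM query over the Process Creation data source listed below; the Module Load data source covers the other half of the guidance (unexpected DLLs loaded into Office), which this example does not model.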

OLE, Office Open XML, CSV, and other files can be scanned for ‘DDEAUTO’, ‘DDE’, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017)(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection)
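A file scanner for the Office Open XML and CSV cases, as an added example written for this playbook (it is not MITRE's, NVISO's or OWASP's code). For .docx it walks every XML part in the package, joins the field instruction runs of each paragraph before matching (Word may spread one field code across several `w:instrText` elements, so a naive string search for ‘DDEAUTO’ can miss it) and also reads `w:fldSimple` instructions; for CSV it flags cells starting with a formula trigger character. The sample document and CSV are constructed in memory, and the ‘DDEAUTO’ field in them carries a placeholder rather than a command.

```python
"""Scan Office Open XML and CSV files for DDE field indicators.

Added example for this playbook (not MITRE's, NVISO's or OWASP's code). The
sample .docx and .csv below are constructed in memory; the 'DDEAUTO' field
text is a placeholder with no command in it.
"""
import csv
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)
# Leading characters that make a spreadsheet program evaluate a cell as a
# formula (OWASP CSV Injection); a DDE formula in a CSV is one such cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def field_codes(xml_bytes: bytes) -> List[str]:
    """Return every field instruction found in one WordprocessingML part.

    Word may split a single field across several <w:instrText> runs, so the
    runs of each paragraph are concatenated before matching. Simple fields
    carry their instruction in the w:instr attribute of <w:fldSimple>.
    """
    root = ET.fromstring(xml_bytes)
    codes = []
    for para in root.iter(f"{{{W_NS}}}p"):
        joined = "".join(t.text or "" for t in para.iter(f"{{{W_NS}}}instrText"))
        if joined.strip():
            codes.append(joined.strip())
    for simple in root.iter(f"{{{W_NS}}}fldSimple"):
        instr = simple.get(f"{{{W_NS}}}instr")
        if instr:
            codes.append(instr.strip())
    return codes


def scan_docx(data: bytes) -> List[Tuple[str, str]]:
    """Return (part name, field code) pairs that match the DDE pattern.

    Every XML part is inspected, not only word/document.xml, because fields
    can also sit in headers, footers and footnotes.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            for code in field_codes(zf.read(name)):
                if DDE_RE.search(code):
                    hits.append((name, code))
    return hits


def scan_csv(text: str) -> List[Tuple[int, int, str]]:
    """Return (row, column, cell) for cells a spreadsheet would treat as formulas."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            stripped = cell.lstrip(" ")
            if not stripped.startswith(FORMULA_TRIGGERS):
                continue
            try:                       # plain negative numbers start with '-' too;
                float(stripped)        # skip them to keep the noise down
                continue
            except ValueError:
                pass
            hits.append((row_no, col_no, cell))
    return hits


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: one field split across runs plus a benign DATE field."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}"><w:body>
<w:p><w:r><w:t>Quarterly report (constructed sample)</w:t></w:r></w:p>
<w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve">DDE</w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">AUTO </w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">PLACEHOLDER_NO_COMMAND</w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p><w:fldSimple w:instr=" DATE \\* MERGEFORMAT "><w:r><w:t>2022</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed CSV: one negative number (benign), one formula cell, one '@' cell.
SAMPLE_CSV = (
    "name,amount,note\n"
    "alice,-42.50,ok\n"
    'bob,10,"=PLACEHOLDER(""constructed"")"\n'
    "carol,7,@mention\n"
)

if __name__ == "__main__":
    print(scan_docx(build_sample_docx()))
    print(scan_csv(SAMPLE_CSV))
```

Against the constructed inputs the .docx scan reports the reassembled `DDEAUTO PLACEHOLDER_NO_COMMAND` field in word/document.xml and ignores the DATE field, while the CSV scan reports the `=` and `@` cells and skips the negative amount. Legacy binary .doc/.xls (OLE) files are not zip packages, so they need an OLE parser rather than this scanner; a search of the raw bytes for the same pattern is the fallback the NVISO write-up describes.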

-----------------------------------------------------------------------

### Tactics:

  * Execution

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Script:** Script Execution

  * **Module:** Module Load

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)| 
| Sharpshooter | [Sharpshooter](https://attack.mitre.org/groups/G0104) has sent malicious Word OLE documents to victims.(Citation: McAfee Sharpshooter December 2018)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has leveraged malicious Word documents that abused DDE.(Citation: Proofpoint TA505 June 2018)| 
| Gallmaker | [Gallmaker](https://attack.mitre.org/groups/G0084) attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution.(Citation: Symantec Gallmaker Oct 2018)| 
| Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has sent malicious Word OLE compound documents to victims.(Citation: Talos Cobalt Group July 2018)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has utilized OLE as a method to insert malicious content inside various phishing documents. (Citation: Accenture MUDCARP March 2019)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can execute PowerShell scripts via DDE.(Citation: Securelist MuddyWater Oct 2018)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun 2016)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) spear phishing campaigns have included malicious Word documents with DDE execution.(Citation: CyberScoop FIN7 Oct 2017)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) leveraged the DDE protocol to deliver their malware.(Citation: TrendMicro Patchwork Dec 2017)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has delivered [JHUHUGIT](https://attack.mitre.org/software/S0044) and [Koadic](https://attack.mitre.org/software/S0250) by executing PowerShell commands through DDE in Word documents.(Citation: McAfee APT28 DDE1 Nov 2017)(Citation: McAfee APT28 DDE2 Nov 2017)(Citation: Palo Alto Sofacy 06-2018)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1559/002)

  * [Bleepingcomputer Dde Disabled In Word Dec 2017](https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/), Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.

  * [Microsoft Adv170021 Dec 2017](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021), Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.

  * [Microsoft Dde Advisory Nov 2017](https://technet.microsoft.com/library/security/4053440), Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.

  * [Sensepost Ps Dde May 2016](https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/), El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. Retrieved November 22, 2017.

  * [Kettle Csv Dde Aug 2014](https://www.contextis.com/blog/comma-separated-vulnerabilities), Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.

  * [Enigma Reviving Dde Jan 2018](https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee), Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.

  * [Sensepost Macroless Dde Oct 2017](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/), Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017.

  * [Owasp Csv Injection](https://owasp.org/www-community/attacks/CSV_Injection), Albinowax, Timo Goosen. (n.d.). CSV Injection. Retrieved February 7, 2022.

  * [Csv Excel Macro Injection](https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/), Ishaq Mohammed. (2021, January 10). Everything about CSV Injection and CSV Excel Macro Injection. Retrieved February 7, 2022.

  * [Fireeye Hunting Com June 2019](https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html), Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.

  * [Nvisio Labs Dde Detection Oct 2017](https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/), NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [Other references: All custom links should go here](example.lan)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

