
T1559.002 Dynamic Data Exchange

Sub-technique of T1559

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017)

Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection)

DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
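The two delivery paths described above (DDE field codes inside Office documents, and DDE formulas injected into CSV files that a spreadsheet will evaluate) can both be checked for on the defender's side before a file reaches a user. The following is an added example written for this page, not code from MITRE or from any of the cited sources. It scans a CSV export for cells that a spreadsheet would treat as formulas, flags those with the `=app|topic!item` shape of a DDE link, neutralises them with the single-quote prefix recommended by OWASP, and scans a .docx package for `DDE`/`DDEAUTO` field instructions in `word/*.xml`. The sample CSV, the sample field code and the minimal in-memory .docx builder are constructed for the demonstration (the placeholder application and topic names are not real DDE targets, and the package is only complete enough for the scanner, not a valid Word file).

```python
"""Defensive scanner for DDE indicators in CSV exports and .docx packages (added example)."""
import csv
import io
import re
import zipfile
from typing import List, Tuple

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (the trigger set named in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A DDE link written as a formula has the shape =app|topic!item; the pipe
# following the application name is the tell that separates it from =SUM(...).
DDE_FORMULA_RE = re.compile(r"^[=+\-@]\s*[A-Za-z][^|\n]{0,60}\|")

# Word field instructions that open a DDE link (Word matches them case-insensitively).
DDE_FIELD_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

# Field instructions in WordprocessingML live either in w:instrText runs
# or in the w:instr attribute of a w:fldSimple element.
INSTR_TEXT_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')


def needs_neutralizing(cell: str) -> bool:
    """True if a spreadsheet would evaluate the cell; plain numbers such as -42.5 are exempt."""
    if not cell.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(cell)
        return False
    except ValueError:
        return True


def scan_csv_text(text: str) -> List[Tuple[int, int, str, bool]]:
    """Return (row, col, value, looks_like_dde) for each formula-triggering cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if needs_neutralizing(cell):
                findings.append((r, c, cell, bool(DDE_FORMULA_RE.match(cell))))
    return findings


def neutralize_cell(cell: str) -> str:
    """Prefix a formula-triggering cell with a single quote so it is stored as text."""
    return "'" + cell if needs_neutralizing(cell) else cell


def sanitize_csv_text(text: str) -> str:
    """Rewrite a CSV so that no cell can be interpreted as a formula or DDE link."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


def scan_docx_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Return (part_name, field_instruction) for every DDE/DDEAUTO field in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for instr in INSTR_TEXT_RE.findall(xml) + FLD_SIMPLE_RE.findall(xml):
                if DDE_FIELD_RE.search(instr):
                    findings.append((name, instr.strip()))
    return findings


def build_sample_docx(field_instruction: str) -> bytes:
    """Constructed minimal package with one field code; not a valid Word document."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{field_instruction}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>placeholder</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, constructed
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: placeholder app/topic names, not operational DDE targets.
SAMPLE_CSV = (
    "name,balance,note\n"
    "alice,-42.50,ordinary text\n"
    "bob,100,\"=PLACEHOLDER_APP|'placeholder args'!A0\"\n"
    "carol,7,+1 extra shipment\n"
)
SAMPLE_FIELD = 'DDEAUTO "placeholder-app" "placeholder-topic"'

if __name__ == "__main__":
    for finding in scan_csv_text(SAMPLE_CSV):
        print("csv ", finding)
    print(sanitize_csv_text(SAMPLE_CSV))
    for finding in scan_docx_bytes(build_sample_docx(SAMPLE_FIELD)):
        print("docx", finding)
```

Run as a script it prints the two flagged CSV cells (only bob's is DDE-shaped; carol's "+1 ..." is a generic formula trigger), the sanitised CSV, and the DDEAUTO field found in `word/document.xml`. The numeric exemption in `needs_neutralizing` is a deliberate trade-off so that negative balances survive export untouched; if the receiving application is unknown, dropping that exemption and quoting every triggered cell is the safer default.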

ATT&CK tactics

Execution

References

  1. https://attack.mitre.org/techniques/T1559/002
  2. https://owasp.org/www-community/attacks/CSV_Injection
  3. https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/
  4. https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/
  5. https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/
  6. https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
  7. https://www.contextis.com/blog/comma-separated-vulnerabilities
  8. https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021
  9. https://technet.microsoft.com/library/security/4053440
  10. https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.