Home/ATT&CK Technique/Dynamic Data Exchange
ATT&CK Technique

Dynamic Data Exchange

T1559.002 · execution

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.

Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program. DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter. DDE execution can be invoked remotely via Remote Services such as Distributed Component Object Model (DCOM).

Windows

Actors Using This

7
russiaAPT28
iranOilRig
north_koreaAPT38
russiaGamaredon Group
north_koreaKimsuky
iranMuddyWater
russiaSandworm Team

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance earlier
T1589 · Gather Victim Identity Information ×8.16T1591 · Gather Victim Org Information ×8.00T1591.004 · Identify Roles ×7.85T1589.002 · Email Addresses ×7.39
resource-development earlier
T1586.002 · Email Accounts ×8.95T1586 · Compromise Accounts ×8.50T1584.006 · Web Services ×6.80
persistence later
T1098.002 · Additional Email Delegate Permissions ×13.60
privilege-escalation later
T1546.015 · Component Object Model Hijacking ×17.00T1546.011 · Application Shimming ×13.60T1546.001 · Change Default File Association ×11.33
command-and-control later
T1071.003 · Mail Protocols ×6.80
impact later
T1561.001 · Disk Content Wipe ×6.54
other same
T1070.006 · Timestomp ×7.03T1480 · Execution Guardrails ×6.48

Atomic Tests

3
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
manualwindowsExecute Commands
Executes commands via DDE using Microsfot Word
command_promptwindowsExecute PowerShell script via Word DDE
When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script 
start "$PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx"
manualwindowsDDEAUTO
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ Word VBA Macro [Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)

Mitigations

4
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1040Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack.

Suspicious Process Behavior
  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.
Unauthorized File Access
  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.
Abnormal API Calls
  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.
Exploit Prevention
  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
M1042Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled.

Remove Legacy Software
  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.
Disable Unused Features
  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.
Control Applications Installed by Users
  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.
Remove Unnecessary Services
  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.
Restrict Add-ons and Plugins
  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.
M1048Application Isolation and Sandboxing

Application Isolation and Sandboxing refers to the technique of restricting the execution of code to a controlled and isolated environment (e.g., a virtual environment, container, or sandbox). This method prevents potentially malicious code from affecting the rest of the system or network by limiting access to sensitive resources and critical operations. The goal is to contain threats and minimize their impact.

Browser Sandboxing
  • Use Case: Implement browser sandboxing to isolate untrusted web content and prevent malicious web pages or scripts from accessing sensitive system resources or initiating unauthorized downloads.
  • Implementation: Use browsers with built-in sandboxing features (e.g., Google Chrome, Microsoft Edge) or deploy enhanced browser security frameworks that limit the execution scope of active content. Consider controls that monitor or restrict script-based file generation and downloads commonly abused in evasion techniques like HTML smuggling.
Application Virtualization
  • Use Case: Deploy critical or high-risk applications in a virtualized environment to ensure any compromise does not affect the host system.
  • Implementation: Use application virtualization platforms to run applications in isolated environments.
Email Attachment Sandboxing
  • Use Case: Route email attachments to a sandbox environment to detect and block malware before delivering emails to end-users.
  • Implementation: Integrate security solutions with sandbox capabilities to analyze email attachments.
Endpoint Sandboxing
  • Use Case: Run all downloaded files and applications in a restricted environment to monitor their behavior for malicious activity.
  • Implementation: Use endpoint protection tools for sandboxing at the endpoint level.
M1054Software Configuration

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data.

Conduct a Security Review of Application Settings
  • Review the software documentation to identify recommended security configurations.
  • Compare default settings against organizational policies and compliance requirements.
Implement Access Controls and Permissions
  • Restrict access to sensitive features or data within the software.
  • Enforce least privilege principles for all roles and accounts interacting with the software.
Enable Logging and Monitoring
  • Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
  • Integrate logs with a centralized monitoring solution, such as a SIEM.
Update and Patch Software Regularly
  • Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
  • Use automated patch management tools to streamline the update process.
Disable Unnecessary Features or Services
  • Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.
Test Configuration Changes
  • Perform configuration changes in a staging environment before applying them in production.
  • Conduct regular audits to ensure that settings remain aligned with security policies.
Tools for Implementation Configuration Management Tools
  • Ansible: Automates configuration changes across multiple applications and environments.
  • Chef: Ensures consistent application settings through code-based configuration management.
  • Puppet: Automates software configurations and audits changes for compliance.
Security Benchmarking Tools
  • CIS-CAT: Provides benchmarks and audits for secure software configurations.
  • Aqua Security Trivy: Scans containerized applications for configuration issues.
Vulnerability Management Solutions
  • Nessus: Identifies misconfigurations and suggests corrective actions.
Logging and Monitoring Tools
  • Splunk: Aggregates and analyzes application logs to detect suspicious activity.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 1
Analytics (MITRE CAR) 1
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

1
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2021-01-006Low coverageUnusual Child Process spawned using DDE exploit

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Splunk - Splunk search - Unusual Child Process spawned using DDE exploit
index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe"
Pseudocode - Splunk search - Unusual Child Process spawned using DDE exploit
processes = search Process:Create
target_processes = filter processes where (
     (parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe")
     AND image="*.exe"
     )

Comply & Defend

NIST 800-53AC-04, AC-06, CM-02, CM-06, CM-07, CM-08, CM-10, RA-05, SC-03, SC-07, SC-18, SI-02, SI-03, SI-04
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin