Dynamic Data Exchange (T1173)

Technique & Subtechniques

  • Dynamic Data Exchange

Associated Tactics

  • Execution

Execution (TA0002)

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Procedure Examples

Description Source(s)
Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017. BleepingComputer DDE Disabled in Word Dec 2017
Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018. Microsoft ADV170021 Dec 2017
Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017. Microsoft DDE Advisory Nov 2017
El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. Retrieved November 22, 2017. SensePost PS DDE May 2016
Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017. Kettle CSV DDE Aug 2014
Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018. Enigma Reviving DDE Jan 2018
Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017. SensePost MacroLess DDE Oct 2017
NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017. NVisio Labs DDE Detection Oct 2017