Common Information
Type | Value |
---|---|
Value | Dynamic Data Exchange - T1559.002 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017) Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019) |
Details | Published | Attributes | CTI | Title |
---|---|---|---|---|
Details | Website | 2024-08-14 | 6 | Zero Day Initiative — CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections |
Details | Website | 2023-12-06 | 198 | Russia/Ukraine Update - December 2023 |
Details | Website | 2023-11-30 | 27 | AeroBlade on the Hunt Targeting the U.S. Aerospace Industry |
Details | Website | 2023-08-25 | 195 | Russia/Ukraine Update - August 2023 |
Details | Website | 2023-07-25 | 47 | Decoding RomCom: Behaviors and Opportunities for Detection |
Details | Website | 2023-06-17 | 8 | SOC First Defense - Understanding The Cyber Attack Chain - A Defense with/without SOC |
Details | Website | 2023-05-15 | 1 | We’re celebrating our 10th anniversary! |
Details | Website | 2023-01-17 | 6 | Speared in a Click: Documents with Executables - Red Canary |
Details | Website | 2023-01-02 | 47 | Dark Web Profile: MuddyWater APT Group - SOCRadar |
Details | Website | 2022-10-14 | 5 | Microsoft Security Advisory 4053440 |
Details | Website | 2022-09-26 | 5 | Visual Basic for Applications - Wikipedia |
Details | Website | 2022-09-07 | 36 | SafeBreach Uncovers New Remote Access Trojan (RAT) |
Details | Website | 2022-07-26 | 65 | New Wave of Emotet - When Project X Turns Into Y - Cynet |
Details | Website | 2022-02-24 | 123 | Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks \| CISA |
Details | Website | 2022-01-14 | 10 | How Attackers Use XLL Malware to Infect Systems \| HP Wolf Security |
Details | Website | 2022-01-12 | 10 | How to Analyze Malicious Microsoft Office Files - Intezer |
Details | Website | 2021-09-13 | 78 | Hide and Seek \| New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms |
Details | Website | 2021-08-10 | 105 | UNC215: Spotlight on a Chinese Espionage Campaign in Israel \| Mandiant |
Details | Website | 2021-04-20 | 1 | Carbanak and FIN7 Attack Techniques |
Details | Website | 2021-04-09 | 44 | Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware |
Details | Website | 2021-03-30 | 1 | Security baseline for Microsoft 365 Apps for enterprise (v2103, March 2021) - DRAFT |
Details | Website | 2021-01-10 | 6 | Everything about CSV Injection and CSV Excel Macro Injection |
Details | Website | 2020-09-24 | 5 | Threat landscape for industrial automation systems. H1 2020 \| Kaspersky ICS CERT |
Details | Website | 2019-11-05 | 18 | How adversaries use politics for compromise |