MS Excel DDE Formulas
DDE (Dynamic Data Exchange) elements are an attacker's alternative to MS Office Macros with the same end result of executing malcious commands. This "macro-less" technique picked in popularity because historically, security solutions and awareness efforts have heavily focused on macro-based threats. DDE might not trigger the same security alerts or user suspicions as macros would - but now rely on the user clicking "yes" to a new popup after opening the document.
Technique Detailsβ
Requirementsβ
- Windows Operating System
- Microsoft Excel
Targetsβ
Users running Office 365 or MS Office 2016 may not be affected by this attack since DDE execution was disabled by default.
- Windows user's utilizing Microsoft Excel
Execution Chainβ
- User receives DDE-laced MS Excel sheet
- User opens DDE-laced MS Excel sheet
- User is prompted by Excel if they want to run the DDE command
- DDE command executes, if the user clicked "yes"
Proceduresβ
-
In any cell, enter the following formula (replacing
<COMMAND>with the actual commands you want to run, andA1with the current cell address - this example is the very first top-left cell)=MSEXCEL|'\..\..\..\Windows\System32\cmd.exe "/c <COMMAND>"'!A1warningYou will recieve a prompt after entering the formula - click No. This is the same popup that a user will see when they open the Excel document - clicking Yes will cause the command within the formula to execute.
-
Save the MS Excel document - you now have a maldoc
Hardeningβ
The following registry key can be set (replacing <VERSION> and <APPLICATION> with the appropriate values) to harden against DDE:
- Key Path:
HKEY_CURRENT_USER\Software\Microsoft\Office\<VERSION>\<APPLICATION>\Options - Value Name:
DontUpdateLinks - Value Type:
DWORD - Value Data:
1(disable DDE)
Applications:
ExcelWordPowerPointAccessOutlookPublisher
Versions:
12.0(Office 2007)14.0(Office 2010)15.0(Office 2013)16.0(Office 2016+)