Wednesday, 6 February 2019

Threat Hunting #4 - Detecting Excel/Word documents with DDE activity

Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

When a document with DDE content is opened, the Office process pops up two consecutive warning messages:

Example of a *.slk file containing a DDE expression that invokes cmd.exe as an external data source in order to execute an arbitrary command.

The victim has to click Enable and Yes to dismiss the two security warnings (social engineering may help convince the victim that this is the way to access interesting confidential data):

Finally, the supplied command is executed:

We found out that Office processes do log the previous two security warning messages in the event log file:
  • %SystemRoot%\System32\Winevt\Logs\OAlerts.evtx (EventID=300)

You can see in the following screenshot the presence of the string "cmd.exe":

The name of the document related to the two events above is not captured in the same event, but you can find it next to them in a separate Event ID 300 entry:

Furthermore, depending on user/machine activity, you may find alerts going back about 3 months (it is not a noisy event log file), which is useful for forensics and for finding any potential previous DDE infection.
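The hunt described above, scripted as an added example (this is not code from the original post): it reads OAlerts.evtx, keeps the Event ID 300 entries whose message mentions a command interpreter or LOLBin, and then looks at the 300 events logged within a few seconds of each hit to recover the document name from the neighbouring alert. The path, the time window, the list of suspicious strings and the file-name regex are assumptions you should tune to your environment.

```powershell
# Added hunting example, not the post's own code. Assumes the default OAlerts.evtx
# location and that the DDE prompts are logged as Event ID 300 with the command text
# in the alert message, as the post describes. Works on a copied .evtx as well.
param(
    [string]$LogPath = "$env:SystemRoot\System32\Winevt\Logs\OAlerts.evtx",
    [int]$WindowSeconds = 10   # assumption: document-name alert lands within this window
)

# Hypothetical watch list of binaries that show up in DDE prompts; extend as needed.
$suspicious = @('cmd.exe', 'powershell', 'mshta', 'regsvr32', 'rundll32',
                'wscript', 'cscript', 'certutil', 'bitsadmin')
$pattern = ($suspicious | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Note: Message is only rendered if the Office event provider is registered on the
# analysis host; otherwise inspect $_.Properties instead.
$events = Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = 300 } -ErrorAction Stop |
          Sort-Object TimeCreated

$hits = $events | Where-Object { $_.Message -match $pattern }

foreach ($hit in $hits) {
    # Neighbouring 300 events: the post notes the document name is logged next to
    # the two warnings rather than inside them.
    $near = $events | Where-Object {
        $_.RecordId -ne $hit.RecordId -and
        [math]::Abs(($_.TimeCreated - $hit.TimeCreated).TotalSeconds) -le $WindowSeconds
    }
    # Hypothetical regex for Office document names mentioned in the neighbouring alerts.
    $docs = $near | ForEach-Object {
        if ($_.Message -match '([\w\-. ]+\.(slk|xls[xm]?|doc[xm]?|rtf|csv))') { $Matches[1] }
    } | Select-Object -Unique

    $msg = $hit.Message -replace '\s+', ' '
    [pscustomobject]@{
        TimeCreated = $hit.TimeCreated
        RecordId    = $hit.RecordId
        Matched     = [regex]::Match($hit.Message, $pattern, 'IgnoreCase').Value
        Document    = ($docs -join ', ')
        Message     = $msg.Substring(0, [math]::Min(200, $msg.Length))
    }
}
```

Because OAlerts.evtx is small and retains months of entries, running this across a fleet (for example through a remoting job that collects the .evtx first) gives a cheap retrospective check for earlier DDE prompts.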

