Delaware, USA – November 8, 2017 – A month ago, SensePost published an article about the threat of exploiting the Dynamic Data Exchange feature used in Microsoft Office. The usage of DDE allows attackers to execute PowerShell scripts and download malicious files from external servers. A few days after that, Cisco Researchers detected sophisticated APT attack using this technique to drop fileless Trojan DNSMessenger. Other threat actors also quickly adapted their infection techniques: through the exploitation of the DDE protocol, they drop Ransomware, banking Trojans and sophisticated spyware on targeted systems. Anything in Microsoft Office can be exploited including Word, Excel, PowerPoint, OneNote and even Outlook using calendar invites. Multiple actors and tools use this attack technique including Fancy Bear / APT 28, Fin7, Necurs Botnet, Locky, Hancitor malware and others.
It is recommended to immediately disable DDE functionality using one of following methods:
1. GPO update
2. Registry updates such as ones published by Null Byte: https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b
3. Manually, example with Microsoft word: Open Word → Select File → Options → Advanced and scroll down to General and then uncheck “Update Automatic links at Open.”
DDE Exploitation Detector is designed for ArcSight, QRadar and Splunk and it helps your SIEM detect execution of the PowerShell or cmd command-line process using the DDE feature in MS Office. It notifies SIEM administrators about detected connections to malicious IP or URL, the run of malicious files, as well as any suspicious activity associated with this threat. This use case provides enhanced capabilities to detect modern cyber attacks that use DDE to bypass security solutions.
Use case contains 96 IOCs including IP, Port, URL, File hashes and File names. Dashboard is included for both individual analyst and SOC usage. SOC channel is also included flagging events with different priorities for events of interest. All events are tagged according to Cyber Kill Chain and MITRE ATT&CK attributing to 4 tactics and 6 techniques. This SIEM content works based on Firewall and Proxy events, Sysmon and CrowdStrike Falcon EDR log data.
Link to DDE Exploitation Detector – https://my.socprime.com/en/integrations/dde-exploitation-detector