Oct 20, 2017

Microsoft Office Windows Dynamic Data Exchange (DDE) Mitigations

Out with the old, in with the new. Are macro trojans a thing of the past, or just set aside while the new kid on the block gets to show off for a bit? That is the question raised by the Dynamic Data Exchange (DDE) method of executing a payload. DDE has been part of Windows since Windows 2.0, and because a DDE payload needs no macro, a document that carries one shows the user a different prompt than the familiar macro warning, one whose wording the attacker can, in some cases, shape to say whatever they want.

If you’re looking to spin your head around for a bit reading up on the technical specs, here is a link from Microsoft outlining DDE

I’m going to share with you a couple of methods that can be used to mitigate this threat, in various environments.

Let’s start with the basics: getting the registry changes that will be needed.

(Credit to: https://gist.github.com/wdormann for sharing this!)

Start by saving a copy of the disable_ddeauto.reg file somewhere on your network or on the local machine. If you put it on a network share, make both the share and the file read-only for everyone except the admins who maintain it: anyone who can modify that file can inject arbitrary registry changes into every logon that imports it.

Here are some ways you can import this registry file:

reg.exe IMPORT disable_ddeauto.reg

DisableDDE.bat

%windir%\system32\reg.exe IMPORT \\server\share\disable_ddeauto.reg

DisableDDE.ps1

[Diagnostics.Process]::Start("reg.exe","import \\server\share\disable_ddeauto.reg")

The settings in the .reg file are per-user (they live under HKEY_CURRENT_USER), so they have to be written in the user’s own context, which is why this belongs in a logon script under User Configuration in Group Policy rather than in a computer startup script that runs as SYSTEM. Placing either of these methods there will ensure that Office 2010-2016 will block
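Once the import has run, the check a practitioner wants is whether the values actually landed in the registry of the user it ran for. The PowerShell script below is an added example, not part of the original post or of Will Dormann’s gist: it parses the same disable_ddeauto.reg file (dword and string values; other data types are reported but not judged) and compares each value with the live registry. The share path is an assumption, and the script has to run in the session of the user whose Office settings you want to verify, since the keys are per-user.

```powershell
# Added example: verify that every value in a .reg file is present in the live registry.
# Not from the original post or from the disable_ddeauto.reg gist; the share path is an assumption.
param(
    [string]$RegFile = '\\server\share\disable_ddeauto.reg'   # assumed location, adjust to yours
)

# Parse the [key] / "name"=data lines of a .reg file into objects.
function Read-RegFile {
    param([string]$Path)
    $key = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(-?)(.+)\]$') {
            # "[-HKEY...]" means delete the key; nothing to verify there
            $key = if ($Matches[1]) { $null } else { $Matches[2] }
            continue
        }
        if ($null -eq $key) { continue }
        if ($line -match '^(?:"(.*)"|@)=(.+)$') {
            $name = if ($Matches.ContainsKey(1)) { $Matches[1] } else { '(default)' }
            $data = $Matches[2]
            $type = 'Unsupported'; $expected = $null
            if ($data -match '^dword:([0-9a-fA-F]{1,8})$') {
                $type = 'DWord'; $expected = [int64][Convert]::ToUInt32($Matches[1], 16)
            } elseif ($data -match '^"(.*)"$') {
                # .reg files escape backslashes and quotes inside string data
                $type = 'String'; $expected = $Matches[1] -replace '\\(["\\])', '$1'
            }
            [pscustomobject]@{ Key = $key; Name = $name; Type = $type; Expected = $expected }
        }
    }
}

# Compare each parsed value with what the registry actually holds for the current user.
function Test-RegFileApplied {
    param([string]$Path)
    foreach ($entry in Read-RegFile -Path $Path) {
        $regPath = "Registry::$($entry.Key)"
        $actual = $null
        if (Test-Path -LiteralPath $regPath) {
            $props = Get-ItemProperty -LiteralPath $regPath
            if ($props -and $props.PSObject.Properties[$entry.Name]) {
                $actual = $props.PSObject.Properties[$entry.Name].Value
            }
        }
        # Registry DWORDs come back as signed Int32, so mask to 32 bits before comparing.
        $ok = switch ($entry.Type) {
            'DWord'  { ($null -ne $actual) -and ((([int64]$actual) -band 0xFFFFFFFF) -eq $entry.Expected) }
            'String' { ($null -ne $actual) -and ([string]$actual -eq $entry.Expected) }
            default  { $null }   # data type the parser does not handle: reported, not judged
        }
        [pscustomobject]@{ Key = $entry.Key; Name = $entry.Name; Expected = $entry.Expected; Actual = $actual; Ok = $ok }
    }
}

$results = @(Test-RegFileApplied -Path $RegFile)
$results | Format-Table -AutoSize
$missing = @($results | Where-Object { $_.Ok -eq $false })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) of $($results.Count) value(s) in $RegFile are not applied for $env:USERNAME"
    exit 1
}
```

Run it from the same logon script right after the import, or by hand as the affected user, and treat a non-zero exit code as a failed deployment. The check is only as trustworthy as the .reg file it reads, which is one more reason to keep that file read-only.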

The following script can easily be converted into a base64 string. Note that it fetches the .reg file from GitHub at run time: the URL is pinned to a specific commit, so the content cannot silently change, but every client then needs Internet access to gist.githubusercontent.com at logon. If you have the read-only share from above, prefer importing from it.

DisableDDE-Direct.ps1

New-Item -Path C:\temp -ItemType Directory -Force | Out-Null   # without -ItemType the FileSystem provider creates a file, not a folder
(New-Object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b/raw/6d19917f59f1d20c46ddc9c97765bc6ef4f2814e/disable_ddeauto.reg", "C:\temp\disable_ddeauto.reg")
# Call reg.exe synchronously: [Diagnostics.Process]::Start returns immediately, so the Remove-Item below could delete the file before the import had read it
& "$env:windir\System32\reg.exe" import C:\temp\disable_ddeauto.reg
Remove-Item -Path C:\temp\disable_ddeauto.reg -Force
if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }

Finally, if you have a way of “firing and forgetting” to many systems, you can convert the script to a base64 value and push it through a command line. Two caveats: whatever launches it has to run in the target user’s session (the keys are per-user, so a remote command running as your admin account would change your own profile, not theirs), and “powershell.exe -ex bypass -enc …” is the same launch pattern commodity malware uses, so expect PowerShell script block logging and your EDR to flag it; allow-list your specific command rather than relaxing the rule.

# A literal here-string, so the text is encoded exactly as written
$stringToEncode = @'
New-Item -Path C:\temp -ItemType Directory -Force | Out-Null
(New-Object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b/raw/6d19917f59f1d20c46ddc9c97765bc6ef4f2814e/disable_ddeauto.reg", "C:\temp\disable_ddeauto.reg")
& "$env:windir\System32\reg.exe" import C:\temp\disable_ddeauto.reg
Remove-Item -Path C:\temp\disable_ddeauto.reg -Force
if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }
'@
# -EncodedCommand expects UTF-16LE, which is what [Text.Encoding]::Unicode produces
$base64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($stringToEncode))

With its output (please don’t rely on mine! 😉):

powershell.exe -ex bypass -enc <your base64 string>

Good luck and happy protecting!