MITRE ATT&CK Technique
Description
Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017) Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-01-16T16:13:52.465Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Windows Dynamic Data Exchange (DDE) is a client-server '
'protocol for one-time and/or continuous inter-process '
'communication (IPC) between applications. Once a link is '
'established, applications can autonomously exchange '
'transactions consisting of strings, warm data links '
'(notifications when a data item changes), hot data links '
'(duplications of changes to a data item), and requests for '
'command execution.\n'
'\n'
'Object Linking and Embedding (OLE), or the ability to link '
'data between documents, was originally implemented through '
'DDE. Despite being superseded by COM, DDE may be enabled in '
'Windows 10 and most of Microsoft Office 2016 via Registry '
'keys. (Citation: BleepingComputer DDE Disabled in Word Dec '
'2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: '
'Microsoft DDE Advisory Nov 2017)\n'
'\n'
'Adversaries may use DDE to execute arbitrary commands. '
'Microsoft Office documents can be poisoned with DDE commands '
'(Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV '
'DDE Aug 2014), directly or through embedded files (Citation: '
'Enigma Reviving DDE Jan 2018), and used to deliver execution '
'via phishing campaigns or hosted Web content, avoiding the '
'use of Visual Basic for Applications (VBA) macros. (Citation: '
'SensePost MacroLess DDE Oct 2017) DDE could also be leveraged '
'by an adversary operating on a compromised machine who does '
'not have direct access to command line execution.',
'external_references': [{'external_id': 'T1173',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1173'},
{'description': 'Cimpanu, C. (2017, December 15). '
'Microsoft Disables DDE Feature in '
'Word to Prevent Further Malware '
'Attacks. Retrieved December 19, '
'2017.',
'source_name': 'BleepingComputer DDE Disabled in '
'Word Dec 2017',
'url': 'https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/'},
{'description': 'Microsoft. (2017, December 12). '
'ADV170021 - Microsoft Office Defense '
'in Depth Update. Retrieved February '
'3, 2018.',
'source_name': 'Microsoft ADV170021 Dec 2017',
'url': 'https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021'},
{'description': 'Microsoft. (2017, November 8). '
'Microsoft Security Advisory 4053440 '
'- Securely opening Microsoft Office '
'documents that contain Dynamic Data '
'Exchange (DDE) fields. Retrieved '
'November 21, 2017.',
'source_name': 'Microsoft DDE Advisory Nov 2017',
'url': 'https://technet.microsoft.com/library/security/4053440'},
{'description': 'El-Sherei, S. (2016, May 20). '
'PowerShell, C-Sharp and DDE The '
'Power Within. Retrieved November 22, '
'2017.',
'source_name': 'SensePost PS DDE May 2016',
'url': 'https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/'},
{'description': 'Kettle, J. (2014, August 29). Comma '
'Separated Vulnerabilities. Retrieved '
'November 22, 2017.',
'source_name': 'Kettle CSV DDE Aug 2014',
'url': 'https://www.contextis.com/blog/comma-separated-vulnerabilities'},
{'description': 'Nelson, M. (2018, January 29). '
'Reviving DDE: Using OneNote and '
'Excel for Code Execution. Retrieved '
'February 3, 2018.',
'source_name': 'Enigma Reviving DDE Jan 2018',
'url': 'https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee'},
{'description': 'Stalmans, E., El-Sherei, S. (2017, '
'October 9). Macro-less Code Exec in '
'MSWord. Retrieved November 21, 2017.',
'source_name': 'SensePost MacroLess DDE Oct 2017',
'url': 'https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/'},
{'description': 'NVISO Labs. (2017, October 11). '
'Detecting DDE in MS Office '
'documents. Retrieved November 21, '
'2017.',
'source_name': 'NVisio Labs DDE Detection Oct 2017',
'url': 'https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/'}],
'id': 'attack-pattern--edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:49:34.766Z',
'name': 'Dynamic Data Exchange',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}