{
	"id": "a8e53f01-4069-465a-b124-2d8d193c438c",
	"created_at": "2026-04-06T00:17:17.738862Z",
	"updated_at": "2026-04-10T03:21:53.887223Z",
	"deleted_at": null,
	"sha1_hash": "6820d9c247ce0e2f3226aabe7ac72d636ae11e65",
	"title": "Leveraging Excel DDE for lateral movement via DCOM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 901644,
	"plain_text": "Leveraging Excel DDE for lateral movement via DCOM\r\nBy Philip Tsukerman\r\nArchived: 2026-04-05 19:56:32 UTC\r\nDDE, or Dynamic Data Exchange, is a legacy interprocess communication mechanism that’s been part of some\r\nWindows applications since as early as 1987. DDE enables applications to request items made available by other\r\nprograms, such as cells in a Microsoft Excel spreadsheet, and be notified of any changes within these items.\r\nRead a blog by Philip on a vulnerability with Excel 4.0 Macros.\r\nThe DDE mechanism has appeared in recent discussions on how to carry out macro-less code execution in Office\r\ndocuments. This technique works by making Excel (or other MS Office applications) evaluate an expression\r\n(\"=cmd|' /C calc'!A0\", for example) that requires data to be transmitted via DDE from another application. This\r\nallows an attacker to specify an arbitrary command line as the DDE server to be run, thus performing arbitrary\r\ncode execution.\r\nhttps://sensepost.com/blog/2017/macro-less-code-exec-in-msword/\r\nThis functionality is implemented in the\r\nbackground using a method called DDEInitiate, which is exposed through COM. This made me wonder if the\r\nDDE functionality in Office applications could be used remotely through DCOM in a manner similar to the\r\ntechniques described by Matt Nelson of SpecterOps (here and here) by trying to call this method through DCOM.\r\nA quick look at the methods exposed by the Excel.Application object shows promise.\r\nIndeed, the DDEInitiate method exists and is even documented by MSDN.\r\nhttps://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom\r\nPage 1 of 5\n\nWe may supply \"cmd\" as the App parameter, while the Topic parameter will be any chosen command line\r\narguments.\r\nThis method is not without its quirks; it limits the App parameter to eight characters (no directly calling\r\nPowerShell for you). 
But the Topic has a much more manageable character limit of 1,024, which is imposed by\r\nthe CreateProcess function. Furthermore, the method appends \".exe\" to the App parameter, so \"cmd.exe\" tries to\r\nrun \"cmd.exe.exe\", which will obviously fail.\r\nNow let's try to actually run the method.\r\nInitially, things didn’t go as I hoped. Clicking \"yes\" indeed spawned a shell that ran calc, but this isn't much of a\r\nlateral movement method if it requires a user on the victim machine to interact with this extremely suspicious alert\r\n(especially if they didn't even open Excel). We need to look at the DCOM object again for assistance.\r\nThe DisplayAlerts property looks very promising, and playing with it gives good results.\r\nIt seems the DisplayAlerts property controls the alert presented by DDEInitiate.\r\nSadly, while some other Office applications, including MS Word, do expose the DDEInitiate method via DCOM,\r\nI have not been able to get it to work on anything but Excel.\r\nWhile all of this was done on a single machine, getting this technique to work remotely can be done by simply\r\nreplacing\r\nwith\r\nNow all we need to do is replace the command line with our favorite PowerShell download cradle, and we're good\r\nto go with our new lateral movement technique.\r\nCreate a closed-loop, strategic security process for your defense. 
Read how to create a closed-loop security\r\nprocess with MITRE ATT\u0026CK.\r\nAbout the Author\r\nPhilip Tsukerman\r\nPhilip Tsukerman is a researcher at Cybereason Innovation Labs.\r\nSource: https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom"
	],
	"report_names": [
		"leveraging-excel-dde-for-lateral-movement-via-dcom"
	],
	"threat_actors": [],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6820d9c247ce0e2f3226aabe7ac72d636ae11e65.pdf",
		"text": "https://archive.orkl.eu/6820d9c247ce0e2f3226aabe7ac72d636ae11e65.txt",
		"img": "https://archive.orkl.eu/6820d9c247ce0e2f3226aabe7ac72d636ae11e65.jpg"
	}
}