MethodInvocationException - Line 686 - Exception calling "Save" with "0" argument(s): "Error saving file C:\Working\canary.xlsx"

[robertstrom]

Hello,

Thanks very much for this PowerShell module! It is amazing!

I am currently trying to add data to an existing, blank spreadsheet the was created using the Canary Token generator that can be found here - https://canarytokens.org/nest/generate

Creating one of these gives you a blank spreadsheet that contains a webhook embedded in the spreadsheet. This article has some information on it and links to a Python script that shows the embedded URL - https://neroswarm.com/blog/detecting-canary-tokens-in-office-files. You can also see the information if you use 7-Zip to view the contents of the Excel file.

Using 7-Zip, you can see that this is where the Canary Token information is stored in the Excel file

When you view that file you can see the embedded WebHook URL

I am trying to add content to the blank sheet1 using the code below, where canary.xlsx is the name of the spreadsheet that was generated by the Canary Token website.

$CanaryTokenData = @"
SamAccountName,DisplayName,GivenName,SurName,UserPrincipalName,pwd
MDB85399,"Vargas, Timothy",Timothy,Vargas,MDB85399@blahbahoods.com,7f+iP(AH}~\rDAEvBhZt0'#ku]$&)!A8+_
MDB123456,"Vargas, Timothy (Admin)",Timothy,Vargas,MDB123456@blahbah.ad.blahbahood.local,"iqG!wOhfQFq2ym$<Nu(,5E8?Tw](""v<9x:"
jas123456,"Blowhard, Jeff",Jeff,Blohard,Jeff.Blowhard@blahbahoods.com,"D(l""Qu8)A}z@TMx5UYG=P?}t(S7n%YClyW"
p1c2012,"Smith, Mark",Mark,Smith,p1c2012@blahbahoods.com,aGL{z5*xsoWIGUC7rSl38R=\mU?k?.|1JZ
kjl123456,"Keating, Jim",Jim,Keating,kjl123456@blahbah.ad.blahbahood.local,{[>LX6%vknVGMYwPGJ%5K%N4cp;FX{0GG=
s_mscs-2024csqlsp02,"s_mscs-2024csqlsp02, Service",Service,s_mscs-2024csqlsp02,s_mscs-2024csqlsp02@blahbah.AD.blahbahOOD.LOCAL,"}qfY3g""wMPL)].!cLMbgf;D$r'13D8%{3E"
s_MSCS-2024cinfip01,"s_MSCS-2024cinfip01, Service",Service,s_MSCS-2024cinfip01,s_MSCS-2024cinfip01@blahbah.ad.blahbahood.local,kOH>GO&4Gp\I^-@JVoGVVA)o=MZ(K\j1As
s_oldaccounts,"s_oldaccounts, Service",Service,s_oldaccounts,s_oldaccounts@blahbah.ad.blahbahood.local,Mw%VdalNFwRb4GyS%-+-0a%z;&^$lNg|KE
s_passwordexpire,"Service, Expire Password",Service,Expire Password,s_passwordexpire@blahbah.ad.blahbahood.local,"kZx_^Qu6^#(i1Bi#G~M3vUbB=,YFPST}pV"
MDBbadaccount,"Vargas, Timothy (Admin",Timothy,Vargas,MDBbadaccount@blahbah.ad.blahbahood.local,UjeqEV;/CfY=|6sUWI%8PrY{=3oLd}<^kn
fdebadaccount,"Franken, Dan (Admin)",Dan,Franken,fdebadaccount@blahbah.ad.blahbahood.local,n{xmcEN{{hX7moeJe?d\3:2Me&=}H42wb3
"@ | ConvertFrom-Csv

$CanaryTokenData | Export-Excel -AutoSize -AutoFilter  -BoldTopRow -FreezeTopRow -Path "C:\Temp\canary.xlsx" -Append

When running the commands above I get the error shown below:

MethodInvocationException: C:\Users\UserName\Documents\PowerShell\Modules\ImportExcel\7.8.9\Public\Export-Excel.ps1:686
Line |
 686 |              else { $pkg.Save() }
     |                     ~~~~~~~~~~~
     | Exception calling "Save" with "0" argument(s): "Error saving file C:\Working\canary.xlsx"

I can run the commands above to create a new spreadsheet without issue. I can create a new blank spreadsheet in Excel and then append the data to it without issue but I have found no way to append data to the spreadsheet that is created with the Canary Token embedded in it.

I'm looking for a scripted way to be able to populate the data into a bunch of these Canary Token spreadsheets.

Any assistance in helping me to accomplish this would be very much appreciated.

Thanks very much!

[dfinke]

Thank you @robertstrom for the kind words and using the module.

It is possible that using the Canary Token generator, it generates a sheet that the DLL that interacts with the writing of the xlsx ends up corrupting it based on fields in the xml that it cannot map.

[robertstrom]

@dfinke - understood but curious. I can open the Canary Token Excel file in Excel and add content to it in Excel without issue. Any additional thoughts on why that works but Export-Excel does not?

[robertstrom]

Import-Excel is able to read one of the Canary Token generated files that I have populated with data. I have also validated that the canary token functionality still works after populating it with data via opening it with Excel. Just another data point.

[dfinke]

Export-Excel depends on older free version of EPPlus. Off the top of my head, there may be fields it is not exporting or stepping on.

[robertstrom]

FYI - I tried updating the Excel file using python and I was able to update it but it wiped out the Canary Token functionality. The spreadsheet no longer had the embedded URL. It no longer had the drawings section (as shown in the screenshots) at all.

[dfinke]

Which python pkg? So it seems how the canery tokens aspect is created, Excel proper has no issues, 3rd parties do?

[robertstrom]

it wasn't a specific python package. I just found some code and played with it

create an Excel file

# import pandas
import pandas as pd

# dataframe with Name and Age columns
df = pd.DataFrame({'Name': ['A', 'B', 'C', 'D'], 'Age': [10, 0, 30, 50]})

# create a Pandas Excel writer object using XlsxWriter as the engine
# writer = pd.ExcelWriter('canary.xlsx', engine='xlsxwriter')
writer = pd.ExcelWriter('canary.xlsx', engine='xlsxwriter')

# write data to the excel sheet
df.to_excel(writer, sheet_name='Sheet1', index=False)

# close file
writer.close()

append to an Excel file

# import pandas
import pandas as pd

# new dataframe with same columns
df = pd.DataFrame({'Name': ['I', 'J', 'K', 'L'], 'Age': [1000, 700, 400, 600]})

# read  file content
reader = pd.read_excel('canary.xlsx')

# create writer object
# used engine='openpyxl' because append operation is not supported by xlsxwriter
writer = pd.ExcelWriter('canary.xlsx', engine='openpyxl', mode='a', if_sheet_exists="overlay")

# append new dataframe to the excel sheet
df.to_excel(writer, index=False, header=False, startrow=len(reader) + 1)

# close file
writer.close()

So it seems how the canery tokens aspect is created, Excel proper has no issues, 3rd parties do?

Yes, canary token Excel file is created and you can open it in Excel and add data to it (it is blank when the Canary Token Excel file is created) using Excel and the Canary Token functionality is still there.

Modify the Canary Token Excel file using the python code and I can add data to the Excel file but the Canary Token "phone home" (embedded webhook) is gone. Completely removed from the Excel file.

[dfinke]

ok. and ImportExcel corrupts the file when you add add to the canary file.

well, you know what they say, canary in the coal mine

[robertstrom]

Canary In A Coalmine

[dfinke]

That's the one! 🙂