{"id":33245164,"url":"https://github.com/outflanknl/Excel4-DCOM","last_synced_at":"2025-12-16T04:03:13.071Z","repository":{"id":110172430,"uuid":"177778513","full_name":"outflanknl/Excel4-DCOM","owner":"outflanknl","description":"PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)","archived":false,"fork":false,"pushed_at":"2019-03-26T16:01:44.000Z","size":14,"stargazers_count":325,"open_issues_count":0,"forks_count":74,"subscribers_count":27,"default_branch":"master","last_synced_at":"2025-05-20T10:08:05.156Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/outflanknl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-03-26T11:52:29.000Z","updated_at":"2025-04-17T00:41:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"5a791ed6-2685-4b23-b3d0-075f8bbd0430","html_url":"https://github.com/outflanknl/Excel4-DCOM","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/outflanknl/Excel4-DCOM","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FExcel4-DCOM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FExcel4-DCOM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FExcel4-DCOM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FExcel4-DCOM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owne
rs/outflanknl","download_url":"https://codeload.github.com/outflanknl/Excel4-DCOM/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/outflanknl%2FExcel4-DCOM/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27759450,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-16T02:00:10.477Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-11-16T21:00:32.219Z","updated_at":"2025-12-16T04:03:13.064Z","avatar_url":"https://github.com/outflanknl.png","language":"PowerShell","readme":"# Excel4-DCOM\nPowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe).\n\n## Technology\nLast year, after our presentation at DerbyCon, we released a blog post detailing the abuse of Excel 4.0 macros (also called XLM macros). This is a macro language which is completely different from VBA and which has been embedded within Excel since 1992. The original blog can be found here, which includes a process injection sample: https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/\n\nIt turns out that Excel 4.0 macros are also exposed to DCOM via the ExecuteExcel4Macro method. 
We modified our process injection XLM macro sample to work on remote hosts as well via DCOM, and we hereby release it in PowerShell and Cobalt Strike script versions.\n\n## Usage\n**Cobalt Strike version**\n\n`Excel4-DCOM \u003ctargethost\u003e \u003clistener\u003e`\n\nThis will inject an x86 staging payload into excel.exe on the target host. Make sure to execute this from a 32-bit beacon (which can be running on a 64-bit system).\n\n**PowerShell version**\n\n`Invoke-Excel4DCOM -ComputerName \u003ctarget\u003e -Payload \u003cpayload location\u003e`\n\nThis will inject an x86 staging payload into excel.exe on the target host. Make sure to execute this from a 32-bit PowerShell host (%SystemRoot%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe).\n\n## Why would I use this method over lateral movement method XYZ?\nA big plus for this method is that it does direct shellcode injection into excel.exe via Windows API calls. In contrast to most other lateral movement methods (including practically all DCOM-based ones), this technique does **not** rely on powershell.exe or any other LOLBIN at the target. Hence, this method can be completely *\"fileless\"*. As a further plus, AMSI only works for VBA macros and not for XLM, making this method very difficult for AV to detect.\n\n## What are the disadvantages of this method?\nFirstly, this method is slow. The Cobalt Strike staging payload (roughly 800 bytes) requires about 1 to 2 minutes to be injected into a remote host. Note that this is mostly due to the Proof of Concept implementation, which injects the payload byte-by-byte in order to avoid XLM macro line-length constraints. It should be possible to do this in chunks of 10 bytes while still remaining under XLM line-length limits. I just need to find some time to brush up my code. :-)\n\nSecondly, due to XLM data type constraints (read our blog for details), this method only targets 32-bit installs of Excel.exe - which fortunately is the vast majority of installations. 
Note that x86 installs on x64 systems are fine. This also means that you should execute this method from a 32-bit PowerShell host or beacon.\n\n## Authors\nStan Hegt (@StanHacked) / Outflank\n\nSpecial thanks to Philip Tsukerman (@PhilipTsukerman) for pointing out to me that Excel 4.0 macros are exposed via DCOM.\n","funding_links":[],"categories":["Pentesting"],"sub_categories":["ShellCodes"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutflanknl%2FExcel4-DCOM","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foutflanknl%2FExcel4-DCOM","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foutflanknl%2FExcel4-DCOM/lists"}