Mastering Modern Red Teaming Infrastructure Part 6: Simulated APT Initial Access via Excel XLL…

Mastering Modern Red Teaming Infrastructure Part 6: Simulated APT Initial Access via Excel XLL Add-in — Malicious DLL Execution Bypassing Macro Restrictions

For years, Microsoft Office Macros have been a staple initial access vector in red team operations and real-world APT campaigns. However, Microsoft has made significant efforts to mitigate this risk. Starting in 2022 and continuing into 2023 and 2024, Microsoft progressively disabled macros by default for files downloaded from the internet — rendering legacy macro-based payloads nearly obsolete.

So… are we done with Excel-based payloads?

Absolutely not.

Red teamers adapt. That’s what we do.

In this article, I’ll show you how to leverage XLL (Excel Add-in) files as a payload delivery method, bypassing macro restrictions entirely. We’ll break down a real XLL payload that downloads and executes shellcode directly when the .xll is opened in Excel — no macros, no VBA, no warning dialogs.

📌 Real-world Note:

This technique is documented in the MITRE ATT&CK framework under sub-technique T1137.006: Office Application Startup: Add-ins.
APT groups like TA410 and commodity malware like Dridex have used .xll payloads to bypass macro restrictions and achieve stealthy execution.

https://thehackernews.com/2022/12/apt-hackers-turn-to-malicious-excel-add.html

Table of Contents

1. Why Did Microsoft Disable Macros?
2. What Is an XLL File?
3. Why .xll Bypasses Macro Restrictions
4. 💻 POC Steps With Full Code Breakdown: Excel Shellcode Loader via XLL
5. Red Teaming Impact
6. Defenders, Beware
7. Final Thought

1. Why Did Microsoft Disable Macros?

In response to the abuse of macros in phishing and malware campaigns, Microsoft began enforcing stricter controls:

• Macros from the internet are blocked by default in Office.
• Files flagged with the Mark of the Web (MoTW) are opened in Protected View.
• Even in enterprise environments, admins must explicitly enable macros now.

While this was a major win for defenders, it pushed red teams and threat actors to evolve.

Enter XLL files.

2. What Is an XLL File?

.xll is an Excel Add-in — a compiled binary (DLL) with exported functions that Excel can call. It behaves like a plugin that extends Excel with custom features or functions.

Why is this interesting?

• XLLs do not require macros to be enabled.
• When opened in Excel, XLLs automatically call the xlAutoOpen() function.
• They can contain native code, shellcode loaders, or even reverse shells.
• Antivirus and EDR tools often overlook XLL behavior.

This makes .xllpayloads a powerful alternative to macro-based delivery.

One disadvantage of XLL files is that they can only be loaded by Excel with the correct bit. For example, a 64-bit XLL can only be loaded by the 64-bit version of Excel. The same goes for 32-bit versions. Therefore, malware authors have to rely on the Excel version that is installed on the victim’s machine.

Like with VBA macros, Excel will warn the user about the security concern arising from executing the add-in. In that aspect, it has no advantage for malware compared to VBA macros.

3. Why .xll Bypasses Macro Restrictions

• Excel Add-Ins (.xll) are NOT VBA macros.
• They are compiled native DLLs, written in C/C++.
• When an .xll is loaded, Excel executes it automatically via exported functions like xlAutoOpen() — independently of macro settings.

📌 Macro settings in Excel control VBA and XLM macros only, not native DLLs.

4. 💻 POC Steps With Full Code Breakdown: Excel Shellcode Loader via XLL

Generate shellcode from Sliver and host it to be downloaded and injected

Open listener

Here’s a working example on my GitHub profile that you can compile into FinancePlugin1.xll. When the user opens this .xll file in Excel, it downloads shellcode from a remote server and executes it in memory.

AV-EDR-bypass-payloads/XLL-payloads/xll-shellcode.cpp at main · 0xFFF-cmd/AV-EDR-bypass-payloads

is a collection of custom-built payloads designed to bypass modern Antivirus (AV) and Endpoint Detection and Response…

x86_64-w64-mingw32-g++ -std=c++11 xll_shellcode2.cpp -o FinancePlugin1.xll -shared -lwinhttp -static-libgcc -static-libstdc++ -s

Compiled xll file

Double click to open it and choose enable this add-in for this session only

Then the beacon session will start in sliver C2 backend

5. Red Teaming Impact

Using .xll payloads brings several advantages:

• Works when macros are disabled
• Can bypass sandbox and EDR detections
• Doesn’t rely on Office scripting engines
• Easy to deploy with social engineering or phishing campaigns

Pro tip:

• Sign your .xll file and use a legitimate-looking name like FinanceAnalysisAddin.xll
• To bypass Mark-of-the-Web (MoTW), place the .xll file inside a container such as .zip archive.
• Host your shellcode using TLS (HTTPS) and behind redirector
• Use encryption or obfuscation inside the shellcode buffer with stealth techniques such as system calls.

6. Defenders, Beware

If you’re a blue teamer or SOC analyst, make sure to:

• Monitor .xll file executions
• Inspect calls to xlAutoOpen
• Block or restrict unknown add-ins from being loaded in Excel

7. Final Thought

Who said Excel payloads are dead?

Just because macros are disabled doesn’t mean the war is over. With .xll files, we now have a macro-less, stealthy, and potent payload vector to deliver in phishing or targeted red team operations.

Remember — red teaming is all about adapting to change.

Excel isn’t dead — we just upgraded.

Next: Stay sharp — we’re moving from Malicious DLL Execution Bypassing Macro Restrictions to Advanced Fishing to bypass 2FA through evilginx , Device code phishing, dynamic device code phishing and Consent and Permissions Attacks in Part 7.

If you find this blog useful, don’t forget to hit the clap button and follow the blog.

Certifications:
OSEC3, CRTL, CRTO, OSCP, OSEP, OSWE, OSED, eMAPT … Others

Follow me on LinkedIn & Twitter(X) to stay updated and to know new things.

Bye Bye, Take Care.