Get-Member would reveal that Excel.Application has a Run method, which can be used to run macros from a Excel document remotely. We can use this PoC macro below and add it to a Excel spreadsheet (See Examples for malicious payloads):
Upload the file to the target machine:
Excel.Application will run with SYSTEM permissions through DCOM. Opening a document and thereby starting a process requires a profile, which SYSTEM doesn’t have by default. Creating a Desktop folder for it resolves the issue:
Use Excel.Application.Workbooks.Open to access the uploaded .xls file and run the macro:
Here’s a complete PoC compiled from the previous snippets: