Introducing GoExec!

By Bryan McNulty, Offensive Security Operator


Introduction

Spawning remote processes on Windows devices has become a common procedure for lateral movement on Active Directory networks and beyond. Understanding the handful of methods used to achieve remote execution is crucial for hackers and system administrators alike. In this post, we'll present our new project, goexec, as an improved alternative and drop-in replacement for many of the existing tools used for the same purpose.

Why Goexec?

Goexec offers a number of additions and improvements to existing solutions commonly used in the industry such as the Impacket remote execution scripts (atexec.py, dcomexec.py, psexec.py, smbexec.py, and wmiexec.py).

  • OPSEC First: One of the major issues with existing tools, especially the Impacket scripts, is a lack of OPSEC consideration. Goexec is designed to use the best possible OPSEC measures for each operation by default, while still providing the optional ability to perform unsafe operations like fetching program output.

  • Additional Methods: Goexec provides some additional methods that fundamentally differ from those used by other tools. For example, methods such as tsch change or scmr change edit existing resources instead of creating new ones. Methods like these are an attempt to improve OPSEC and potentially evade defenses.

  • Adjustable: The CLI was designed to incorporate as many relevant options as possible for each execution method. This allows operators to easily adapt their actions to their environment.

  • Native Proxy Support: Goexec supports SOCKS5 proxies with the --proxy/-x flag, without the need for external software like proxychains.

  • Dynamic Transport: Goexec allows the operator to configure the MSRPC connection parameters, transport, and endpoint using a number of flags. This feature may help operators bypass port restrictions or evade network monitoring.

  • Extensive Logging: The Impacket library and its dependent scripts lack proper debug logging, which can be a major inconvenience for troubleshooting and development. Goexec, with the help of go-msrpc, provides extensive logging capabilities through the speedy zerolog module.


In the initial release, Goexec supports four primary methods for gaining remote execution on Windows devices, all of which use Remote Procedure Calls (RPC) to communicate with the following services:

  • Service Control Manager (MS-SCMR)
  • Task Scheduler (MS-TSCH)
  • Distributed Component Object Model (MS-DCOM)
  • Windows Management Instrumentation (MS-WMI)

Service Control Manager (MS-SCMR)

One of the more common protocols used for remote execution on Windows is Service Control Manager Remote (SCMR). Put simply, Service Control Manager Remote enables remote control and configuration of Windows services using RPC. Utilization of this protocol to spawn processes is implemented by many tools in the offensive security space including Impacket's psexec.py and smbexec.py scripts, and Cobalt Strike's jump psexec command. This method is also used in legitimate system administration tools like PsExec.

Remote Execution with SCMR

Remote execution can be achieved in a couple of different ways using SCMR, but most implementations will make calls to RCreateServiceW and RStartServiceW to create a service that will spawn a process using the provided lpBinaryPathName.

SCMR Module

The SCMR module works a lot like smbexec.py, but it provides additional RPC transports, and uses MSRPC by default instead of SMB named pipes.

scmr change

The scmr change command allows operators to execute programs by modifying existing Windows services using the RChangeServiceConfigW method rather than calling RCreateServiceW. This may lower the chance of detection in some environments as many of the more popular offensive tools (such as smbexec.py and psexec.py) do not have this capability.

scmr create

The scmr create command will use SCMR to create a new service, start the service, then delete it. This is a similar operation to the one implemented in smbexec.py.


Task Scheduler (MS-TSCH)

The Task Scheduler service is used to create and manage scheduled tasks running on a remote Windows device. This service is primarily used by the graphical Windows "Task Scheduler" application and schtasks.exe. The Task Scheduler service can often be abused by attackers with administrative access to execute programs on the remote machine.

Remote Execution with Task Scheduler

Remote execution via Task Scheduler may involve the creation of new scheduled tasks or manipulation of existing tasks, typically using the Exec action to spawn a process when the task starts.

Task Scheduler Module

Goexec's tsch module expands on common implementations such as atexec-pro and Impacket's atexec.py script by providing additional flexibility and capabilities.

  • Modify existing scheduled tasks: In addition to scheduled task creation, Goexec can change existing task definitions to achieve program execution using the tsch change command. This includes the ability to restore tasks to their original definition shortly after program execution.

  • Evade signature detection: Many of the existing tools will provide very obvious signatures of malicious activity during task creation (see atexec.py, atexec-pro). Goexec avoids this by constructing an extremely flexible task definition with many dynamic values.

  • Avoid certain remote calls: Goexec can entirely avoid making certain RPC calls that may be considered unusual or malicious such as SchRpcRun and SchRpcDelete, which are unconditionally used by atexec.py and atexec-pro. Goexec makes use of the TimeTrigger element and the DeleteExpiredTaskAfter setting to start and delete the task automatically.

tsch create

The create method calls SchRpcRegisterTask to register a scheduled task with an automatic start time. This method avoids directly calling SchRpcRun, and can even avoid calling SchRpcDelete by populating the DeleteExpiredTaskAfter setting.

tsch change

The tsch change command calls SchRpcRetrieveTask to fetch the definition of an existing task, then modifies the task definition to spawn a process at the operator's will. By default, this method will restore the task definition to its original value after execution is completed.

tsch demand

The tsch demand command will call SchRpcRegisterTask, but rather than setting a defined time when the task will start like tsch change, it will additionally call SchRpcRun to forcefully start the task.
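For defenders, the task shape described in this section (an Exec action, a TimeTrigger, and DeleteExpiredTaskAfter so the task removes itself without a SchRpcDelete call) is itself something to look for in the task XML that Windows records in the TaskContent field of Security events 4698 (task created) and 4702 (task updated). The following Go check is an added example, not part of Goexec; the struct names and the sample task XML are constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"strings"
)

// taskDef is a minimal projection of the MS-TSCH task XML; encoding/xml matches
// on local element names, so the schema namespace needs no special handling.
type taskDef struct {
	Triggers struct {
		TimeTrigger []struct{} `xml:"TimeTrigger"`
	} `xml:"Triggers"`
	Settings struct {
		DeleteExpiredTaskAfter string `xml:"DeleteExpiredTaskAfter"`
	} `xml:"Settings"`
	Actions struct {
		Exec []struct {
			Command   string `xml:"Command"`
			Arguments string `xml:"Arguments"`
		} `xml:"Exec"`
	} `xml:"Actions"`
}

// AnalyzeTaskXML returns one reason per suspicious trait found in a task
// definition, e.g. the TaskContent field of Security events 4698 / 4702.
func AnalyzeTaskXML(raw string) ([]string, error) {
	var t taskDef
	if err := xml.Unmarshal([]byte(raw), &t); err != nil {
		return nil, err // malformed XML is reported, not silently ignored
	}
	var reasons []string
	for _, e := range t.Actions.Exec {
		cmd := strings.ToLower(e.Command)
		if strings.Contains(cmd, "cmd.exe") || strings.Contains(cmd, "powershell") {
			reasons = append(reasons, "Exec action runs a shell: "+e.Command+" "+e.Arguments)
		}
	}
	// A one-shot TimeTrigger plus DeleteExpiredTaskAfter is a task that starts
	// on its own and then disappears, with no SchRpcRun or SchRpcDelete call.
	if len(t.Triggers.TimeTrigger) > 0 && t.Settings.DeleteExpiredTaskAfter != "" {
		reasons = append(reasons, "TimeTrigger plus DeleteExpiredTaskAfter: self-deleting one-shot task")
	}
	return reasons, nil
}

// sampleTask is constructed for this example, not taken from a real event.
const sampleTask = `<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><TimeTrigger><StartBoundary>2025-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
<Settings><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings>
<Actions><Exec><Command>cmd.exe</Command><Arguments>/c whoami</Arguments></Exec></Actions>
</Task>`
```

Feed it the TaskContent of each 4698/4702 event and alert when two or more reasons come back for a task registered by an account that does not normally manage tasks on that host.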


Distributed Component Object Model (MS-DCOM)

Distributed Component Object Model (DCOM) is a proprietary network protocol designed by Microsoft, and an extension to Component Object Model. Component Object Model (COM) is a system that enables interaction between software components. DCOM extends this system to facilitate communications over a network connection via Remote Procedure Calls (RPC).

Remote Execution with DCOM

Remote execution may be achieved via DCOM by instantiating an exploitable object using the RemoteCreateInstance operation of the ISystemActivator interface, then locating an exploitable property or method.

DCOM Module

One major improvement we've made to Goexec's DCOM module was to enable packet stub encryption by default. This significantly decreases the chance of detection from network monitoring compared to the cleartext packets sent and received by dcomexec.py. Below is a comparison of the traffic generated by dcomexec.py (top) versus our DCOM module (bottom).

[Packet captures: dcomexec.py (top) and GoExec DCOM module (bottom)]

Goexec does not include two of the three methods offered by dcomexec.py, as we couldn't find a modern test case for these (tested on Windows 10, Windows 11, Windows Server 2022, Windows Server 2025).

dcom mmc

The dcom mmc command instantiates the MMC20.Application class, which can then be used to call Document.ActiveView.ExecuteShellCommand and spawn system processes.

Windows Management Instrumentation (MS-WMI)

Windows Management Instrumentation (WMI) is yet another RPC-capable standard that enables administrators to obtain management data from remote devices. WMI can be used by offensive security professionals to spawn remote processes, interact with remote file systems, and much more.

Remote Execution With WMI

WMI offers a large number of classes for querying or managing remote devices. A handful of these classes may be used to facilitate remote execution, but the most common is likely the Win32_Process class with its Create method.

WMI Module

The initial release of Goexec includes a simple WMI module which can spawn a Windows process, or directly call a method.

wmi proc

The wmi proc command calls the Create method of the Win32_Process class to spawn a remote process.

wmi call

The wmi call command is used to manually supply a WMI class to instantiate, a method to call, and some arguments to pass (if applicable).
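Each of the four channels covered in this post leaves a distinctive parent process on the target: Win32_Process.Create spawns under WmiPrvSE.exe, a service binary under services.exe, a task's Exec action under the svchost.exe hosting the Schedule service, and MMC20.Application's ExecuteShellCommand under an mmc.exe launched by DCOM with -Embedding. The following Go triage, an added example that is not part of Goexec, tags process-creation records (such as Sysmon Event ID 1 or Security 4688) by that lineage; the record type and sample events are constructed for illustration.

```go
package main

import (
	"path/filepath"
	"strings"
)

// ProcEvent is the subset of a process-creation record needed here; the field
// names are this example's own, not a Sysmon or Windows schema.
type ProcEvent struct {
	Image, ParentImage, ParentCommandLine string
}

// Classify tags an event with the remote-execution channel its parent process
// implies, or "" when the lineage is not one of the four discussed in this post.
func Classify(e ProcEvent) string {
	// Normalise the Windows path so filepath.Base works on any host OS.
	parent := strings.ToLower(filepath.Base(strings.ReplaceAll(e.ParentImage, `\`, "/")))
	pcmd := strings.ToLower(e.ParentCommandLine)
	switch {
	case parent == "wmiprvse.exe":
		return "WMI Win32_Process.Create (MS-WMI)"
	case parent == "services.exe":
		return "service binary started by SCM (MS-SCMR)"
	case parent == "svchost.exe" && strings.Contains(pcmd, "schedule"):
		return "scheduled task Exec action (MS-TSCH)" // only the Schedule service host
	case parent == "mmc.exe" && strings.Contains(pcmd, "-embedding"):
		return "MMC20.Application ExecuteShellCommand (MS-DCOM)" // DCOM-activated mmc.exe
	}
	return ""
}

// SampleEvents are constructed for this example, not captured from a real host.
var SampleEvents = []ProcEvent{
	{`C:\Windows\System32\cmd.exe`, `C:\Windows\System32\wbem\WmiPrvSE.exe`, `C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding`},
	{`C:\Windows\System32\cmd.exe`, `C:\Windows\System32\svchost.exe`, `C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule`},
	{`C:\Windows\System32\cmd.exe`, `C:\Windows\System32\services.exe`, `C:\Windows\system32\services.exe`},
	{`C:\Windows\System32\cmd.exe`, `C:\Windows\System32\mmc.exe`, `C:\Windows\system32\mmc.exe -Embedding`},
	{`C:\Windows\System32\notepad.exe`, `C:\Windows\explorer.exe`, `C:\Windows\explorer.exe`},
}

// Triage returns the non-empty tags for a batch of events, keyed by event index.
func Triage(events []ProcEvent) map[int]string {
	out := map[int]string{}
	for i, e := range events {
		if tag := Classify(e); tag != "" {
			out[i] = tag
		}
	}
	return out
}
```

Lineage alone is not proof of remote execution (local admins use schtasks and services too), so pair the tag with the network logon (Security 4624 type 3) that preceded it on the same host.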
