GoExec: Next-Gen Remote Execution Tool Boosts OPSEC for Windows Attacks
GoExec is a new take on some of the methods used to gain remote execution on Windows devices. GoExec implements a number of largely unrealized execution methods and provides significant OPSEC improvements overall.
Goexec supports four primary methods for gaining remote execution on Windows devices, all of which use Remote Procedure Calls (RPC) to communicate with one of the following services:
- Service Control Manager (MS-SCMR)
- Task Scheduler (MS-TSCH)
- Distributed Component Object Model (MS-DCOM)
- Windows Management Instrumentation (MS-WMI)
Service Control Manager (MS-SCMR)
One of the more common protocols used for remote execution on Windows is Service Control Manager Remote (SCMR). Put simply, Service Control Manager Remote enables remote control and configuration of Windows services using RPC. Utilization of this protocol to spawn processes is implemented by many tools in the offensive security space including Impacket’s psexec.py and smbexec.py scripts, and Cobalt Strike’s jump psexec command. This method is also used in legitimate system administration tools like PsExec.
Remote Execution with SCMR
Remote execution can be achieved in a couple of different ways using SCMR, but most implementations will make calls to RCreateServiceW and RStartServiceW to create a service that will spawn a process using the provided lpBinaryPathName.
SCMR Module
The SCMR module works a lot like smbexec.py, but it provides additional RPC transports, and uses MSRPC by default instead of SMB named pipes.
scmr change
The scmr change command allows operators to execute programs by modifying existing Windows services using the RChangeServiceConfigW method rather than calling RCreateServiceW. This may lower the chance of detection in some environments, as many of the more popular offensive tools (such as smbexec.py and psexec.py) do not have this capability.
scmr create
The scmr create command will use SCMR to create a new service, start the service, then delete it. This is a similar operation to the one implemented in smbexec.py.
Task Scheduler (MS-TSCH)
The Task Scheduler service is used to create and manage scheduled tasks running on a remote Windows device. This service is primarily used by the graphical Windows “Task Scheduler” application and schtasks.exe. The Task Scheduler service can often be abused by attackers with administrative access to execute programs on the remote machine.
Remote Execution with Task Scheduler
Remote execution via Task Scheduler may involve the creation of new scheduled tasks or manipulation of existing tasks, typically using the Exec action to spawn a process when the task starts.
Task Scheduler Module
Goexec’s tsch module expands on common implementations such as atexec-pro and Impacket’s atexec.py script by providing additional flexibility and capabilities.
- Modify existing scheduled tasks: In addition to scheduled task creation, Goexec can change existing task definitions to achieve program execution using the tsch change command. This includes the ability to restore tasks to their original definition shortly after program execution.
- Evade signature detection: Many of the existing tools will provide very obvious signatures of malicious activity during task creation (see atexec.py, atexec-pro). Goexec avoids this by constructing an extremely flexible task definition with many dynamic values.
- Avoid certain remote calls: Goexec can entirely avoid making certain RPC calls that may be considered unusual or malicious, such as SchRpcRun and SchRpcDelete, which are unconditionally used by atexec.py and atexec-pro. Goexec instead makes use of the TimeTrigger element and the DeleteExpiredTaskAfter setting to start and delete the task automatically.
tsch create
The create method calls SchRpcRegisterTask to register a scheduled task with an automatic start time. This method avoids directly calling SchRpcRun, and can even avoid calling SchRpcDelete by populating the DeleteExpiredTaskAfter setting.
tsch change
The tsch change command calls SchRpcRetrieveTask to fetch the definition of an existing task, then modifies the task definition to spawn a process at the operator’s will. By default, this method will restore the task definition to its original value after execution is completed.
tsch demand
The tsch demand command will call SchRpcRegisterTask, but rather than setting a defined time when the task will start like tsch change, it will additionally call SchRpcRun to forcefully start the task.
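The tsch create and tsch change flows described above leave a specific shape in the task definition itself: an Exec action, a TimeTrigger whose EndBoundary closely follows its StartBoundary, and a DeleteExpiredTaskAfter setting. Task Scheduler emits that definition in the TaskContent field of Security event 4698 (task created) and TaskContentNew of 4702 (task updated), which is where a defender can review it. The following is an added detection example written for this page, not GoExec code; it parses the MS-TSCH task XML and scores those traits. The two task definitions and the three event records are constructed for the example, and the record layout (dicts carrying EventID, TaskName and the XML field) is an assumption about how a log pipeline would present them.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace of Task Scheduler XML; the same definition appears in the
# TaskContent / TaskContentNew field of Security events 4698 and 4702.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


def _boundary(elem):
    """Parse a StartBoundary/EndBoundary element into a naive UTC datetime."""
    if elem is None or not (elem.text or "").strip():
        return None
    try:
        dt = datetime.fromisoformat(elem.text.strip())
    except ValueError:
        return None
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc).replace(tzinfo=None)
    return dt


def analyze_task(task_xml, short_window=timedelta(minutes=30)):
    """Return (score, findings) for one task definition.

    Each finding is one trait of the self-deleting one-shot pattern: an Exec
    action running an interpreter, a TimeTrigger whose EndBoundary follows its
    StartBoundary by at most short_window, and the DeleteExpiredTaskAfter setting.
    """
    # Event payloads carry an encoding declaration; drop it so the decoded str parses.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    findings = []

    execs = root.findall("./t:Actions/t:Exec", TASK_NS)
    if not execs:
        return 0, findings  # no Exec action: not the pattern described above
    for ex in execs:
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        if cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower() in INTERPRETERS:
            findings.append(f"Exec action runs an interpreter: {cmd} {args}".rstrip())

    for trig in root.findall("./t:Triggers/t:TimeTrigger", TASK_NS):
        start = _boundary(trig.find("t:StartBoundary", TASK_NS))
        end = _boundary(trig.find("t:EndBoundary", TASK_NS))
        if start and end and timedelta(0) <= end - start <= short_window:
            findings.append(f"one-shot TimeTrigger valid for only {end - start}")

    if root.find("./t:Settings/t:DeleteExpiredTaskAfter", TASK_NS) is not None:
        findings.append("DeleteExpiredTaskAfter set: task removes itself after expiry")
    return len(findings), findings


def review_events(events, threshold=2):
    """Apply analyze_task to pre-parsed 4698/4702 records (assumed dict layout)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (4698, 4702):
            continue
        xml_body = ev.get("TaskContentNew") or ev.get("TaskContent") or ""
        score, findings = analyze_task(xml_body)
        if score >= threshold:
            alerts.append((ev["TaskName"], ev["EventID"], findings))
    return alerts


# Constructed sample definitions (not captured from GoExec).
ONE_SHOT_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2024-05-01T12:00:00</StartBoundary>
    <EndBoundary>2024-05-01T12:05:00</EndBoundary>
  </TimeTrigger></Triggers>
  <Settings><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings>
  <Actions><Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c whoami &gt; C:\Windows\Temp\out.txt</Arguments>
  </Exec></Actions>
</Task>"""

DAILY_BACKUP_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [  # constructed records in the assumed layout
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Update\sync", "TaskContent": ONE_SHOT_TASK_XML},
    {"EventID": 4698, "TaskName": r"\Backup\Nightly", "TaskContent": DAILY_BACKUP_TASK_XML},
    {"EventID": 4702, "TaskName": r"\Backup\Nightly", "TaskContentNew": DAILY_BACKUP_TASK_XML},
]
```

Run review_events(SAMPLE_EVENTS) and only the one-shot task is returned, with all three findings. Because review_events inspects the new content of every 4702 record, a tsch change style modify-then-restore sequence surfaces as two updates to the same TaskName in quick succession, the first of which carries the interpreter Exec action; the threshold keeps a task that merely has a short TimeTrigger from alerting on its own.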
Distributed Component Object Model (MS-DCOM)
Distributed Component Object Model (DCOM) is a proprietary network protocol designed by Microsoft, and an extension to Component Object Model. Component Object Model (COM) is a system that enables interaction between software components. DCOM extends this system to facilitate communications over a network connection via Remote Procedure Calls (RPC).
Remote Execution with DCOM
Remote Execution may be achieved via DCOM by instantiating an exploitable object using the RemoteCreateInstance operation of the ISystemActivator interface, then locating an exploitable property or method.
DCOM Module
One major improvement we’ve made to Goexec’s DCOM module was to enable packet stub encryption by default. This significantly decreases the chance of detection from network monitoring compared to the cleartext packets sent and received by dcomexec.py. Below is a comparison of the traffic generated by dcomexec.py (top) versus our DCOM module.
Goexec does not include two of the three methods offered by dcomexec.py, as we couldn’t find a modern test case for these (tested on Windows 10, Windows 11, Windows Server 2022, Windows Server 2025).
dcom mmc
The dcom mmc command instantiates the MMC20.Application class, which can then be used to call Document.ActiveView.ExecuteShellCommand and spawn system processes.
Windows Management Instrumentation (MS-WMI)
Windows Management Instrumentation (WMI) is yet another RPC-capable standard that enables administrators to obtain management data from remote devices. WMI can be used by offensive security professionals to spawn remote processes, interact with remote file systems, and much more.
Remote Execution With WMI
WMI offers a large number of classes for querying or managing remote devices. A handful of these classes may be used to facilitate remote execution, but the most common is likely the Win32_Process class with its Create method.
WMI Module
The initial release of Goexec includes a simple WMI module which can spawn a Windows process, or directly call a method.
wmi proc
The wmi proc command calls the Create method of the Win32_Process class to spawn a remote process.
wmi call
The wmi call command is used to manually supply a WMI class to instantiate, a method to call, and some arguments to pass (if applicable).
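Packet privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY) encrypts the stub data, that is the marshalled arguments such as the command line, but not the PDU headers, so a network sensor still sees the bind to the interface and the opnum of each request; what it loses is the payload the DCOM comparison above contrasts. Whichever of the three services is used, the command still has to become a process on the target, and the parent is characteristic of the path: WmiPrvSE.exe for Win32_Process.Create (wmi proc, wmi call), mmc.exe launched with -Embedding for the DCOM MMC20.Application path (dcom mmc), and services.exe for a service whose binary path is an interpreter (scmr create, scmr change). The following is an added host-side detection example written for this page, not GoExec code; it classifies constructed process-creation records (field names modelled on Sysmon event 1 / Security 4688, an assumption about the telemetry source) by that parent/child lineage.

```python
from dataclasses import dataclass

# Child images worth flagging under services.exe; plain service hosts are normal children.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcessEvent:
    """One process-creation record (assumed field set, after log normalisation)."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the suspected remote-execution path for one event, or None."""
    child = _basename(ev.image)
    parent = _basename(ev.parent_image)
    if parent == "wmiprvse.exe":
        # Win32_Process.Create executes inside the WMI provider host.
        return "WMI Win32_Process.Create (cf. wmi proc / wmi call)"
    if parent == "mmc.exe" and "-embedding" in ev.parent_command_line.lower():
        # MMC20.Application activated over DCOM runs mmc.exe -Embedding;
        # ExecuteShellCommand then spawns the child.
        return "DCOM MMC20.Application ExecuteShellCommand (cf. dcom mmc)"
    if parent == "services.exe" and child in INTERPRETERS:
        # A service whose binary path is an interpreter, whether created with
        # RCreateServiceW or reconfigured with RChangeServiceConfigW.
        return "SCMR service with interpreter binary path (cf. scmr create / scmr change)"
    return None


def triage(events):
    """Run classify over a batch; returns [(index, verdict), ...] for hits only."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample records (not captured telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 r"C:\Windows\System32\mmc.exe", r'"C:\Windows\System32\mmc.exe" -Embedding'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    # Benign: a normal service host started by services.exe.
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p",
                 r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    # Benign: an administrator opening a console interactively.
    ProcessEvent(r"C:\Windows\System32\mmc.exe", "mmc.exe eventvwr.msc",
                 r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for idx, verdict in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict}")
```

The services.exe rule is deliberately narrow: services.exe is the parent of every service host, so only interpreter children are flagged here, and a service that wraps its command in a purpose-built binary would need correlation with System event 7045 (service installed) or the service configuration itself rather than lineage alone. The mmc.exe rule keys on the -Embedding argument that COM activation passes, which separates DCOM-launched instances from a console an administrator opened by hand.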